20 year warranty


1 Introduction

Given the nature of Value Fencing's business, which is providing services that contains Personal Information (PI) to clients via various platforms and, storing this sensitive member information on our internal systems, we must comply with international legislation such as the Protection of Personal Information Act (POPIA), General Data Protection Regulation (GDPR) and Financial Regulatory requirements. This Policy, however, applies to any PI supplied to a third party for processing.

This legislation gives effect to the right to privacy and regulates the way PI may be processed by providing rights and remedies to protect PI. This applies not only to the processing of PI by a responsible person domiciled in the country, and where processing happens, but also to citizens of a different country/zone (for example EU citizens are protected by GDPR outside of the borders of the EU). Specific to POPI, the Act will override other legislation that contains inconsistent provisions relating to the processing of PI, and where other legislation provides for more extensive conditions for the processing of PI, the other legislation will prevail.

PI relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, and includes, but is not limited to:

Processing is any operation or activity, whether by automatic means, including:

Key concepts include:

2 Objectives and Scope

PI must be collected for a specific, explicitly defined, and lawful purpose related to the function or activity of the responsible party. The data subject must be made aware of the purpose of the collection.

Records must not be retained any longer than is necessary for achieving the purpose for which it was collected unless:

PI must be destroyed, deleted or de-identified as soon as is reasonably practical. Destruction or deletion must be done in a manner that prevents its reconstruction in any form.

3 Validity of this document

This document is valid from the last review date and authorized by the Management Representative and should be revised at least every twelve months or as required. This document replaces and supersedes all previous dated documents for this procedure, which are cancelled and destroyed.

4 Responsibilities for the process

The Deputy Information Officers are responsible for reviewing a complaint submitted by a complainant who is dissatisfied with the conduct of his / her PI.

Information Officers? Accountability and Responsibility:

5 Personal Information and consent process

6 Limiting collection and further processing process

The Responsible Party shall ensure that PI will not be collected indiscriminately, but by fair and lawful means, and be limited to what is necessary to fulfil the specific purpose for which the PI is being collected.

PI may only be processed if:

A data subject may object, at any time, on reasonable grounds, to the processing of their PI. The responsible party may then no longer process the PI.

PI must be collected directly from the data subject except if:

7 Use of Personal Information for direct marketing

Direct marketing means unsolicited electronic communication.

The processing of PI for direct marketing by any form of electronic communication is prohibited unless the data subject:

The responsible party may only approach a data subject whose consent is required, and who has not previously withheld such consent, once, to gain consent and such consent must be in the prescribed manner and form.

8 Accuracy of Personal Information

A responsible party must take reasonably practical steps to ensure that PI is complete, accurate, not misleading and updated where necessary. The PI shall not be updated routinely unless it is required to fulfil the purpose for which the PI was collected.

9 Data and information safeguards

A responsible party must secure the integrity and confidentiality of the PI in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss, damage or unauthorized destruction, unlawful access to, or processing of the PI.

The Data Subject may request the responsible party to:

10 Openness

The Deputy Information Officer must take reasonably practicable steps to ensure the Data Subject is aware of:

11 Individual's access to their Personal Information

The Deputy Information Officer/s shall, upon request, inform an individual whether Value Fencing holds PI about the requested party. If possible, the information source shall also be given. Value Fencing shall allow the individual access to the information.

Value Fencing shall also account for the use that has been made or is being made of this information and give an account to the third parties to whom it has been disclosed. (Note, if the Deputy Information Officer/s believes for valid reasons that access to PI should be denied, the Deputy Information Officer/s shall consult legal counsel before making such a decision.)

A person requesting individual PI may be required by the Deputy Information Officer/s to give sufficient information to permit Value Fencing to provide an account of the existence, use, and disclosure of PI. Information shall be used only for the purpose for which it was obtained.

The Deputy Information Officer/s shall ensure that Value Fencing responds to an individual's request within a reasonable time and at minimal or no cost to the individual. The requested information shall be made available in a generally understandable form. For example, Value Fencing shall explain abbreviations or codes it uses to record information.

The Deputy Information Officer/s shall ensure that when an individual successfully demonstrates the inaccuracy or incompleteness of PI, Value Fencing shall amend the information as required. Depending on the information challenged, amendment involves the correction, deletion, or addition of information in question.

The Deputy Information Officer/s shall ensure that when a challenge is not resolved to the individual's satisfaction, Value Fencing shall record the unresolved challenge's substance. When appropriate, the unresolved challenge's existence shall be transmitted to third parties having access to the information in question.

12 Risk Management

All risks identified and associated with this policy/procedure are recorded on the Risk Management Register (IF-001-Risk Management Register) and managed according to the Risk Management Process (QP-007-Risk Management Process)

13 Corrective Action

The company's QP-009-Corrective and Preventative Action Process will be activated if this procedure fails to meet the desired objectives.

14 Updating and Distribution of this Document

The updating of this process can be initiated by the Process Owner following the procedure defined in the QP-008-Control of Documents and Records Process.

This policy can be updated at any time and when necessary, by the Information Officer.

This Policy should be reviewed on a continual improvement basis for suitability, adequacy, and effectiveness, or at least no less than every twelve months.

The distribution of this Policy is circulated to the following persons:

15 Management Review

Management should review this document on a continual improvement basis for suitability, adequacy, and effectiveness, and at least no less than every 12 months.

Reports required for the reviewing of input and output of this process are: