1.Preamble
Batchelor Smith Marais Inc is an organisation that complies with the laws of South Africa and recognises that a person’s constitutional right to privacy is of the utmost importance; the protection of personal information is therefore vital for the sustainability and growth of our business.
2.Purpose
The purpose of this policy is to incorporate the requirements of the Protection of Personal Information Act No.4 of 2013 (hereafter called this Act) into the everyday operations of Batchelor Smith Marais Inc and to ensure that these requirements are documented and implemented in Batchelor Smith Marais Inc.
3.Scope
This policy is applicable to all employees in Batchelor Smith Marais Inc.
4.Objectives
Batchelor Smith Marais Inc and its employees shall adhere to this policy in the handling of all personal information received from, but not limited to, natural persons, employees, clients, suppliers, agents, representatives and business partners to ensure compliance with this Act, applicable regulations and other rules relating to the protection of personal information.
5.Management Declaration
Batchelor Smith Marais Inc, represented by the Information Officer, confirms that we have familiarised ourselves with the content of this Act, applicable regulations and other rules relating to the protection of personal information, and will strive to adhere to these requirements at all times.
6.Important Definitions
“automatic calling machine”: means a machine that is able to do automated calls without human intervention;
“binding corporate rules”: means personal information processing policies, within a group of undertakings, which are adhered to by Batchelor Smith Marais Inc or operator within that group of undertakings when transferring personal information to a business or operator within that same group of undertakings in a foreign country;
“data subject”: means the person to whom personal information relates;
“direct marketing”: means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of –
a)Promoting or offering to supply, in the ordinary course of business, any goods or service to the data subject; or
b)Requesting the data subject to make a donation of any kind for any reason.
“electronic communication”: means any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
“filing system”: means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.
“group undertakings”: means a controlling undertaking and its controlled undertakings;
“information officer”: of, or in relation to, a –
a)Public body means an information officer or deputy information officer as contemplated in terms of Section 1 or 17 of this Act; or
b)Private body means the head of a private body as contemplated in Section 1 of the Promotion of Access to Information Act.
“operator”: means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
“person”: means a natural person or a juristic person.
“personal information”: means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to –
a)Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b)Information relating to the education or the medical, financial, criminal or employment history of the person;
c)Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;
d)The biometric information of the person;
e)The personal opinions, views or preferences of the person;
f)Correspondence sent by the person that would reveal the contents of the original correspondence if the message is of a personal or confidential nature;
g)The views or opinions of another individual about the person; and
h)The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
“private body”: means –
a)A natural person who carries or has carried on any business or profession, but only in such capacity;
b)A partnership which carries or has carried on any trade, business or profession; or
c)Any former or existing juristic person, but excludes a public body.
“processing”: means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including –
a)The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
b)Dissemination by means of transmission, distribution or making available in any other form; or
c)Merging, linking, as well as restriction, degradation, erasure or destruction of information.
“Promotion of Access to Information Act”: means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000).
“public body”: means –
a)Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
b)Any other functionary or institution when –
I.Exercising a power or performing a duty in terms of the Constitution or provincial constitution; or
II.Exercising a public power or performing a public function in terms of any legislation.
“public record”: means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.
“record”: means any recorded information –
a)Regardless of form or medium, including any of the following:
I.Writing on any material;
II.Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
III.Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
IV.Book, map, plan, graph, or drawing;
V.Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
b)In the possession or under the control of a responsible party; and
c)Regardless of when it came into existence.
“regulator”: means the Information Regulator established in terms of Section 39.
“re-identify”: in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that –
a)Identifies the data subject;
b)Can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
c)Can be linked by a reasonably foreseeable method to other information that identifies the data subject, and
“re-identified” has a corresponding meaning.
“responsible party”: means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
“restriction”: means to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such information;
“special personal information”: means personal information as referred to in Section 26 of this Act.
“this Act”: means the Protection of Personal Information Act, No. 4 of 2013.
“unique identifier”: means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.
7.Batchelor Smith Marais Inc’s key principles in adhering to the requirements of the protection of personal information
Batchelor Smith Marais Inc and its employees are committed to the following principles:
·To give effect to the constitutional right to privacy, by safeguarding personal information when processed by Batchelor Smith Marais Inc, subject to justifiable limitations;
·To regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
·To be transparent in its standard operating procedures that govern the processing of personal information;
·To comply with the applicable legal and regulatory requirements regarding the processing of personal information;
·To collect personal information through lawful and fair means and to process personal information in a manner compatible with the purpose for which it was collected;
·Where required by law and according to local requirements, to inform data subjects when personal information is collected about them;
·Where required by law, regulations or guidelines, to obtain a data subject’s consent prior to processing his/her/its personal information;
·To strive to keep personal information accurate, complete, up-to-date and reliable for its intended use;
·To strive to develop reasonable security safeguards against risks, losses, unauthorised access, destruction, use, modification or disclosure of personal information;
·To strive to provide data subjects with the opportunity to access the personal information relating to them and, where applicable, to comply with requests to correct, amend or rectify the personal information where incomplete, inaccurate or not compliant with the standard operating procedures;
·To share personal information, such as permitting access, transmission or publication, with third parties (either within or outside Batchelor Smith Marais Inc), only if reasonable assurance can be provided that the recipient of such information will apply suitable privacy and security protection to the personal information;
·To comply with any restrictions and requirements that apply to the Transborder Information Flow Policy.
8.Procurement of Personal Information
8.1Personal information collected by Batchelor Smith Marais Inc and/or any of its representatives, will be collected directly from the data subject, unless –
a)The information is contained or derived from a public record or has deliberately been made public by the data subject;
b)The data subject or a competent person where the data subject is a child, has consented to the collection of the information from another source;
c)Collection of the information from another source would not prejudice a legitimate interest of the data subject;
d)Collection of the information from another source is necessary –
I.To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II.To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III.For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
IV.In the interest of national security; or
V.To maintain the legitimate interests of Batchelor Smith Marais Inc or of a third party to whom the information is supplied;
e)Compliance would prejudice a lawful purpose of the collection; or
f)Compliance is not reasonably practicable in the circumstances of the particular case.
8.2Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Batchelor Smith Marais Inc.
8.3Steps will be taken to ensure that the data subject is aware of the purpose of the collection of the information.
8.4Batchelor Smith Marais Inc will take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which the personal information is collected and further processed.
8.5Where personal information is collected from a data subject, Batchelor Smith Marais Inc will take reasonably practicable steps to ensure that the data subject is aware of –
a)The information being collected and where the information is not collected from the data subject, the source from which it is collected;
b)The name and address of Batchelor Smith Marais Inc;
c)The purpose for which the information is being collected;
d)Whether or not the supply of the information by the data subject is voluntary or mandatory;
e)The consequences of failure to provide the information;
f)Any particular law authorising or requiring the collection of the information;
g)The fact that, where applicable, Batchelor Smith Marais Inc intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisations;
h)Any further information such as the –
I.Recipient or category of recipients of the information;
II.Nature or category of the information;
III.Existence of the right of access to and the right to rectify the information collected;
IV.Existence of the right to object to the processing of personal information;
Which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
8.6The steps referred to in clause 8.5 must be taken –
a)If the personal information is collected directly from the data subject, prior to the information being collected, unless the data subject is already aware of the information as referred to in clause 8.5;
b)In any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
8.7It will not be necessary for Batchelor Smith Marais Inc to comply with clause 8.5 if –
a)The data subject or a competent person if the data subject is a child has provided consent for the non-compliance;
b)Non-compliance would not prejudice the legitimate interests of the data subject;
c)Non-compliance is necessary –
I.To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II.To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III.For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
IV.In the interest of national security.
d)Compliance would prejudice a lawful purpose of the collection;
e)Compliance is not reasonably practicable in the circumstances of the particular case; or
f)The information will –
I.Not be used in a form in which the data subject may be identified; or
II.Be used for historical, statistical or research purposes.
9.Processing of Personal Information
9.1Personal information will only be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
9.2Personal information may only be processed if –
a)given the purpose for which it was processed, it is adequate, relevant and not excessive;
b)the data subject or a competent person where the data subject is a child consents to the processing;
c)processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party;
d)processing complies with an obligation imposed by law on Batchelor Smith Marais Inc;
e)processing protects a legitimate interest of the data subject;
f)processing is necessary for the proper performance of a public law duty by a public body; or
g)processing is necessary for pursuing the legitimate interest of Batchelor Smith Marais Inc or of a third party to whom the information is supplied.
9.3In the event that Batchelor Smith Marais Inc appoints or authorises an operator to process any personal information on its behalf or for any reason, it will implement necessary agreements to ensure that the operator or anyone processing personal information on behalf of Batchelor Smith Marais Inc or an operator, must –
a)Process such information only with the knowledge or authorisation of Batchelor Smith Marais Inc; and
b)Treat personal information which comes to his/her/its knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of his/her/its duties.
9.4Batchelor Smith Marais Inc must maintain the documentation of all processing operations under its responsibility.
10.Further Processing of Personal Information
10.1Batchelor Smith Marais Inc must ensure that the further processing of personal information is compatible with the purpose for which it was collected.
10.2To assess whether further processing is compatible with the purpose of collection, Batchelor Smith Marais Inc will take account of –
a)The relationship between the purpose of the intended further processing and the purpose for which the information was collected;
b)The nature of the information concerned;
c)The consequences of the intended further processing for the data subject;
d)The manner in which the information has been collected; and
e)Any contractual rights and obligations between the parties.
10.3The further processing of personal information will not be incompatible with the purpose of collection if –
a)The data subject or competent person where the data subject is a child, has consented to the further processing of the information;
b)The information is available in or derived from a public record or has deliberately been made public by the data subject;
c)Further processing is necessary –
I.To avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
II.To comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue;
III.For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
IV.In the interest of national security;
d)The further processing of the information is necessary to prevent or mitigate a serious and imminent threat to –
I.Public health or public safety; or
II.The life or health of a data subject or other individual(s);
e)The information is used for historical, statistical or research purposes and Batchelor Smith Marais Inc ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form.
11.Retention and Restriction of Records
11.1Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless –
a)The retention of a record is required or authorised by law;
b)Batchelor Smith Marais Inc reasonably requires a record for lawful purposes related to its functions or activities;
c)Retention of a record is required by a contract between the parties thereto; or
d)The data subject or a competent person where the data subject is a child has consented to the retention of a record.
11.2Information collected or processed initially for the purposes of historical, statistical or research value, may be retained for a period longer than contemplated in clause 10.1, providing Batchelor Smith Marais Inc has appropriate measures in place to safeguard these records against uses other than what it was intended for initially.
11.3Batchelor Smith Marais Inc will destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after Batchelor Smith Marais Inc is no longer authorised to retain a record.
11.4The de-identifying or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible/understandable form.
11.5In the event that Batchelor Smith Marais Inc uses a record of personal information of a data subject to make a decision about the data subject, it must –
a)Retain the record for such period as may be required or prescribed by law or a code of conduct; or
b)If there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the data subject a reasonable opportunity, taking all considerations relating to the use of the personal information into account, to request access to the record.
11.6Batchelor Smith Marais Inc will restrict the processing of personal information if –
a)Its accuracy is contested by the data subject, for a period enabling Batchelor Smith Marais Inc to verify the accuracy of the information;
b)Batchelor Smith Marais Inc no longer needs the personal information for achieving the purpose for which it was collected or subsequently processed, but it has to be maintained for purposes of proof;
c)The processing is unlawful and the data subject opposes its destruction or deletion and requests the restriction of its use instead; or
d)The data subject requests to transmit the personal data into another automated processing system.
11.7Personal information that has been restricted may only be processed for purposes of proof, or with the data subject’s consent, or with the consent of a competent person where the data subject is a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
11.8Where personal information is restricted, Batchelor Smith Marais Inc will inform the data subject before lifting the restriction.
12.Security Safeguards
12.1Batchelor Smith Marais Inc will secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent –
a)Loss of, damage to or unauthorised destruction of personal information; and
b)Unlawful access to or processing of personal information.
12.2Batchelor Smith Marais Inc will take responsible measures to –
a)Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
b)Establish and maintain appropriate safeguards against the risks identified;
c)Regularly verify that the safeguards are effectively implemented; and
d)Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
12.3Batchelor Smith Marais Inc will have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.
12.4Batchelor Smith Marais Inc will, in terms of a written contract between Batchelor Smith Marais Inc and the operator, ensure that the operator which processes personal information for Batchelor Smith Marais Inc, establishes and maintains the security measures as referred to in clause 12.1 – 12.3.
12.5The operator will inform Batchelor Smith Marais Inc immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
13.Security Compromises
13.1Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, Batchelor Smith Marais Inc will notify –
a)The Information Regulator; and
b)The data subject, unless the identity of such data subject cannot be established.
13.2The notification of a breach will be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of Batchelor Smith Marais Inc’s information system.
13.3Batchelor Smith Marais Inc will only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offences or the Regulator determines that notification will impede a criminal investigation by the public body concerned.
13.4The notification to a data subject will be in writing and communicated to the data subject in at least one of the following ways:
a)Posted to the data subject’s last known physical or postal address; or
b)Sent by e-mail to the data subject’s last known e-mail address; or
c)Placed in a prominent position on the website of Batchelor Smith Marais Inc; or
d)Published in the news media.
13.5The notification will provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including –
a)A description of the possible consequences of the security compromise;
b)A description of the measures that Batchelor Smith Marais Inc intends to take or has taken to address the security compromise;
c)A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and
d)If known to Batchelor Smith Marais Inc, the identity of the unauthorised person who may have accessed or acquired the personal information.
14. Rights of the Data Subject
14.1The data subject or competent person where the data subject is a child, may withdraw his, her or its consent to procure and process his, her or its personal information, at any time, providing that the lawfulness of the processing of the personal information before such withdrawal or the processing of personal information in terms of clause 9.2 (c) – (g), is not affected.
14.2A data subject may object, at any time, to the processing of personal information –
a)In terms of clause 9.2 (c) – (g), in writing, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
b)For purposes of direct marketing other than direct marketing by means of unsolicited electronic communications.
14.3A data subject, having provided adequate proof of identity, has the right to –
a)Request Batchelor Smith Marais Inc to confirm, free of charge, whether or not Batchelor Smith Marais Inc holds personal information about the data subject; and
b)Request from Batchelor Smith Marais Inc a record or a description of the personal information about the data subject held by Batchelor Smith Marais Inc, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information –
I.Within a reasonable time;
II.At a prescribed fee as determined by the Information Officer;
III.In a reasonable manner and format; and
IV.In a form that is generally understandable.
14.4A data subject may, in the prescribed manner, request Batchelor Smith Marais Inc to –
a)Correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or
b)Destroy or delete a record of personal information about the data subject that Batchelor Smith Marais Inc is no longer authorised to retain.
14.5Upon receipt of a request referred to in clause 14.4, Batchelor Smith Marais Inc will, as soon as reasonably practicable –
a)Correct the information;
b)Destroy or delete the information;
c)Provide the data subject, to his, her or its satisfaction, with credible evidence in support of the information; or
d)Where an agreement cannot be reached between Batchelor Smith Marais Inc and the data subject, and if the data subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
14.6Batchelor Smith Marais Inc will inform the data subject, who made a request as set out in clause 14.5, of the action taken as a result of the request.
15. Request for Disclosure
Batchelor Smith Marais Inc will respond promptly when data subjects request notification of purpose of use, disclosure, correction, addition or deletion of details, and suspension of use or elimination relating to personal information held by Batchelor Smith Marais Inc.
16. Monitoring and Enforcement
Each employee of Batchelor Smith Marais Inc will be responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes.
Managers and responsible employees will be trained according to their functions in legal requirements, policies and guidelines that govern the protection of personal information in Batchelor Smith Marais Inc. Batchelor Smith Marais Inc will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy law and its policies, this Act and any applicable regulations. Employees who violate the guidelines and standard operating procedures of this policy may be subject to disciplinary action being taken against them.
17. Point of Contact
Requests, disclosures, questions, complaints and any other inquiries relating to the handling, collection, processing or re-identifying of personal information shall be directed to the Information Officer or Deputy Information Officer(s) as referred to in the Information Officer Policy.
18. Standard Operating Procedures
Each department will establish appropriate privacy standard operating procedures that are consistent with this policy, local customs and practices as well as legal and regulatory requirements.