
POPIA applies to the…

  • PROCESSING of PERSONAL INFORMATION of a DATA SUBJECT that is entered in a RECORD by or for a RESPONSIBLE PARTY, using automated or non-automated means (Section 3(1)(a));
  • provided that, where the RECORD is PROCESSED by non-automated means (e.g., paper files, photographs, x-rays), it forms part of a FILING SYSTEM or is intended to form part of one;
  • where the RESPONSIBLE PARTY is domiciled in the Republic (Section 3(1)(b)(i)), or is not domiciled in the Republic but makes use of automated or non-automated means in the Republic (Section 3(1)(b)(ii));
  • unless those means are used only to forward PERSONAL INFORMATION through the Republic.

What Is Meant by Processing?

PROCESSING means any operation or activity, or any set of operations, whether or not by automatic means, concerning PERSONAL INFORMATION. In terms of paragraph (a) of the definition in Section 1, it includes the following:

  • Collection
  • Receipt
  • Recording
  • Organisation
  • Collation
  • Storage
  • Updating
  • Modification
  • Retrieval
  • Alteration
  • Consultation
  • Use in general

PROCESSING further means any activity, whether by automatic means relating to PERSONAL INFORMATION, including DISSEMINATION according to Section 1(b) implies the Dissemination of Personal Information using:

  • Transmission
  • Distribution

Processing also pertains to what is described as dissemination, which includes all activities regarding DATA SUBJECT’s PERSONAL INFORMATION.

In terms of paragraph (c), PROCESSING also includes the following operations on PERSONAL INFORMATION:

  • Merging
  • Linking
  • Restriction
  • Degradation
  • Erasure
  • Destruction

PROCESSING SUBJECT TO PRIOR AUTHORISATION means that a RESPONSIBLE PARTY must obtain prior authorisation from the Information Regulator (Section 57(1)) before it:

  • processes unique identifiers of DATA SUBJECTS for a purpose other than the one explicitly intended at collection, and with the aim of linking that information with information processed by other RESPONSIBLE PARTIES (Section 57(1)(a));
  • processes information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties (Section 57(1)(b));
  • processes information for the purposes of credit reporting (Section 57(1)(c)); or
  • transfers SPECIAL PERSONAL INFORMATION, or PERSONAL INFORMATION of children, to a third party in a foreign country that does not provide an adequate level of protection (Section 57(1)(d)).

Keywords.

  • Access: the right, the opportunity, or the means of finding, using, or retrieving information
  • Accountability: the condition that individuals, organisations, and the community are responsible for their actions and may be required to explain them to others
  • Anonymous information: information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
  • Anti-malware: software designed to identify and prevent malicious software, or malware, from infecting computer systems or electronic devices.
  • Antivirus: software designed to detect and destroy computer viruses.
  • Automated decision making: Decisions made by machines (computers) without human intervention. For example, to automatically accept or deny an online credit application or the automated processing of CVs that evaluates (profiles) personal aspects to determine if they qualify for a position.
  • Availability: The guarantee of reliable access to information by authorised people
  • Binding corporate rules: personal information processing policies within a group of undertakings which are adhered to by a responsible party or operator within that group when transferring personal information to a responsible party or operator within the same group in a foreign country.
  • Biometric data: Personal information resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopy data.
  • Child: a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.
  • Classification: the process of assigning an appropriate level of type to an information asset to ensure it receives an adequate level of protection
  • Confidentiality: the assurance that information is accessible only to those authorised to have access, enforced by a set of rules that limits access to it.
  • Consent: any voluntary, specific and informed expression of will by the data subject in terms of which permission is given for the processing of personal information.
  • Continuity: encompasses planning and preparation to ensure that an organisation can continue to operate in case of serious incidents or disasters and can recover to an operational state within a reasonably short period
  • Core activities: the core activities of a responsible party are its primary activities, as opposed to the processing of personal information as an ancillary activity. Paying the salaries of its workers is an ancillary activity for most organisations. The core activity of a hospital, however, is to provide health care, which it cannot do safely and effectively without processing health data such as health records; that processing is therefore a core activity, not an ancillary one.
  • Data mapping: the process used to identify what personal information you use, why you use it, how sensitive it is, how long you may retain it, where you process it and where you collect it.
  • Data subject: the person to whom the personal information relates.
  • De-identified: information that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
  • Delete, deletion, destroy, erasure: the process of eliminating records beyond any possible reconstruction.
  • Disaster recovery: the process or actions by which an organisation minimises the effects of a disruptive incident and continues operating or quickly resumes mission-critical functions.
  • Encryption: the process of converting information or data into a code, mainly to prevent unauthorised access.
  • Filing system: any structured set of personal information which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis
  • Genetic: personal information relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular, DNA or RNA analysis
  • Genetic data: personal information relating to a natural person’s inherited or acquired genetic characteristics, which give unique information about that natural person’s physiology or health and result from an analysis of a biological sample from the natural person in question.
  • Group of undertakings: a controlling undertaking and its controlled undertakings
  • Health: personal information relating to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her past, current or future health status.
  • High-risk: activities including, but not limited to, extensive scale data processing, which could affect many individuals; regular and systematic monitoring; the transfer of personal information to countries that don’t have adequate privacy
  • Information officer: in relation to a private body, the head of the private body as contemplated in section 1 of the Promotion of Access to Information Act; in relation to a public body, the information officer or deputy information officer as contemplated in sections 1 or 17 of that Act.
  • Integrity: the assurance that information is trustworthy and accurate
  • International organisation: an organisation and its subordinate bodies governed by public international law, or any other body set up by, or based on, an agreement between two or more countries.
  • Large-scale data processing: examples include – patient data in the regular course of business by a hospital; travel data of individuals using a city’s public transport system (e.g. tracking via travel cards); real-time geo-location data of customers of an international fast-food chain for statistical purposes by an Operator specialised in these activities; customer data in the regular course of business by an insurance organisation or a bank; personal information for behavioural advertising by a search engine; data (content, traffic, location) by telephone or internet service providers. Examples that do not constitute large-scale processing include processing patient data by a single physician and processing personal information relating to criminal convictions and offences by an individual lawyer.
  • Operator: a natural or legal person, public authority, agency or other body which processes personal information on behalf of the Responsible Party
  • Personal information: information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
  • Personal information impact assessment: a systematic process for evaluating the potential impact of information processing risks that are likely to affect the privacy rights of individuals.
  • Policy (policies): clear and measurable statements of preferred direction and behaviour to condition the decisions made within an organisation.
  • Process: a set of interrelated or interacting activities that transforms inputs into outputs
  • Processing: any operation or set of operations performed on personal information or on sets of personal information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Profiling: any form of automated processing of personal information consisting of the use of personal information to evaluate certain unique aspects relating to a natural person, to analyse or predict characteristics concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
  • Regular and systematic monitoring: examples include – operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for purposes of risk assessment (e.g., credit scoring, fraud prevention or detection); location tracking (for example, by mobile apps); loyalty programs; behavioural advertising; fitness and health data via wearable devices; CCTV; connected devices.
  • Responsible Party: a public or private body or any other person that, alone or in conjunction with others, determines the purpose and means for processing personal information.
  • Restriction: to withhold from circulation, use or publication any personal information that forms part of a filing system, but not to delete or destroy such data – for example – temporarily moving the data to another processing system, making the data unavailable to users, or temporarily removing published data from a website.
  • Risk: a threat of damage, injury, liability, loss, or any other negative occurrence caused by external or internal vulnerabilities that may be avoided or mitigated through pre-emptive action.
  • Security compromise: a compromise of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information transmitted, stored or otherwise processed.
  • Special personal information: personal information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.
  • Technical and organisational measures: internal policies as well as measures which meet the conditions of privacy, among other things – minimising the processing of personal information; de-identifying personal information as soon as possible; transparency concerning the functions and processing of personal data; enabling the data subject to monitor the data processing; using Operators who provide the appropriate guarantees; ensuring the proper security measures, including confidentiality; maintaining data quality; conducting privacy impact assessments; on-going training and awareness of staff.
  • The Regulator: The Information Regulator established in terms of section 39 of POPIA
  1. The company acknowledges that the personal information of data subjects needs to be protected.
  2. The company commits to conducting a risk impact assessment to protect the personal information of data subjects.

As part of the risk assessment, the Information Officer (IO) will give each risk factor a rating.

The outcome of the evaluation will determine the priorities in the risk mitigation strategy.

The company commits to the principle that the person who instructs the company's information technology contractors remains responsible for the processing of the information. The company has addressed the security of all personal information, including but not limited to the following areas:

  • On endpoints.
  • Data in transit.
  • Data stored in the cloud.
  • Protection against malware (viruses, trojans, worms) and phishing.

The company has obtained a commitment from all operators (processors) of personal information to apply the strictest security and confidentiality to all personal information, and to take personal responsibility for the measures that protect personal information on all electronic equipment.

Incident Management and Data Breach Incident Plan.

The data subject remains the owner of his, her or its personal information.

The data subject is the sole stakeholder in his, her or its confidential information, and the company acknowledges this.

The company has approved procedures to manage incidents that may have implications under the POPI Act.

Roles and responsibilities are known to all responsible data processors and are ready to be put into effect when an incident occurs.

A Data Breach Action Plan.

A data breach action plan includes, but is not limited to, the following:

  • All parties involved in the incident will assist one another to deal with the breach as soon as possible, using all permitted means.
  • When an incident occurs, the Information Officer (IO) of the company will, in line with the POPI Act, discuss the incident with no one other than the employee's direct manager.
  • Managers may only discuss incidents with the CEO.
  • The CEO may only discuss the matter with the board of directors, whereafter the board will direct the CEO.
  • Once a breach is confirmed, the CEO will notify, as prescribed by section 22 of the POPI Act, the Regulator and the affected data subjects, as well as anyone else the breach may affect.
  • The IO will document the following:
    • all risks, incidents and threats;
    • all responses to the above;
    • details of the breach, i.e., time, place, format of the data, size of the breach, causes and possible consequences;
    • an action plan to remedy the breach, with the roles and responsibilities of all parties involved.
  • The company has forms and written procedures for every step of each stage of a breach.

What personal data we collect and why we collect it

When visitors leave comments on the site, we collect the data shown in the comments form, together with the visitor's IP address and browser user agent string to help with spam detection.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. Because the hash is a deterministic digest of the address, it is pseudonymous rather than truly anonymous: anyone holding the hash can test candidate addresses against it.

The Gravatar service privacy policy is available here: https://automattic.com/privacy/.

After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download any image and extract the location data from it.
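What that leak looks like in practice, as an added example that is not part of the original page: the script below uses only the Python standard library to read the GPS coordinates out of a JPEG's Exif APP1 segment, which is exactly what a visitor who downloads the image can do, and then strips the segment before the file is served. The sample JPEG is constructed inline (marker segments only, not a decodable picture) with made-up coordinates, and every helper name is the example's own.

```python
"""Read and strip EXIF GPS data from a JPEG with the standard library only.
Added example, not code from the original page; the JPEG below is a constructed skeleton."""
import struct

SOI, EOI, SOS, APP0, APP1, DQT = 0xD8, 0xD9, 0xDA, 0xE0, 0xE1, 0xDB
GPS_IFD_POINTER = 0x8825                  # IFD0 tag whose value is the offset of the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4   # GPS IFD tags


def _header_segments(jpeg):
    """Split a JPEG into ([(marker, raw_segment)], tail): the marker blocks before the
    first SOS/EOI, and everything from that marker on (scan data, EOI), never touched."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segs, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (SOS, EOI):
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # length field counts itself
        segs.append((jpeg[pos + 1], jpeg[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]


def _is_exif(marker, seg):
    return marker == APP1 and seg[4:10] == b"Exif\x00\x00"


def _read_ifd(tiff, off, e):
    """Return {tag: (type, count, 4-byte value/offset field)} for the IFD at off."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        base = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries


def _dms(tiff, off, e, ref):
    """Three RATIONALs (degrees, minutes, seconds) at off -> signed decimal degrees."""
    parts = [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
    d, m, s = (num / den if den else 0.0 for num, den in parts)
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, seg in _header_segments(jpeg)[0]:
        if not _is_exif(marker, seg):
            continue
        tiff = seg[10:]                          # TIFF header follows "Exif\0\0"
        e = "<" if tiff[:2] == b"II" else ">"    # byte-order mark: II little, MM big
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_IFD_POINTER not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0], e)
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None
        lat = _dms(tiff, struct.unpack(e + "I", gps[LAT][2])[0], e, chr(gps[LAT_REF][2][0]))
        lon = _dms(tiff, struct.unpack(e + "I", gps[LON][2])[0], e, chr(gps[LON_REF][2][0]))
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; everything else kept verbatim."""
    segs, tail = _header_segments(jpeg)
    return b"\xff\xd8" + b"".join(s for m, s in segs if not _is_exif(m, s)) + tail


# --- constructed sample: a JPEG skeleton whose Exif block carries made-up coordinates ---
def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def _tiff_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Big-endian TIFF: IFD0 -> GPS IFD -> two RATIONAL triplets, offsets computed by hand."""
    e = ">"
    entry = lambda tag, typ, count, field: struct.pack(e + "HHI", tag, typ, count) + field
    rationals = lambda dms: b"".join(struct.pack(e + "II", v, 1) for v in dms)
    gps_off, lat_off, lon_off = 26, 80, 104   # 8 header + 18 IFD0 = 26; + 54 GPS IFD = 80; + 24
    tiff = b"MM\x00\x2a" + struct.pack(e + "I", 8)
    tiff += struct.pack(e + "H", 1) + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off)) + b"\0" * 4
    tiff += struct.pack(e + "H", 4)
    tiff += entry(LAT_REF, 2, 2, lat_ref.encode() + b"\0" * 3)
    tiff += entry(LAT, 5, 3, struct.pack(e + "I", lat_off))
    tiff += entry(LON_REF, 2, 2, lon_ref.encode() + b"\0" * 3)
    tiff += entry(LON, 5, 3, struct.pack(e + "I", lon_off)) + b"\0" * 4
    assert len(tiff) == lat_off                # layout sanity check
    return tiff + rationals(lat_dms) + rationals(lon_dms)


SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00" + _tiff_with_gps((33, 55, 0), "S", (18, 25, 0), "E"))
    + _segment(DQT, bytes(65))                                        # placeholder table
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"   # fake scan data
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("coordinates a visitor can read:", extract_gps(SAMPLE_JPEG))
    print("after stripping:", extract_gps(strip_exif(SAMPLE_JPEG)))
```

To check a real upload, replace SAMPLE_JPEG with the file's bytes. Stripping removes the whole Exif block rather than only the GPS IFD, which is the safe default for a public upload; the non-Exif segments and the scan data are copied unchanged, so the picture still renders. Other containers (PNG, HEIC) store Exif in their own structures and need separate handling.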

Cookies

If you leave a comment on our site, you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

We will also set up several cookies to save your login information and screen display choices when you log in. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and indicates the post ID of the article you just edited. It expires after one day.

Embedded content from other websites.

Articles on this site may include embedded content (e.g. videos, images and articles). Embedded content from other websites behaves similarly as if the visitor has visited the other website. These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Analytics

Whom we share your data with and how long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can automatically recognise and approve any follow-up comments instead of holding them in a moderation queue.

For users who register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except that they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site or have left comments, you can request to receive an exported file of the personal data we hold about you, including any information you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.

Additional information is available upon request.

  • How we protect your data
  • What data breach procedures we have in place
  • What third parties we receive data from
  • What automated decision making and profiling we do with user data
  • Industry regulatory disclosure requirements

Godspeed Digital Agency is, for the purposes of the POPI Act, an organisation that engages in all aspects of business.

It follows that personal information could be processed in some of the following categories:

  • Employees
  • Clients
  • Vendors
  • Stakeholders, e.g. shareholders
  • Governing bodies, e.g. directors
  • Statutory bodies, e.g. SARS
  • Public viewers, e.g. website visitors
  • Hostile intruders, e.g. hackers

You can obtain a list of the operators (the persons who have access to the data) by contacting the information officer of the company.

The following general information is collected from the parties above:

  • Name
  • Surname
  • Address
  • Contact Details
  • All labour-related information
  • All client information relating to accounting, products, services in common
  • All vendor information about accounting, products, services in common
  • Information stakeholders could be interested in
  • Information governing bodies could be interested in
  • All Statutory information on which the company is to report/act upon
  • Data destined for marketing and sales in future
  • The purpose for holding information

Godspeed Digital Agency undertakes to protect personal information as prescribed by the POPI Act. The company treats all personal information as private and handles it in accordance with the POPI Act. Godspeed Digital Agency will at all times measure the risk of a breach of the POPI Act and actively manage that risk on a daily basis.

Any questions relating to the abovementioned can be forwarded in writing to the information officer, Jack Martin, at jack@godspeed.capetown.