THE PROTECTION OF PERSONAL INFORMATION ACT (POPIA)
DATA SUBJECT PRIVACY POLICY
Preamble
The purpose of this policy is to advise the data subject why personal information is collected and processed, what data is in focus as well as how it is processed. The Company is committed to compliance with the POPI Act insofar as the utilisation and disclosure of personal information (PI) is concerned. Technical and organisational measures have been put in place to protect data subject privacy and the Company invites all data subjects and/ or requesters to engage with its Information Officer (IO) in respect of any matter related hereto.
Information Officer details
• Violet Dlamini
• info@capes.org.za
• 084 407 3469
• 1 Harcus Road, Bedfordview,2008
Scope of application
This policy applies to data subjects under the POPI Act and its principles extend to the Promotion of Access to Information Act (PAIA) in respect of requesters of records held by the Company. PI applies to both natural and juristic persons. Data subjects and requesters are invited to engage with the
Information Officer about any matter pertaining to the POPIA and PAIA, including but not limited to updating PI, deleting of PI, complaints in respect of how PI is being processed and updating consent for electronic direct marketing.
About the Company
The Confederation of Associations in the Private Employment Sector (CAPES) is an umbrella body, formed in 2002, when the need for a unified voice for the South African staffing industry became apparent. CAPES was created specifically to act as the lobbying organisation for the four primary staffing associations, who represent thousands of SME staffing businesses, and several of South Africa’s largest corporate staffing companies. CAPES, as a member of Business Unity South Africa (BUSA) and the Black Business Council (BBC), has been at the forefront of the negotiations in respect to the staffing industry
(since 2006) and extensively during the current broad labour law review. More details in this regard can
be obtained here
Definition of Personal Information (PI)
‘‘Personal information’’ means information relating to an identifiable, living, natural person, and where
it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social
origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion,
conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the
person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location
information, online identifier or other particular assignment to the person;
(d) the biometric information of the person; (e) the personal opinions, views or preferences of the
person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or
further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the
disclosure of the name itself would reveal information about the person;
Purpose of Collecting and Processing PI
The Company processes PI for various purposes including for –
• Engaging in various forms of direct marketing
• Facilitating transactions with data subjects
• Collecting data for statistical purposes to improve its services
• Fulfilling its contractual obligations to its clients and client contacts
• Complying with the provisions of statute and regulations
• Attending to the legitimate interests of data subjects
• Identifying prospects for enhanced service delivery and business sustainability
• Confirm and verify data subject identity or to verify that they are authorised users for security purposes;
• Conduct market or customer satisfaction research
• Audit and record keeping purposes
• In connection with legal proceedings.
Lawful Basis
In respect of the processing of PI as provided for above, The Company will adhere to the conditions for the lawful processing of PI, based on its desire to provide data subjects services in their best interests as well as a legitimate interest of the Company to achieve its business objectives. In addition, where personal information is transmitted across SA borders, the Company will ensure that the destination country and organisation has protections similar to those of POPI. In addition, where special personal information is processed, including under 18 year old data subjects, consent from the Information Regulator and/ or competent persons will be obtained as required.
Period of holding Personal Information The Company will use personal information for the purpose intended and this includes that it will try and keep the personal information up to date. The Company shall keep records of personal information for as long as it is required at law as a minimum and will regularly evaluate whether it should thereafter
be destroyed or de-identified. 8
Data Subject Rights
Data subjects have the right to request that THE COMPANY provide them with access to their PI, to rectify or correct their personal information, erase PI or restrict the processing of PI, including refraining from sharing it or otherwise providing it to any third parties. Data subjects also have the right to raise complaints with the Information Regulator. The afore-going rights may be subject to certain limitations pursuant to applicable law. In order to access any of these rights, access the Information Officer who is waiting to engage.
Sources of Personal Information (PI)
The Company gathers PI from several sources, which include directly from data subjects, publicly available sources such as websites, social media, commercial transactions with the Company, referrals, prospects, partner agreements, training engagements, conferences and the like. Given that PI can be extracted and/ or obtained from several sources and consolidated into one CRM or other similar systems of record, it may be difficult or impossible to identify the exact source of one particular piece of information.
Categories of Personal Information (PI) collected and processed
The Company collects information about data subjects that are part of its scope of operations.
Depending on the purpose of the transaction, some or all of the following categories of personal information on data subjects, historical or current, may be processed –
• Name and surname
• Identity number
• Race, gender & disability status
• Contact details (email, mobile)
• Birth date
• Position held and responsibilities
• Areas of interest in respect of the Company offerings
• Record of services used
• Email correspondence and attachments
• Organisation details
• Office address
• Office contact details
• Organisation email Address
• Organisation and data subject social media URL’s
• Other information that is available in the public domain.
We collect and process personal information mainly to process membership applications. Where possible, we will inform data subjects what information they are required to provide to the Company and what information is optional, as well as the consequences of not providing the said information.
Website usage information may be collected using “cookies” which allows the Company to collect standard internet visitor usage information.
Disclosure of information
The Company may disclose data subject PI to its third-party service providers who are involved in the delivery of products or services data subjects. The Company has agreements in place to ensure that it complies with the privacy requirements as required by the POPI Act.
The Company may also disclose data subject PI:
• Where it has a duty or a right to disclose in terms of law and/ or industry codes.
• Where it believes it is necessary to protect its rights.
Information Security
The Company is legally obliged to provide adequate systems, technical and organisational protection for the PI that it holds and to prevent unauthorized access to as well as prohibited use of PI. It will therefore on a regular basis review its security controls and related processes to ensure that the PI of data subjects remains secure.
The Company has conducted an impact assessment across all of its functions and used the findings thereof to manage risk optimally as well as to provide iterative improvements on an ongoing basis. The Company policies and procedures cover the following aspects –
• Physical security;
• Computer and network security;
• Access to personal information;
• Secure communications;
• Security in contracting out activities or functions;
• Retention and disposal of information;
• Acceptable usage of personal information;
• Governance and regulatory issues;
• Monitoring access and usage of private information;
• Investigating and reacting to security incidents.
The Company also ensures that it contracts with Operators as required by POPI and it requires appropriate security, privacy and confidentiality obligations of these operators in order to ensure that personal information is kept secure. The same protocols apply to any party to whom the Company may pass PI on to for the purposes mentioned herein.
How to contact us – Head Office and Information Officer
Our Head Office physical address is –
1 Harcus Road, Bedforview,2008
The information officer is –
Violet Dlamini
Email – info@capes.org.za
Mobile – 084 407 3469