This policy applies to BHBW South Africa (Pty) Ltd (BHBW).
POPIA defines “Personal Information” widely and includes information which relates to an identifiable living or natural person and where applicable an existing juristic person (such as a company or a trust). The individual or juristic person that the Personal Information relates to is referred to as the Data Subject. Examples of Personal Information may include:
2.1 race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a Data Subject;
2.2 information relating to the education or the medical, financial, criminal or employment history of the Data Subject;
2.3 any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignments to the Data Subject;
2.4 the biometric information of the Data Subject, including photographs;
2.5 the personal opinions, views or preferences of the Data Subject;
2.6 private or confidential correspondence; and
2.7 another person’s views or opinions about the Data Subject.
3.1 The objective of this policy is to establish a framework within which the data protection and privacy obligations with respect to the management and handling of Personal Information imposed by POPIA are implemented through supporting processes and procedures, to discharge BHBW’s regulatory obligations.
3.2 This policy applies to all Personal Information held and processed by BHBW in the Republic of South Africa or relating to South African persons. This includes Personal Information:
(1) held in any system or format, whether electronic or physical;
(2) processed by employees (permanent and temporary), as well as individuals conducting work at or for BHBW, who have access to BHBW’s information (together “Authorised Users”);
(3) relating to employees, clients, third party providers and Authorised Users; and
(4) accessed from all locations, including outside of BHBW offices/premises.
4.1 BHBW needs Personal Information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is collected, stored, used, disseminated or deleted (Processed) and the purpose for which it is Processed is determined by BHBW. BHBW is accordingly a Responsible Party for the purposes of POPIA and must ensure that the Personal Information of a Data Subject:
(1) is processed lawfully, fairly and transparently. This includes the provision of appropriate information to Data Subjects when their data is collected by BHBW, in the form of privacy or data collection notices. BHBW must also have a legal basis (for example, consent) to process Personal Information;
(2) is processed only for the purposes for which it was collected;
(3) will not be processed for a secondary purpose unless that processing is compatible with the original purpose;
(4) is adequate, relevant and not excessive for the purposes for which it was collected;
(5) is accurate and kept up to date;
(6) will not be kept for longer than necessary;
(7) is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that Personal Information, in both physical and electronic form, is subject to an appropriate level of security when stored, used and communicated by BHBW, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage;
(8) is processed in accordance with the rights of Data Subjects, where applicable. Data Subjects have the right to:
(a) be notified that their Personal Information is being collected by BHBW. The Data Subject also has the right to be notified in the event of a data breach (see 1.1(4) below);
(b) know whether BHBW holds Personal Information about them, and to access that information. Any request for information must be handled in accordance with the BHBW Promotion of Access to Information Manual;
(c) request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained Personal Information;
(d) object to BHBW’s use of their Personal Information and request the deletion of such Personal Information (deletion would be subject to BHBW’s record-keeping requirements);
(e) object to the processing of Personal Information for purposes of direct marketing by means of unsolicited electronic communications; and
(f) complain to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its Personal Information.
4.2 BHBW must also ensure that adequate processes and procedures are in place to manage:
(1) Cross-border transfers
Personal Information may not be transferred outside of South Africa without the appropriate consents and controls in place. Personal Information may only be transferred to a foreign country in limited circumstances, such as with the Data Subject’s informed consent; where the foreign recipient is subject to privacy and data protection obligations similar to those imposed by POPIA; where the transfer is part of the performance of a contract to which the Data Subject is a party; or where the transfer is for the benefit of the Data Subject, it is not reasonably practicable to obtain the Data Subject’s consent, and such consent would be likely to be given.
(2) Sensitive Information
Additional conditions and safeguards must be applied when dealing with information relating to (1) children (i.e. under the age of 18) and with (2) Special Personal Information i.e. information relating to a Data Subject’s:
(a) religious or philosophical beliefs;
(b) race or ethnic origin;
(c) trade union membership;
(d) political persuasion;
(e) health or sex life;
(f) biometric information; or
(g) criminal convictions or charges.
(3) Processing of Account Numbers
Special care and controls must be applied when processing the account numbers of Data Subjects in order to mitigate the high risk of identity theft and fraud.
(4) Data Breaches
In the event that Personal Information relating to an identifiable Data Subject has been accessed or acquired by an unauthorised person, BHBW must inform both the South African Information Regulator established under POPIA (“the Information Regulator”) and the relevant Data Subject.
5.1 The Information Officer is responsible for ensuring BHBW’s compliance with POPIA.
5.2 The Information Officer must be registered with the Information Regulator prior to performing his or her duties (which include ensuring compliance with POPIA, assisting the Information Regulator with investigations and dealing with subject access requests). Employees may be designated as deputy information officers to assist with these duties.
6.1 ‘Employees’ as referred to in this policy include both permanent employees and temporary employees/contractors.
6.2 All Employees must:
(1) familiarise themselves with the content of this policy and the data protection obligations that BHBW is subject to;
(2) complete data protection training every two years, and must seek advice and guidance from the Information Officer if clarification is required; and
(3) immediately report to the BHBW Information Officer any actual or suspected misuse, unauthorised disclosure or exposure of Personal Information, “near misses” or working practices which jeopardise the security of Personal Information held by BHBW.
Employees in breach of this policy will be dealt with in terms of BHBW’s disciplinary code processes.
This policy and its implementation are subject to internal monitoring and auditing throughout BHBW, and the outcomes from these processes will inform and improve practices as part of BHBW’s commitment to POPIA compliance. BHBW may also be audited on its data protection / privacy control measures by external bodies. Reports on matters related to this Policy will be provided to the Information Officer.