SMILE FOUNDATION
Protection of Personal Information Act, 2013 (“POPIA Policy”)
- POLICY STATEMENT
- Everyone has rights with regard to how their personal information is handled. During the course of its activities the Smile Foundation will collect, store and process personal information about the Smile Foundation staff, customers, suppliers and other third parties. The Smile Foundation recognises the need to treat it in an appropriate and lawful manner.
- Any breach of this policy amounts to serious misconduct and may result in disciplinary action.
- RELEVANT DEFINITIONS
- The following terms bear the meaning given to them here in this policy and its annexures:
- “Data subjects” for the purpose of this policy include all living individuals and juristic persons about whom the Smile Foundation holds personal information. All data subjects have legal rights in relation to their personal information.
- “IO” means the information officer appointed as such by the Smile Foundation in terms of section 56 of POPIA and who will have the ultimate responsibility to ensure that the Smile Foundation complies with the provisions of POPIA.
- “Operators” include any person who processes personal information on behalf of a responsible party. Employees of responsible parties are excluded from this definition but it could include suppliers which handle personal information on the Smile Foundation’s behalf.
- “Personal information” means information relating to an identifiable, living, natural person, and (where applicable) an identifiable, existing juristic person, including the name, race, gender, marital status, address and identifying number of a person, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
- “POPIA” means the Protection of Personal Information Act 4 of 2013.
- “Processing” is any activity that involves use of personal information. It includes any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
- “Processing conditions” are the 8 (eight) conditions for the lawful processing of personal information set out in chapter 3 of POPIA.
- “Regulator” means the Information Regulator established in terms of section 39 of POPIA.
- “Responsible parties” are the people who or organisations which determine the purposes for which, and the manner in which, any personal information is processed. They have a responsibility to establish practices and policies in line with POPIA. The Smile Foundation is the responsible party for all personal information used in its business. [Note: Each subsidiary is a responsible party in its own right.]
- “Special personal information” includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
- “Users” include employees whose work involves using personal information. Users have a duty to protect the information they handle by following the Smile Foundation data privacy and data protection policies at all times.
- ABOUT THIS POLICY
- This policy applies to all Users and will come into effect when POPIA becomes fully effective.
- The types of information that the Smile Foundation may be required to handle include details of current, past and prospective employees, clients, suppliers, and others that the Smile Foundation deals with. The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in POPIA and other regulations. POPIA imposes restrictions on how the Smile Foundation may use that information.
- POPIA applies to the automated or non-automated processing of personal information entered into a record in any form (provided that when the recorded personal information is processed by non-automated means, it forms part of a filing system or is intended to form part thereof) by or for The Smile Foundation.
- This policy sets out the Smile Foundation’s rules on personal information protection and the legal conditions that must be satisfied in relation to the obtaining, handling, processing, storage, transportation and destruction of personal information.
- This policy does not form part of any employee’s contract of employment and may be amended at any time.
- The IO is responsible for ensuring compliance with POPIA and with this policy. That post is held by Ellen Moira Gerszt, Acting CEO/CIO, 011 325 6480, moira@smilefoundationsaorg. Any questions or concerns about the operation of this policy should be referred in the first instance to the IO.
- If you consider that the policy has not been followed in respect of personal information about yourself or others you should raise the matter with your line manager or the IO.
- PURPOSE OF THE POLICY
- The purpose of the policy is to establish management direction and high-level objectives for regulating the manner in which personal information is processed and to provide for remedies in cases where personal information is not handled accordingly. Further purposes of the policy include:
- the supplementation of the Smile Foundation policies and to align it with South African laws;
- compliance with the requirements of POPIA;
- the identification and codification of documents and ensuring adequate protection and maintenance of accuracy of documents where required;
- providing a set framework and unified policy regarding the methods and procedures for the retention and destruction of documents;
- ensuring records that are no longer required or documents that are of no value are destroyed properly and in accordance with the data retention schedule; and
- providing assistance to employees in understanding the requirements relating to the protection of personal information and the retention and destruction of documents.
- PROCESSING CONDITIONS
- Anyone processing personal information must comply with the following eight processing conditions:
- Condition 1: Accountability;
- Condition 2: Processing Limitation;
- Condition 3: Purpose Specification;
- Condition 4: Further Processing Limitation;
- Condition 5: Information Quality;
- Condition 6: Openness;
- Condition 7: Security Safeguards; and
- Condition 8: Data Subject Participation.
- Condition 1: Accountability
- The Smile Foundation must ensure that the processing conditions are complied with.[1]
- The Smile Foundation has appointed an IO to encourage and support the Smile Foundation with overall compliance with POPIA.
- The IO is responsible for implementing personal information security measures, which will, among other things, address document retention, access to information and classification of data.
- The Smile Foundation will furthermore designate specific individuals to monitor compliance with information security standards within each business area.
- Training or awareness sessions for employees on information security will be conducted on a regular basis.
- Condition 2: Processing limitation
- Personal information may only be processed lawfully and in a manner that does not infringe on the privacy of a data subject.[2]
- Personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.[3]
- There are a number of grounds on which the Smile Foundation may process personal information. Consult the IO before you collect any new type of personal information.
- It is advisable to obtain voluntary, informed and specific consent from data subjects, where possible, before collecting their personal information.
- Personal information of children may only be processed with the consent of a competent person.[4] A competent person means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
- Special personal information, including health information, may only be processed under POPIA if there is a general authorisation[5] or special authorisation[6] to do so.
- A data subject may withdraw consent at any time and such withdrawal of consent must be recorded. A data subject may also object at any time, on reasonable grounds, to the processing of its personal information, unless other legislation provides for such processing. The Smile Foundation may then no longer process the personal information, unless it has another lawful justification for doing so.
- Generally, personal information must be collected from the data subject directly except in certain circumstances which may include if the data subject has made personal information public or if collection from another source is necessary.[7]
- Condition 3: Purpose specification
- Personal information may only be collected for specific, explicitly defined and lawful reasons relating to the functions or activities of the Smile Foundation, of which the data subject is made aware.[8]
- Personal information will only be collected to the extent that it is required for the specific purpose notified to the data subject. Any personal information which is not necessary for that purpose will not be collected in the first place.
- Once collected, personal information will only be processed for the specific purposes notified to the data subject when the personal information was first collected or for any other purposes specifically permitted by POPIA. This means that personal information will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the personal information is processed, the data subject will be informed of the new purpose before any processing occurs.
- Records of personal information may only be kept for as long as necessary for achieving the purpose for which the information was collected or subsequently processed, unless:[9]
- retention of the record is required or authorised by law;
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject or a competent person where the data subject is a child has consented to the retention of the record.
- Personal information will therefore not be kept longer than is necessary for the purpose for which it was collected. This means that personal information must be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form or be de-identified as soon as reasonably practicable after The Smile Foundation is no longer authorised to retain the record. For guidance on how long certain personal information is likely to be kept before being destroyed, contact the IO.
- Condition 4: Further processing limitation
- Further processing of personal information must be compatible with the purpose of collection, unless the data subject has consented to such further processing.[10]
- Where personal information is transferred to a third party for further processing, the further processing must be compatible with the purpose for which it was initially collected, unless the data subject has consented to such further processing or it is permitted in terms of POPIA.
- If personal information is to be used for any other purpose the further consent of the data subject must be obtained. Where this is not possible, the IO should be consulted.
- Condition 5: Information quality
- The Smile Foundation must take reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary in light of the purpose for which such information is collected.[11]
- Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal information at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date information will be corrected or destroyed.
- The IO will develop processes for:
- checking the accuracy and completeness of records containing personal information;
- dealing with complaints relating to the timeliness and accuracy of personal information;
- individuals to periodically verify and update their personal information;
- making individuals aware of these processes; and
- monitoring and tracking updates to personal information.
- The IO will furthermore put procedures in place to verify that records containing personal information remain relevant, accurate and up-to-date.
- Condition 6: Openness
- The Smile Foundation must take reasonably practicable steps to ensure that the data subject is aware of[12]:
- the information being collected and where the information is not collected from the data subject, the source from which it is collected;
- the name and address of the Smile Foundation;
- the purpose for which the information is being collected;
- whether or not the supply of the information by that data subject is voluntary or mandatory;
- the consequences of failure to provide the information;
- any particular law authorising or requiring the collection of the information;
- where applicable, the fact that the responsible party intends to transfer the information to a country or international organisation and the level of protection afforded to the information by that country or international organisation;
- any further information such as the recipient or category of recipients of the information, the nature or category of the information and the existence of the right of access to and the right to rectify the information collected;
- the existence of the right to object to the processing of personal information; and
- the right to lodge a complaint with the Regulator and the contact details of the Regulator,
which is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the data subject to be reasonable.
- By law all organisations in South Africa are required to have a PAIA manual, which outlines to the public:
- categories of personal information collected by the Smile Foundation;
- the purpose for which the Smile Foundation processes personal information;
- description of the categories of data subjects and of the information or categories of information relating thereto;
- the recipients or categories of recipients to whom the personal information may be supplied;
- planned transborder flows of personal information; and
- a general description of information security measures to be implemented by the Smile Foundation.
- Condition 7: Security safeguards
- The Smile Foundation will keep all personal information secure against the risk of loss, unauthorised access, interference, modification, destruction or disclosure and conduct regular risk assessments to identify and manage all reasonably foreseeable internal and external risks to personal information under its control.
- The Smile Foundation will secure the integrity and confidentiality of the personal information in its possession or under its control.
- In order to protect personal information The Smile Foundation has implemented the Worldwide Policies on Information Asset Protection.
- Duty in Respect of Operators
- Operators (i.e. third parties which may process personal information on behalf of the Smile Foundation) include call centres, outsourced payroll administrators, marketing database companies, recruitment agencies, psychometric assessment centres, document management warehouses, external consultants and software providers.
- The Smile Foundation will implement the following key obligations in respect of operators:
- the operator may not process personal information on behalf of the Smile Foundation without the knowledge and authorisation of the Smile Foundation;
- the Smile Foundation will ensure that the operator implements the security measures required in terms of Condition 7: Security Safeguards;
- there will be a written contract in place between the Smile Foundation and the operator which requires the operator to maintain the confidentiality and integrity of personal information processed on behalf of the Smile Foundation; and
- if the third party is located outside of South Africa, the Smile Foundation will comply with the requirements in POPIA in respect of transborder transfers of personal information.
- Duties in Respect of Security Compromises
- In the event that personal information has been compromised, or if there is a reasonable belief that a compromise has occurred, the Smile Foundation (or an operator processing personal information on its behalf) will, as soon as reasonably possible after discovery of the compromise, notify the Information Regulator and the relevant data subjects (if their contact details are available).
- Condition 8: Data subject participation
- The Smile Foundation recognises that a data subject has the right to request the Smile Foundation to confirm, free of charge, whether or not it holds personal information about the data subject, and to request the Smile Foundation to provide, at a prescribed fee (if any), a record or a description of the personal information held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information.[13]
- All Users will comply with the Smile Foundation’s subject access request policy and PAIA manual in respect of any access to personal information requests by data subjects.
- Request to Correct or Delete
- The data subject may request the IO to:
- correct or delete personal information relating to the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, misleading or obtained unlawfully; or
- destroy or delete a record of personal information about the data subject that The Smile Foundation is no longer authorised to retain.
- The Smile Foundation will provide credible proof to the individual of the action that has been taken in response to the request.
- If any changes to the personal information will have an impact on any decisions to be made about the individual, the Smile Foundation will inform all third parties to whom the information has been disclosed, including any credit bureaus, of such changes.
- FAIR AND LAWFUL PROCESSING
- POPIA is intended not to prevent the processing of personal information, but to ensure that it is done fairly and without adversely affecting the rights of the data subject.
- For personal information to be processed lawfully, certain requirements have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the responsible party or the party to whom the personal information is disclosed. In most cases when special personal information is being processed, the data subject’s explicit consent to the processing of such information will be required or that of a competent person where such data subject is a child.
- Personal information about Users may be processed for legal, personnel, administrative and management purposes and to enable the responsible party (i.e. the Smile Foundation) to meet its legal obligations as an employer, for example to pay Users, monitor their performance and to confer benefits in connection with their employment. Examples of when special personal information of Users is likely to be processed are set out below:
- information about an employee’s physical or mental health or condition in order to monitor sick leave and take decisions as to the employee’s fitness for work;
- the employee’s racial or ethnic origin or religious or similar information in order to monitor compliance with employment equity legislation; and
- in order to comply with legal requirements and obligations to third parties.
- Personal information about customers, suppliers and other third parties may be processed for the purposes set out in the Smile Foundation’s PAIA manual.
- TRANSBORDER TRANSFERS OF PERSONAL INFORMATION
- The Smile Foundation may not transfer personal information about a data subject to a third party who is in a foreign country unless:[14]
- the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that:
- effectively upholds principles for reasonable processing of the information that are substantially similar to the processing conditions; and
- includes provisions, that are substantially similar to those of POPIA, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
- the data subject consents to the transfer;
- the transfer is necessary for the performance of a contract between the data subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party; or
- the transfer is for the benefit of the data subject, and:
- it is not reasonably practicable to obtain the consent of the data subject to that transfer; and
- if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
- DIRECT MARKETING
- At the outset it should be noted that several provisions in POPIA draw a distinction between direct marketing by means of unsolicited electronic communications and direct marketing in person or by mail or telephone.
- “Direct marketing”, as defined in POPIA, means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
- promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- requesting the data subject to make a donation of any kind for any reason.
- “Electronic communication”, in turn, is defined as “[a]ny text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient” (our emphasis).
- When the Smile Foundation does direct marketing, it must provide data subjects with an opt-out. In addition, electronic direct marketing is stringently regulated under POPIA. The processing of personal information of a data subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines (i.e. machines that are able to make automated calls without human intervention),[15] facsimile machines, SMSs or e-mail, is prohibited unless the data subject:
- has given his, her or its consent to the processing in the prescribed manner and form set out in regulation 6 of the POPIA Regulations; or
- is a customer of The Smile Foundation, as defined in section 69 of POPIA.
This policy is reviewed regularly by the IO to ensure it is achieving its stated objectives.
[1] See section 6 of POPIA.
[2] See section 9 of POPIA.
[3] See section 10 of POPIA.
[4] See sections 34 and 35 of POPIA.
[5] See section 27 of POPIA.
[6] See section 32 of POPIA.
[7] See section 12 of POPIA.
[8] See section 13 of POPIA.
[9] See section 14 of POPIA.
[10] See section 15 of POPIA.
[11] See section 16 of POPIA.
[12] See section 18 of POPIA.
[13] See section 23 of POPIA.
[14] See section 72 of POPIA.
[15] See section 69(5) of POPIA.