Protection of Personal Information Policy

(POPI Act No 4 of 2013)

 

First Release

Table of Contents

  1. Introduction
  2. Definitions
  3. Scope
  4. Policy Statement
  5. Processing of Personal Information
  6. Eight Processing Conditions
  7. Operational Considerations
  8. Operating Controls
  9. Destruction of Documents


PROTECTION OF PERSONAL INFORMATION POLICY

 

Fitness Breakthru is committed to compliance with, and adheres to, the Protection of Personal Information Act (POPI) of South Africa, and confirms that it complies with this legislation.

1              INTRODUCTION

 

This policy and compliance framework establishes measures and standards for the protection and lawful processing of personal information within our organisation and provides principles regarding the right of individuals to privacy and to reasonable safeguarding of their personal information.

 

The Information Compliance Officer is responsible for:

All employees, departments and individuals directly associated with Fitness Breakthru are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Compliance Officer.

 

Any service provider that provides information technology services, including data storage facilities, to the company must adhere to the requirements of the POPI Act No 4 of 2013 (Gazette No 37067) to ensure adequate protection of the personal information held by them on our behalf. Written confirmation to this effect must be obtained from the relevant service providers.

 

2             DEFINITIONS

 

2.1          Personal Information

Personal Information is any information that can be used to identify a person. It relates to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company), and includes, but is not limited to, information concerning:

 

2.2          Data Subject

The data subject is the natural or juristic person to whom personal information relates, such as an employee, client, customer or a company that supplies the organisation with products or other goods.

 

2.3          Responsible Party

The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information.  In this case the company is the responsible party.

 

2.4          Information Compliance Officer

The Information Compliance Officer is responsible for ensuring the company’s compliance with POPIA and must be registered with the Information Regulator (South Africa), the body established under section 39 of POPIA.

 

 

3              SCOPE OF POLICY

The Policy applies to all Employees, Directors, Sub-Contractors, Agents and appointees, and covers both on-site and off-site processing of personal information.

 

4              POLICY STATEMENT

The Company collects and uses the personal information of the individuals and corporate entities with whom it works in order to operate and carry out its business effectively and lawfully, in compliance with POPI. The Company will ensure the lawful collection and processing of personal information in order to establish confidence between it and those individuals and entities and to maintain good business practice.

 

5              PROCESSING OF PERSONAL INFORMATION

5.1 Purpose of Processing

 

5.2 Types of Data Subjects

5.3 Recipients for processing of Personal Information

5.4 Trans-border Flows of Personal Information

5.5 Retention of Personal Information Records

 

Records of personal information will be stored and retained only to the extent permitted by law.

 

5.6 Information Security Measures

 

The Company makes use of the following methods to ensure the confidentiality, security, integrity and availability of the Personal Information in its care:


6              EIGHT PROCESSING CONDITIONS

 

Principle 1: Accountability

Principle 2: Processing Limitation

 

2.1        Processing of Personal Information is only lawful if one of the following applies:

 

Personal Information is defined by the Protection of Personal Information Act (the Act) as:

“means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— (a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views or preferences of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; (g) the views or opinions of another individual about the person; and (h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.

 

Principle 3: Limitation on further processing

 

3.1          Personal information may not be processed further in a way that is incompatible with the purpose for which it was initially collected. The Information Compliance Officer will monitor the collection of personal information for employment purposes, and such information will be used only for that purpose.

 

Principle 4: Purpose Specification

The Company will only process Personal Information for the specific purposes set out in section 5.1.

 

Principle 5: Information quality

 

5.1          The Information Compliance Officer is responsible for ensuring that personal information is complete, up to date and accurate before we use it. This means that it may be necessary to ask employees, customers and suppliers from time to time to update their information and confirm that it is still relevant. If we are unable to reach a data subject for this purpose, their information will be deleted from our records.

 

Principle 6: Transparency/openness

 

6.1          Where personal information is collected from a source other than directly from the employee (e.g. social media or portals), we are responsible for ensuring that the employee is made aware of:


Principle 7: Security safeguards

 

7.1          The Information Compliance Officer will ensure that appropriate technical and organisational measures are in place to secure the integrity and confidentiality of personal information and to guard against the risk of its loss, damage or destruction. Personal information must also be protected against any unauthorised or unlawful access or processing. We are committed to ensuring that information is used only for legitimate purposes, with the data subject’s consent, and only by authorised employees of Fitness Breakthru.

I.T. / Server requirements

 

Principle 8: Participation of individuals

 

8.1          Data Subjects are entitled to know the particulars of the personal information we hold about them, as well as the identity of any authorised employees of Fitness Breakthru who have had access to it. They are also entitled to have any information held by us corrected.

 

7              OPERATIONAL CONSIDERATIONS

 

Monitoring

Management and the Information Compliance Officer are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes. All employees, subsidiaries, departments and individuals directly associated with us are to be trained, according to their functions, in the regulatory requirements, policies and guidelines that govern the protection of personal information. We will conduct periodic reviews and audits, where appropriate, to ensure compliance with this policy and guidelines.

 

8              OPERATING CONTROLS

We shall establish appropriate standard operating procedures that are consistent with this policy and regulatory requirements. These will include:


9              DESTRUCTION OF DOCUMENTS