POPI Compliance with a Member Management System and a Learner Management System

What is POPI?

The Protection of Personal Information act, otherwise known as POPI, is a piece of legislation designed to protect any private information of a data subject which is collected, processed, stored or shared by a responsible party by holding said responsible parties accountable if they abuse or compromise the data subject's private information in any way (for all you nitwits that means you and me). The Act is It is meant to to strike a balance between the right to privacy and the need for the free flow of, and access to information, and to regulate how personal information is processed.

POPI marks your information to be ‘precious goods’ and therefore aims to bestow upon you as the owner of your personal information, certain rights of protection and the ability to exercise control over the following:

- when and how you choose to share your personal information (requires your consent)
- the type and extent of information you choose to share (must be collected for valid reasons)
- transparency and accountability on how your data will be used (limited to the purpose) and notification if/when the data is compromised
- providing you with acc ess to your own information as well as the right to have your data removed and/or destroyed should you so wish
- who has access to your information, i.e. there must be adequate measures and controls in place to track access and prevent unauthorised people, even within the same company, from accessing your information
- how and where your information is stored (there must be adequate measures and controls in place to safeguard your information to protect it from theft, or being compromised)
- the integrity and continued accuracy of your information (i.e. your information must be captured correctly and once collected, the institution is responsible to maintain it) ‘Information’ in this context is any information related to a data subject that can be used directly or indirectly to identify that person.

Examples of ‘personal information’ for an individual will include:

- Identity and/or passport number
- Date of birth and age
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, Race and Ethnic origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/Relationship status and Family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information including medical history, blood type, details on your sex life
- Membership to organisations/unions

It must however be noted that some personal information, on its own, does not necessarily allow a third party to confirm or infer someone’s identity to the extent that this information can be used for other purposes. The Act defines a ‘unique identifier’ as data that “uniquely identifies that data subject in relation to that responsible party. As such the combination of someone’s name and phone number and/or email address for example is a lot more damaging than just a name or phone number on its own. It is important to note, that the law not only covers people, but also any legal entity, including companies and also communities or other legally recognised organisations. All of these entities are considered to be ‘data subjects’ and afforded the same right to protection of their information.

Who WIll POPI Affect?

The Act applies to all organizations that store, collect or process personal information, unless those records are subject to other legislation which protects such information more stringently. As a company this would include protecting information about your employees, suppliers, vendors, service providers, business partners, etc.

Is the POPI Act Unique to South African Law?

The POPI ACt is not unique to south African law, but borrows from the best of similar international laws, learning from their mistakes and shortcomings, many countries have similar legislation to protect the personal information of data subjects.

When Will POPI Become Effective?

Although POPI was signed into law on 26 November 2013, and in April 2014 certain sections of the Act came into force (sections dealing with the appointment of the administrative body, the Information Regulator and the sections empowering the Minister and the Information Regulator to make regulations as regards the implementation of the Act), it is not yet effective as  a commencement date has not yet been established. Once a commencement date has been established companies will have 12 months to comply.

Why You Should Comply with POPI Legislation?

Incorporating PoPI into the day-to-day operations of a business will most likely require a significant amount of time and effort, including: educating and training staff, updating business processes and implementing or updating technology solutions but it is critical for organisations that process personal information of employees, customers or other juristic persons (companies, trusts and so on) to implement organisation-wide privacy initiatives in order to comply with the conditions of the Act because not only do we now live in an information age where along with the progress comes the responsibility and accountability in the way each person and entity handles data, but also consider that you could be breaking the law by doing something as simple as synchronising your contacts on your phone, sending an email with sensitive content, taking/sharing a video or photo or using an international mail provider, and ignorance of the law will be no excuse.

How Intoweb will Comply with POPI in Accordance with Member Management Systems and Learner Management Systems? 

Introduction and Overview

In compliance with POPI, Intoweb has these roles and responsibilities:

• We are the responsible party regarding the client’s personal information, such as email addresses, phone numbers, billing details, and other information used to do business with clients.

• We are the service provider, or operator regarding the personal information that the client provides in the form of a database, distribution list, or the like

This policy applies to the sole proprietor or key individuals, subsidiaries, business units and representatives and staff of Intoweb and all the above mentioned are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Officer. The external individual(s) who is (are) contracted to handle the information technology of Intoweb, must adhere to the same information security as that of Intoweb, and will confirm  by separate agreement that they have such security measures in place in respect of processing of personal information.

The Information Officer is responsible for:

• The development and upkeep of this policy

• Ensuring this policy is supported by appropriate documentation

• Ensuring that documentation is relevant and kept up to date

• Ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable.

Compliance

Intoweb is compliant with the following:

• Protection of Personal Information Act(POPI)

• CPA Section 11

• Electronic Communications Act of 2002 (ECT)

Key Policy Principles

Accountability and Security - Intoweb takes steps to ensure data collected is treated with the highest care according to regulation and see to it that technical and organisational measures   are put into place to keep your personal information safe against risks such  as  loss, unauthorized access, destruction, use, amendment or disclosure of personal information.

Processing Limitation - Intoweb will collect personal information only by lawful and fair  means. Once in our possession we will only process or release data subject information with their consent, except where we are required to do so by law. In the latter case we will always inform the data subject.

Purpose - Intoweb will only collect personal information in a manner compatible with the purpose for which it was collected

Limit on Further Processing - Intoweb will only process information in a way that is compatible with the purpose for which the information was collected initially

Information Quality - Intoweb strives to keep personal information accurate, complete, up to date and reliable for its intended use, this means that it may be necessary for us to request data subjects, from time to time, to update their information and confirm that it is still relevant

Transparency - Intoweb will be transparent with regards to the standard operating procedures governing the collection and processing of personal information. Where personal information is collected from a source other than directly from a data subject ie Social media, portals, we will inform you that your information is collected and why your information is being collected. If you cancel your services with us we will delete your personal information, except for statistics which we store in a de-identified and aggregated manner.

Choice and Consent - Intoweb will not contact/solicit you unless you have given us your consent to do so

Access - Intoweb give you access to any of your personal information that you request relating to you, where applicable, except where unlawful.

Participation of data Subjects and Information Requests.

Candidates are entitled to know particulars of their personal information held by us, as well as the identity of any authorised employees of our agency that had access thereto. They are also entitled to correct any information held by us. If their personal information changes or they no longer desire to use or access our services, Intoweb encourages them to correct, update, or remove their personal information they provided. This can be done by contacting us. In the event that a data subject would like access to their data, requests should be submitted to us in writing. Requests for personal information will be handled in accordance with the POPI Act.

Monitoring

The management and Information Officer of Intoweb, are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and  processes. The company and key individuals, representatives and staff of Intoweb are to be trained according to their functions in regulatory requirements, policies and guidelines that govern the protection of personal information Intoweb, will conduct periodic reviews and audits, where appropriate, to demonstrate compliance with privacy regulation, policy and guidelines.

Operating Control

Intoweb, shall establish appropriate privacy standard operating controls that are consistent  with this policy and regulatory requirements. This will include:

• Allocation of information security responsibilities.

• Incident reporting and management.

• User ID addition or removal.

• Information security training and education.

• Data backup.   

Changes to This Policy

If we make any material changes, we will notify you by email or by providing the revised privacy policy in your account within Everlytic. Your continued use of our services following the update means that you accept Intoweb’s updated POPI Compliance & Security Policy.

Policy Compliance

This policy is implemented by Intoweb, and will be adhered to by the company and all key individuals, representatives and staff who are tasked with collecting and processing of personal information. Any breach of this policy may result in disciplinary action and possible termination of employment.