PROTECTION OF PERSONAL INFORMATION POLICY POP 001

NOSA
Date: 30/04/2018
PROTECTION OF PERSONAL
Rev.:
INFORMATION POLICY

POP 001

THE VALUE STATEMENT OF NOSA:

 Honesty and integrity

 Client focus
 Accountability
 Quality and excellence
 Pride and respect
 Safety and social responsibility

1. INTRODUCTION
The Company recognises the constitutional rights of a person/s to privacy and acknowledges that it is of the
utmost importance, as required by law, to protect the personal information pertaining to the relevant parties
concerned.

The danger of invading a person’s privacy and the abuse of personal information has been considered and
acknowledged internationally and precautionary measures to protect this confidential information has been
documented to be of assistance in the regulation hereof. For this specific reason, Parliament established
legislation to address this matter. The Company undertakes to respect and protect the privacy of all persons
who are associated with this company whether they are employees of this company or persons who are
business partners or other entities, who for various reason of interest, are related to the Company.

2. POLICY AND SCOPE

The contents of this policy is applicable to all employees of the Company, and has been introduced in order
to encourage the protection and confidentiality of all personal information that has been made available to
the Company by employees or any consumer/client or any party who has disclosed any information of a
private or business nature, for the sole intention of employment, business transactions, contracts or
communication and will be deemed to be necessary for the records pertaining to the Company.

The information officer is the custodian of this policy, as it is the responsibility of the information officer to
ensure that this policy is incorporated and implemented in the various divisions of the Company, and that
workshops and training is provided to all parties concerned regarding the contents of the Protection of
Personal Information Act (PoPIA).

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 1 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

This policy applies to all permanent and temporary positions held by persons within the Group and is
applicable to all temporary and permanent employees. The Company will make employees aware of this
procedure by discussing it during induction sessions, and by distributing it to the workforce by making it
available on the Company’s electronic equipment and stored under the Q-drive.

However, it remains the duty and responsibility of all employees to make themselves aware of, and to
familiarise themselves with, the content and application of this document.

3. PURPOSE
3.1 The purpose of this policy is to incorporate the requirements of the Protection of Personal
Information Act (4/2013) (hereafter referred to as ‘PoPIA’) into the daily operations of the Company
and to ensure that these requirements are documented and implemented in the business processes.

3.2 The objective of this policy is to ensure the constitutional right to privacy, with regards to:

i. the safeguarding of personal information;

ii. the regulation and processing of personal information;
iii. the execution of the prescribed requirements for the legal processing of personal information;
and
iv. the protection of free flow of personal information.

3.3 The Company and its employees shall adhere to this policy concerning the management of all
personal information received from, but not limited to natural persons, employees, clients, suppliers,
agents, representatives and partners of the Company, to ensure compliance is applied to this Act and
the applicable regulations and rules relating to the protection of personal information is adhered to.

4. DEFINITIONS
Concept Definition
Act Protection of Personal Information Act (4/2013)
Automated Any equipment capable of operating automatically/independently in
response to instructions being executed, for the purposes of processing
information
Company The NOSA Group consists of NOSA (Pty) Ltd, Aspirata, NAIS, NQA, NOSA
Logistics
Data subject The person to whom the personal information is relative to
Direct marketing To approach/contact a data subject, either in person or by mail or
electronic communication, for the direct or indirect purpose of –
promoting or offering to supply, in the ordinary course of business, any
goods or service to the data subject; or requesting a donation of any sort
and for any reason from the data subject
Information officer The head of a private body as contemplated in Section 1, contained in the
Promotion of Access to Information Act (PAIA)

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 2 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

Personal information Information relating to an identifiable, living, natural person, and where it
is applicable, an identifiable, existing juristic person, including, but not
limited to – information relating to the race, gender, sex, pregnancy,
marital status, national, ethnic or social origin, colour, sexual orientation,
age, physical or mental health, wellbeing, disability, religion, conscience,
belief, culture, language and birth of the person; information relating to
the education or the medical, financial, criminal or employment history of
the person; any identifying number, symbol, e-mail address, telephone
number, location information, online identifier or other particular
assignment to the person; the biometric information of the person; the
personal opinions, views or preferences of the person; correspondence
sent by the person that would reveal the contents of the original
correspondence; the views or opinions of another individual regarding the
person; and the name of the person if it appears with other personal
information relating to the person or if the disclosure of the name itself
would reveal information about the person
Record Any recorded information in whatever form in possession or under the
control of the responsible party
Regulator the information regulator established in terms of the Act
Responsible party A public or private body or any other person which, independently or in
conjunction with others, determines the purpose of and means for
processing personal information (typically, but not always, the collector of
information)
PAIA Promotion of Access to Information Act (2/2000)
PoPIA Protection of Personal Information Act (4/2013)

5. PROVISION
5.1 The Company acknowledges that it is mandatory to comply with the provisions of the Protection of
Personal Information Act; (PAIA)

5.2 There are eight (8) conditions that shall apply, and which are relevant for the lawful processing of
personal information:

i. Accountability;
ii. Processing limitation;
iii. Purpose specification;
iv. Further processing limitation;
v. Information quality;
vi. Transparency (honesty and integrity);
vii. Security safeguards; and
viii. Data subject participation.

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 3 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

6. CONSIDERATIONS
6.1 Processing of Personal Information:

6.1.1 The procedure of processing the personal information, refers to the collection, recording,
organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means
of transmission, distribution or making available in any other form, merging, linking, including
inaccessibility, erasure or destruction of personal information.

6.1.2 Personal information collected by the Company and/or any of its representatives or subsidiaries, will
not be collected directly from the data subject, unless:

i. The information is contained or derived from a public record or has deliberately been made
public by the data subject.
ii. The data subject or a competent person where the data subject is a minor, has consented, to the
collection of the information from another source.
iii. Collection of the information from another source would not prejudice a legitimate interest of
the data subject.
iv. Collection of the information from another source is necessary to avoid prejudice to the
maintenance of the law by any public body, including the prevention, detection, investigation,
prosecution and punishment of offences; to comply with an obligation imposed by law or to
enforce legislation concerning the collection of revenue; for the conduct of proceedings in any
court or tribunal that have commenced or are reasonably contemplated; in the interest of
national security; or to maintain the legitimate interests of the Company or of a third party to
whom the information is supplied.
v. Compliance would prejudice a lawful purpose of the collection.
vi. Compliance is not reasonably practicable in the circumstances of that instance.

6.1.3 Personal information must only be collected for a specific, explicitly, defined and lawful purpose,
related to the function or activity of the Company.

6.1.4 Ensure that the data subject is aware of what information is collected prior to the collection thereof.

6.1.5 Ensure the data subject, or should the individual be a minor, a competent person in this instance
then consents to the collection of personal information.

6.1.6 Inform the data subject what the purpose is for the collection of this information and inform the data
subject regarding:

i. whether the information to be collected is a voluntary or mandatory function to be performed;

ii. the consequences of the matter for the data subject should they fail to provide the information;
iii. whether it is ascertained that a legal authority requires the collection of the information for their
records;
iv. whether this information needs to be transferred to another source;
v. whether the Company intends to transfer the information to any other country outside the
borders of the Republic of South Africa or international organisation and disclose the level of
protection regarding the personal information which can be expected from this country or
international organisation.

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 4 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

6.1.7 Ensure that the personal information is complete, accurate, not misleading and is updated from time
to time;

6.1.8 Ensure that the information which is collected is not excessive. To collect solely the information
which is necessary for the company, which it requires to execute its functions or in the interests of a
third party, where the information will be provided to them;

6.1.9 To undertake to regard personal information as strictly private and confidential and not to disclose
it to any other party, unless required by law to take this course of action, or the consideration of the
correct performance of the company’s duties and tasks;

6.1.10 The Company, will take responsibility to keep on record all the appropriate documentation of all
processing operations.

7. ADDITIONAL PROCESSING PROCEDURES REGARDING PERSONAL INFORMATION:

7.1 The Company undertakes to ensure that any additional processing of personal information will be in
accordance for the purpose for which it was collected;

7.2 To assess whether any additional processing is in accordance with the purpose of collection, the
following detail should be considered:

i. The relationship between the purpose of the intended additional processing and the purpose or
intention for which the information was collected;
ii. The nature of the information concerned;
iii. The consequences of this action for the data subject regarding the intention of processing
additional information;
iv. The manner/method in which this information was collected; and
v. Any contractual rights and obligations between the parties.

8. RETENTION AND RESTRICTION OF RECORDS

8.1 Records of personal information should not be retained for longer periods than is necessary for
achieving the purpose for which the information was collected, unless:

i. the retention of a record is required or authorised by law;

ii. the Company, reasonably requires a record for legal purposes related to its functions or activities;
iii. retention of a record is required by a contract between the parties thereto; or
iv. the data subject or a competent person where the data subject is a minor and has consented to
the retention of a record.

8.2 The Company will destroy or delete a record of personal information as soon as it is reasonably
practical once it has no further authority to retain a record for a further period;

8.3 The deletion of a record of personal information should be processed in a manner that prevents its
reconstruction in an intelligible/understandable form;

8.4 In the event where the Company uses a record of personal information from a data subject to arrive
at a conclusion regarding various aspect pertinent to the data subject, the following will be necessary:

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 5 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

i. Retain the record for such period as may be required or prescribed by law or a code of conduct;
or
ii. If there is no law or code of conduct prescribing a retention period, retain the record for a period
that will afford the data subject a reasonable opportunity in which to request access to the record,
taking all considerations relating to the use of the personal information into account.

8.5 The Company will restrict the processing of personal information if:

i. its accuracy is contested by the data subject, for a period enabling the Company to verify the
accuracy of the information;
ii. the Company no longer requires the personal information for achieving the purpose for which it
was collected or subsequently processed, but is required to maintain/retain it for purposes of
proof or record keeping purposes;
iii. the processing is unlawful, and the data subject opposes its destruction or deletion and
alternatively requests the restriction of its use; or
iv. the data subject requests that the personal data be transmitted or transferred to another
automated processing system.

8.6 Personal information that has been restricted may only be processed for purposes of proof, or
processed with the data subject’s consent, or with the consent of a competent person where the
data subject is a minor, or for the protection of the rights of any other natural or legal person, or if
such processing is in the public interest.

8.7 Where personal information is restricted, the Company will inform the data subject prior to the
termination of the restriction.

9. SECURITY SAFEGUARDS
9.1 The Company will secure the integrity and confidentiality of personal information in its possession or
under its control by taking appropriate, reasonable, technical and organisational measures to prevent
loss of, damage to, or unauthorised destruction of personal information; and unlawful access to or
processing of personal information;

9.2 The Company will take responsible measures to:

i. identify all reasonable predictable internal and external risks to personal information in its
possession or under its management;
ii. establish and maintain appropriate safeguards against the risks identified;
iii. regularly verify that the safeguards are effectively implemented; and
iv. ensure that the safeguards are continually updated in response to new risks or deficiencies in
previously implemented safeguarding methods.

9.3 The Company will have due regard to generally accepted information security practices and
procedures which may apply to it generally or be required in terms of specific industry or professional
rules and regulations.

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 6 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

10. SECURITY COMPROMISES

10.1 Where there are reasonable grounds to believe that the personal information of a data subject has
been accessed or acquired by any unauthorised person, the information officer should be contacted
immediately.

10.2 The information officer is required to notify the information regulator and the data subject.

10.3 The notification of a breach of confidentiality should be declared as soon as is reasonably possible
upon the discovery of the compromise.

10.4 The information officer needs to provide sufficient information to the data subject which will enable
the data subject to take protective measures against the potential consequences of the compromise.

11. RIGHTS OF THE DATA SUBJECT

11.1 The data subject, or competent person where the data subject is a minor, may withdraw his, her or
its consent to procure and process his/her or its personal information, at any time, providing that the
processing of the personal information was performed legally, prior to the request for the withdrawal.

11.2 A data subject, having provided adequate proof of identity, has the right to:

i. request the Company to confirm, free of charge, whether it holds personal information regarding
the data subject; and
ii. request from the Company a record or a description of the personal information relevant to the
data subject held by the Company, including information regarding the identity of all third parties,
or categories of third parties, who have, or have had, access to the information.

11.3 This must be processed within a reasonable period, at a fee prescribed as determined by the
Information Officer, in a reasonable manner and format and in a form that is generally
understandable.

11.4 A data subject may request the Company, to correct or delete personal information in its possession
or under its management which is inaccurate, irrelevant, excessive, out of date, incomplete,
misleading or has been obtained illegally.

11.5 A data subject may request the Company to destroy or delete their record of personal information.
This must be processed only if it is permissible and has been approved by the Information Officer.

12. MONITORING AND ENFORCEMENT

12.1 All employees will be responsible for administering and overseeing the implementation of this policy
including the supporting of guidelines, standard operating procedure, notices, consents and
appropriate related documents and processes.

12.2 Employees who violate the guidelines and standard operating procedures of this policy may be
subjected to disciplinary action, being taken against him/her.

12.3 The point of contact for requests, disclosures, questions, complaints and any other inquiries relating
to the processing, collection, or re-identifying of personal information shall be directed to the
information officer or deputy information officer(s).

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 7 of 8
personal
information
 PROTECTION OF PERSONAL INFORMATION POLICY POP 001

13. SPECIFIC INFORMATION PERTAINING TO THIS POLICY

13.1 The Company must ensure that the disciplinary code (reference code LRP 001) is amended
accordingly to include any violation of this policy.

13.2 The Company must appoint an information officer and a deputy officer/s who will be responsible for
the management of this division.

13.3 The Company will ensure that the information officer and the deputy information officer/s receive
the appropriate training with regard to the execution of their duties and responsibilities, in terms of
the provisions of PoPIA and PAIA.

Name of Policy Reference no: Revision no: Date Drafted / reviewed Responsible person Page
Protection of POP 001 0 April 18 Drafted HR Consultant Page 8 of 8
personal
information