Protection of Personal Information Policy
Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. The right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. With this in mind, the Protection of Personal Information Act was introduced.
The POPI Act requires us, as a Non-Profit Organisation, to protect our information assets from threats, whether internal or external, deliberate or accidental.
The purpose of this policy is to enable Blessed Gerard’s Care Centre to:
- Comply with the law in respect of the data it holds about individuals.
- Follow good practice.
- Protect Blessed Gerard’s Care Centre staff and other individuals.
- Protect the organisation from the consequences of a breach of its responsibilities.
This policy and compliance framework establishes measures and standards for the protection and lawful processing of information of natural persons, juristic persons and legal entities within our organisation, and provides principles regarding the right of individuals to privacy and to reasonable safeguarding of their Personal Information.
The Act requires that an Information Officer be appointed. The General Manager of Blessed Gerard’s Care Centre will hold this position.
The Information Officer is responsible for:
- The development, implementation and monitoring of this policy and compliance framework.
- Ensuring that this policy is supported by appropriate documentation.
- Ensuring that documentation is relevant and kept up to date.
- Ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable.
- Ensuring that appropriate policies and controls are in place to maintain the quality of Personal Information.
- Ensuring that appropriate security safeguards for Personal Information, in line with the POPI Act, are in place.
- Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act.
All employees, departments and individuals are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Officer.
There are eight Principles defined within the Act which must be addressed to be compliant. These are well-accepted attributes which are adopted throughout South Africa as the guidelines for a successful POPIA implementation:
Principle 1: Accountability
Blessed Gerard’s Care Centre will take reasonable steps to ensure that all processing conditions relating to the collection of Personal Information from employees, volunteers, contractors or service providers, prospective contractors or service providers, prospective employees and patients are complied with, and that such information is stored safely and securely in accordance with the POPI Act. For ease of reference, these groups will be termed “Data Subjects” for the purposes of this policy.
Principle 2: Processing Limitation
The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant and not excessive.
- Blessed Gerard’s Care Centre will only collect and process information where absolutely necessary.
- Blessed Gerard’s Care Centre undertakes to gain written consent from Data Subjects where appropriate.
- Blessed Gerard’s Care Centre will collect Personal and Business Information directly from the above stipulated groups where possible.
- Once information is in Blessed Gerard’s Care Centre’s possession, we will only process or release it with the Data Subject’s consent, except where we are required to do so by law. In the latter case we will always inform the business or person.
Principle 3: Purpose Specification
Blessed Gerard’s Care Centre will only collect and process information for a specific purpose as set out and defined above.
- Blessed Gerard’s Care Centre will collect Personal and Business Information from Data Subjects to enable us to maintain mandatory human resources records, financial and legal records, medical records and prospective employment records.
- Where any information or media is used on the Brotherhood of Blessed Gerard’s website, prior permission for its use will be obtained from any party referred to or depicted.
- The organisation has in place retention periods for any data collected.
Principle 4: Further Processing Limitation
Personal Information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially. Blessed Gerard’s Care Centre collects Personal Information for specific reasons, as stated above, and it will only be used for that purpose.
Personal Information may only be further processed if:
- The Data Subject has consented to the further processing.
- Personal Information is contained in a public record.
- Personal Information has been deliberately made public by the Data Subject.
- Further processing is necessary to maintain, comply with or exercise any law or legal right.
- Further processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party.
Principle 5: Information Quality
Blessed Gerard’s Care Centre shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and updated. Blessed Gerard’s Care Centre shall periodically review Data Subject records to ensure that the Personal Information is still valid and correct.
- Blessed Gerard’s Care Centre is responsible for ensuring that all information collected is complete, up to date and accurate before we use it. This means that it may be necessary to request information from all relevant parties, from time to time, to update records and confirm that it is still relevant.
- Systems are in place to encourage and facilitate the entry of accurate Personal Information.
- Personal Information on any Data Subject will be held in as few places as possible.
- Plans are in place to ensure that when any information changes with regards to a Data Subject, systems are updated.
- All information will be stored securely and irrelevant or unneeded Personal Information will be deleted or destroyed.
Principle 6: Transparency / Openness
Blessed Gerard’s Care Centre will follow a policy of total transparency.
- Where any information is collected and processed the Data Subject will be made aware of the source of the information, what information has been collected and the purpose of collection and processing.
- The Data Subject will be made aware whether the supply of Personal Information is mandatory or voluntary, and of the consequences of providing such information.
- The Data Subject will be made aware when the collection of Personal Information is a mandatory requirement of law.
- The Data Subject will be made aware if any Personal Information is requested or needs to be shared with a third party.
Principle 7: Security Safeguards
Blessed Gerard’s Care Centre will identify all reasonably foreseeable risks to information security and establish and maintain appropriate safeguards against such risks by ensuring technical and organisational measures are in place to secure and control the integrity of all Personal and Business Information. Measures are also in place to guard against the risk of loss, damage or destruction of Personal and Business Information. Personal Information and Business Information will also be protected against any unauthorised or unlawful access or processing. Blessed Gerard’s Care Centre is committed to ensuring that information is only used for legitimate purposes with consent and only by authorised employees of Blessed Gerard’s Care Centre.
- All written records are kept in secure areas and, when in use, will not be left unattended. If left unattended, all Personal Information must be secured by locked doors.
- All electronic records must be saved to the Dataserver and not kept on local hard drives where reasonably practicable.
- All electronic equipment which holds Personal Information must be password protected.
- All CCTV camera footage is stored on the Digital Video Recorder (DVR) for a three week period before being overwritten.
- All Biometric data is safely secured on the Process-server.
- Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer and action taken.
Principle 8: Participation of Individuals
Data Subjects are entitled to know the particulars of their Personal Information held by us, as well as the identity of any authorised employees of Blessed Gerard’s Care Centre who have access thereto. Data Subjects have the right to request access to, amendment of, or deletion of their Personal Information, where appropriate, through the correct channels. Blessed Gerard’s Care Centre will not disclose any Personal Information to any authorised party unless the identity of that party has been verified.
Blessed Gerard’s Care Centre will adhere to the legislation with regard to the processing of Special Personal Information, which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or lifestyle, or biometric information of a Data Subject. Special Personal Information also includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences. Unless a general authorisation, or alternatively a specific authorisation relating to the particular type of Special Personal Information, applies, a responsible party is prohibited from processing Special Personal Information.
Blessed Gerard’s Care Centre will adhere to the legislation regarding the processing of Personal Information of Children. This applies to under-18 individuals, so an age check is required for all Personal Information records. General authorisation concerning Personal Information of Children only applies where under-18s are involved.
The Management of Blessed Gerard’s Care Centre and Information Officer are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents and appropriate related documents and processes. All employees, departments and individuals directly associated with us are to be trained, according to their functions, in the regulatory requirements, policies and guidelines that govern the Protection of Personal Information. Blessed Gerard’s Care Centre will conduct periodic reviews and audits, where appropriate, to ensure compliance with this policy and guidelines.
Blessed Gerard’s Care Centre shall ensure that appropriate standard operating procedures, consistent with this policy and regulatory requirements, are in place. These will include:
- Allocation of information security responsibilities.
- Incident reporting and management.
- Information security training and education.
Any breach of this policy may result in disciplinary action and possible termination of employment.