Protection of Personal Information Policy
1. Introduction
Calitz Crockart & Associates Inc (“the firm”) recognises the Constitutional right to privacy and acknowledges its obligation to protect the personal information pertaining to relevant parties, as enshrined in the Protection of Personal Information Act 4 of 2013 (“POPIA”), and its regulations.
POPIA requires the firm to inform data subjects as to how their personal information is obtained, processed, disclosed and destroyed.
The contents of this Policy shall be applicable to all directors, employees and partners of the firm and have been introduced in order to ensure, maintain and promote the protection of all personal information that has been made available to the firm by, but not necessarily limited to, natural persons, employees, clients, suppliers, agents, job applicants and representatives of the firm.
The Information Officer shall be the custodian of this Policy, and shall accordingly be responsible for its incorporation and implementation.
The firm undertakes to ensure that its directors, employees and partners are made aware of the provisions of POPIA; however, it remains the duty of all persons in the firm to familiarise themselves with the content and application of this Policy.
A copy of this Policy shall be made available on the firm’s website at www.calitzcrockart.co.za and should be read in conjunction with the firm’s Privacy Notice, which is also available on the firm’s website.
2. Purpose
The purpose of this policy is to promote awareness of the provisions of POPIA, to incorporate the provisions of POPIA into the operations of the firm and its business processes, and to provide clarity on, amongst other things:
2.1. The definition and types of personal information (which includes information such as analytics information, applicant information, bank information, communications information, employee information, enquiry information, marketing information, message information, service information and supplier information);
2.2. The safeguarding of personal information;
2.3. The regulation and processing of personal information;
2.4. The rights of data subjects in relation to personal information; and
2.5. The prescribed legal requirements for the protection and processing of personal information.
3. Interpretation and Definitions:
In this Policy:
3.1. Clause headings are for convenience and reference only and shall not affect the interpretation thereof;
3.2. Unless inconsistent with the context, words relating to gender shall include the other gender, words relating to the singular shall include the plural and vice versa, and words relating to natural persons shall include associations of persons having corporate status by statute or common law;
3.3. Any annexures to this policy shall be incorporated herein and shall have the same force and effect as if they were set out in the body of this Policy;
3.4. The following words and/or phrases hereinbefore and/or hereinafter set out shall bear the meaning below:
3.4.1. “Analytics information” means personal information provided by data subjects when our website is accessed which includes (but is not limited to) the data subject’s IP address, the date and time that the website was accessed and the web browser that was used when accessing the website.
3.4.2. “Applicant information” means personal information supplied to our offices by job applicants, which information includes (but is not necessarily limited to) names, identity and passport numbers, contact details such as phone numbers, email, physical and other addresses, education and employment history, race and gender information.
3.4.3. “Bank information” means personal information that is necessary to open bank accounts and receive and process payments through banking institutions.
3.4.4. “Claims information” means any personal information identified in this policy which is used by us to establish, investigate, exercise or defend claims by or against us in any forum.
3.4.5. “Communication information” means personal information provided when a data subject communicates with us which may include (but is not necessarily limited to) the data subject’s name and contact information, the contents of the communication and related metadata if such communication is made by accessing our website.
3.4.6. “Data subject” means the person to whom the personal information relates.
3.4.7. “Employee information” means personal information relating to our partners, employees, their family members and beneficiaries which includes information such as, but not necessarily limited to, names, identity and passport numbers, contact details such as phone numbers, email, physical and other addresses, information contained in communications relating to our partners’ partnerships, employees’ employment, information pertaining to employment and educational information, financial information (such as banking details), marital status and children, race, gender, tax information and biometric information.
3.4.8. “Enquiry information” means enquiries made by data subjects regarding our services.
3.4.9. “Information officer” means the head of a private body as contemplated in section 1 of the Promotion of Access to Information Act, 2000.
3.4.10. “Marketing information” means personal information provided by data subjects should a data subject subscribe to our newsletter or marketing communications.
3.4.11. “Message information” means personal information provided to us by data subjects in order to communicate with them by SMS or Whatsapp.
3.4.12. “Personal information” means information relating to an identifiable, living, natural person and where applicable, an identifiable, existing juristic person, including but not limited to, information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or medical, financial, criminal or employment history of a person; any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that would reveal the contents of the original correspondence; the views or opinions of another individual regarding the person; the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
3.4.13. “Processing” is any activity or set of operations concerning personal information and includes the collection, receipt, capturing, collation, storage, updating, retrieval, alteration or use of information; the dissemination of information by means of transmission, distribution or making available in any other form; and the merging, linking, erasure or destruction of information.
3.4.14. “Risk information” means personal information identified in this policy to be utilised where necessary in order to conduct audits, obtain expert advice and to identify and manage risks.
3.4.15. “Responsible party” means a public or private body or any other person which, independently or in conjunction with others, determines the purpose of and means for the processing of personal information, and is usually (but not always) the collector of such information.
3.4.16. “Service information” means information based on the legal services we provide, and will include information such as, but not necessarily limited to, names, identity and passport numbers, contact details such as phone numbers, email, physical and other addresses, registration and VAT numbers, marital status, employment history, and information contained in communications with our clients and other parties which relate to our services, our details (including our banking details).
3.4.17. “Supplier information” means personal information relating to our suppliers of goods and services, which includes, but is not necessarily limited to, names, identity and passport numbers, registration and VAT numbers, contact details such as phone numbers, email, physical and other addresses and financial information such as banking details.
4. The Rights of Data Subjects:
The firm undertakes to ensure that data subjects are made aware of their rights when it comes to their personal information, and with specific regard to the following:
4.1. The right to request and access personal information: Data subjects have the right to request the firm to confirm, free of charge, whether the firm holds any of their personal information, and the right to access the personal information provided to the firm by that data subject, at the prescribed fee.
4.2. The right to have personal information corrected or deleted: Data subjects have the right to request that the firm rectifies the data subject’s personal information held by the firm, and the right to request that their personal information be destroyed or deleted (subject to the firm’s legal duty to retain such information for a minimum period).
4.3. The right to withdraw their consent and object to the processing of personal information: Data subjects have the right to withdraw their consent to the firm holding and processing their personal information, and the right to object, on reasonable grounds, to the processing of their personal information, except where legislation provides for such processing.
4.4. The right to object to direct marketing: Data subjects have the right to object to their personal information being used for the purposes of direct marketing by means of unsolicited electronic communications.
4.5. The right to be informed: Data subjects have the right to be made aware that their personal information is being collected and processed by the firm, and should be notified if the firm reasonably believes that a data subject’s personal information has been accessed or disclosed without authorisation.
4.6. The right to lodge a complaint with the Information Regulator: Data subjects have the right to lay a complaint with the Information Regulator regarding infringements of any of their rights as contained in POPIA.
5. General Guiding Principles / Conditions:
There are eight conditions prescribed by section 4 of POPIA that shall apply to the lawful processing of personal information.
The firm undertakes that its directors, employees and partners shall abide by these guiding principles.
5.1. Accountability:
The firm is accountable to a data subject whose personal information the firm has collected and processed. As such, the firm will ensure that it takes appropriate steps, including disciplinary action, against individuals who negligently or intentionally fail to comply with this Policy.
5.2. Processing limitation:
In order for processing to be lawful, there need to be limits on the reasons why personal information is processed, the types of personal information processed and the data subjects from whom the personal information is collected.
The firm only collects and processes personal information from data subjects that pertains to the firm’s business requirements and only as needed in order for the firm to render its services.
The firm undertakes to only collect and process personal information that is adequate, relevant and non-excessive, and only for purposes for which the information was collected in accordance with section 10 of POPIA.
In order to comply with section 10, certain requirements as contained in section 11 must be complied with. These conditions are listed below:
5.2.1. The data subject must consent to processing;
5.2.2. The processing of the personal information must be necessary – in other words, the personal information must be required to facilitate the provision of the firm’s legal services to the data subject, whether in terms of mandate, contract or otherwise;
5.2.3. The legitimate interests of the data subject must be protected; and
5.2.4. The processing of the personal information must be in the best interests of the firm.
5.3. Purpose specification:
The firm shall only collect personal information for a specified, lawful purpose and undertakes to delete or destroy this information once the purpose for which it was collected has been completed or no longer exists.
5.4. Further processing limitation:
Personal information must be collected for a specific, defined and lawful purpose. Personal information will not be processed for a secondary purpose unless the processing of such information is compatible with the original intended purpose.
Where such processing is not compatible, the firm undertakes to obtain the consent of the data subject to process such information.
5.5. Information quality:
The firm undertakes to take all reasonable steps to ensure that the personal information collected and processed is complete, clear, accurate, up to date and not misleading.
Where personal information is collected from a third party, the firm shall take all reasonable steps to verify the veracity and accuracy of the information.
5.6. Transparency and Openness:
The firm shall provide information to a data subject on request and undertakes to ensure that the data subject shall be informed of: when personal information is collected; the purpose for which it is collected; whether such collection is prescribed by law; whether the supply of personal information is mandatory or voluntary; whether it is intended that the information be transferred outside the Republic of South Africa; the consequences of the failure to provide such information; and any other relevant information.
5.7. Security safeguards:
Section 19 of POPIA requires that personal information held by the firm be adequately protected.
The firm undertakes to secure the integrity and confidentiality of personal information that is in its possession or within its control and to continuously review and update its security measures and processes to prevent unauthorised access and disclosure of personal information.
The firm shall have due regard to the accepted personal information security measures and procedures which may apply to it generally or which are required in terms of the rules and regulations of a specific industry or profession.
The following procedures are in place to ensure that personal information retained by the firm is secure:
5.7.1. The firm’s Information Officer is the director of the firm, who is responsible for, and is able to ensure compliance with, the conditions and provisions of POPIA.
5.7.2. A copy of this Policy, and the firm’s Privacy Notice, is available on the firm’s website.
5.7.3. Employees of the firm will be made aware of, and trained, on this policy and the relevant provisions of POPIA.
5.7.4. Each new employee will be required to sign an employment contract that contains provisions relating to consent and confidentiality for the use and storage of the employee’s personal information.
5.7.5. Each employee currently employed by the firm will be required to sign an addendum to their employment contract, containing relevant consent and confidentiality clauses for the use and storage of personal information.
5.7.6. The firm’s client service agreement shall contain the relevant consent and confidentiality clauses in terms of POPIA, for the use, storage and processing of personal information, which will be required to be signed by new clients.
5.7.7. Existing clients of the firm will be required to consent to the processing of their personal information.
5.7.8. Archived hardcopies of clients’ personal information are safely stored at an offsite facility and are destroyed after the retention period as prescribed by the Legal Practice Act, 2014, has elapsed.
5.7.9. Current hardcopies of clients’ personal information are safely secured in the firm’s offices, which are secured by means of an alarm activation system.
5.7.10. Electronic personal information is backed up, managed and regulated through an agreement entered into with a reputable service provider.
5.7.11. The firm’s internal server hard drives are protected by firewalls and antivirus software.
5.7.12. Only the directors of the firm and the employees of the firm have access to clients’ personal information.
5.8. Data subject participation:
Data subjects have the right to access personal information. The firm undertakes to ensure that data subjects know what personal information is held by our firm and that we are able to provide proof of consent from the data subject to process such information. The firm shall also ensure that data subjects are aware of their right to request that personal information is corrected or rectified, and the right to request that their personal information is deleted or destroyed once the purpose for which the information was collected ceases to exist.
6. Specific Duties and Responsibilities:
6.1 Information Officers:
The firm’s Information Officer is Ivette Calitz, the director of the firm. The Deputy Information Officer is Shantal Peter, the firm’s office manageress. Together, they will ultimately be responsible for the following (amongst other things):
6.1.1 Taking the necessary steps to ensure that the firm complies with the applicable provisions of POPIA;
6.1.2 Ensuring that the employees of the firm are informed of the firm’s personal information protection obligations, for example, the steps to be taken in the event of a security breach;
6.1.3 Reviewing, monitoring and updating the firm’s information protection procedures and policies;
6.1.4 Ensuring that data subjects are able to communicate with the firm regarding their personal information;
6.1.5 Overseeing the amendment of employees’ contracts, client service agreements and other service level agreements;
6.1.6 Ensuring that employees are made aware of and understand the provisions of POPIA, the risks associated with the processing of personal information, and that they comply with the provisions of POPIA;
6.1.7 Ensuring that there are procedures and processes in place to be able to adequately address data subjects’ complaints and requests, and employees’ POPIA related questions;
6.1.8 Ensuring that the firm’s IT infrastructure and other devices or systems used for processing personal information meet the acceptable security standards as prescribed by POPIA;
6.1.9 Taking the necessary steps to ensure that all personal information that is stored electronically is backed up, protected from unauthorised access, accidental deletion, and malicious hacking attempts;
6.1.10 Ensuring that all servers and computers containing personal information are sited in a secure location and are protected by a firewall and antivirus software; and
6.1.11 Performing regular IT audits and reviews.
6.2 Employees of the firm:
6.2.1 Employees acting on behalf of the firm shall be responsible for:
6.2.1.1 Ensuring that the personal information that they access and process is kept secure by complying with the provisions in this Policy;
6.2.1.2 Administering and overseeing the implementation of this Policy;
6.2.1.3 Taking reasonable steps to ensure that personal information is only stored for as long as required and that it is stored in as few places as necessary;
6.2.1.4 Ensuring that hardcopies of personal information are kept in a secure place where only authorised persons are able to access such information and that printouts of personal information are not left unattended;
6.2.1.5 Ensuring that all electronic devices such as computers and flash drives are password protected and not left unattended, and that such devices are turned off when not in use;
6.2.1.6 Ensuring that personal information is encrypted before sharing such information electronically;
6.2.1.7 Ensuring that removable devices such as hard drives or flash drives containing personal information are kept in a secure location when not in use; and
6.2.1.8 Taking the necessary steps to ensure that they are aware of the provisions of POPIA at all times.
6.2.2 Employees of the firm will not:
6.2.2.1 Share personal information informally;
6.2.2.2 Process personal information when such processing is not required to perform their job-related duties; and
6.2.2.3 Save copies of personal information directly to their own mobile devices or personal computers.
6.2.3 In circumstances where an employee becomes aware or suspects that there has been a security breach of personal information, the employee must immediately inform the Information Officer or Deputy Information Officer.
7. Disciplinary Action and Procedure:
7.1 Any employee found to be implicated in any non-compliant activity outlined in this Policy may be subject to appropriate legal or disciplinary action recommended by the firm, which actions include:
7.1.1 Commencement with disciplinary action;
7.1.2 Referral of the matter to the relevant law enforcement agency for a criminal investigation.
7.2 An employee found to be guilty of gross negligence or intentional mismanagement of personal information will be regarded as having committed a serious form of misconduct which may result in dismissal.
8. Retention, Deletion and Restriction of Records of Personal Information:
8.1 Records of personal information shall not be retained by the firm for longer periods than is necessary in order to achieve the purpose for which the personal information is collected, unless:
8.1.1 The retention of the personal information is required or authorised by legislation;
8.1.2 The retention of the personal information is required or authorised by contract between the firm and the data subject;
8.1.3 The firm reasonably requires the personal information for legal purposes related to its business functions or services; or
8.1.4 The data subject (or a competent person in law if the data subject is a minor) consents to the retention of the personal information.
8.2 The firm undertakes to delete or destroy records of personal information once such information is no longer necessary or the firm is no longer authorised or permitted to retain it.
8.3 The records of personal information shall be destroyed in such a manner as to prevent its reconstruction in an intelligible form.
8.4 The firm shall restrict the processing of personal information if:
8.4.1 The firm no longer requires the personal information to achieve the purpose for which it was collected and processed, but is required to retain the information for the purposes of proof or for record keeping purposes;
8.4.2 The accuracy of the personal information is contested by the data subject;
8.4.3 The data subject requests that the personal information be transmitted or transferred to another automated processing system;
8.4.4 The processing of the personal information is unlawful; and / or
8.4.5 The data subject opposes the destruction or deletion of the personal information or requests the restriction of its use.
8.5 Where the processing of personal information has been restricted, the firm shall only process such information with the data subject’s consent (or the consent of a person competent in law where the data subject is a minor), for the purposes of proof or record keeping, in order to protect the rights of any natural or legal person, or if such processing would be in the public interest.
9. Breaches in Security:
9.1 Where there are reasonable grounds to believe that a data subject’s personal information has been accessed or disclosed by an unauthorised person, the Information Officer (and if not available, the Deputy Information Officer) must be contacted as soon as possible after the discovery of the security breach.
9.2 The Information Officer shall inform the Information Regulator and the data subject about the breach. Such notification must be made as soon as possible after the discovery of the security breach.
9.3 The Information Officer must make available sufficient information to the data subject to enable the data subject to take the necessary protective measures against the potential consequences of the breach.
10. Amendment of Policy:
10.1 The firm reserves its rights to update this policy from time to time.
10.2 Any amendments will be published on the firm’s website and any important changes to this policy will be communicated to our clients via email, and circulated to directors, employees and partners of the firm.
11. Information Officers:
The details of the firm’s Information Officer and Deputy Information Officer are as follows:
11.1 Information Officer
Name: Ivette Calitz
Contact Number: 031 202 3100 / 083 254 4818
Email Address: ca****@ca************.za / iv****@ca************.za
11.2 Deputy Information Officer
Name: Shantal Peter
Contact Number: 031 202 3100
Email Address: ca****@ca************.za / ad***@ca************.za