SHEEPDOG SECURITY (PTY) LTD
POLICY ON THE PROTECTION OF
(IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013)
The purpose of this document is to explain the manner in which SHEEPDOG SECURITY (PTY) LTD (‘the Company’) deals with the personal information of Data Subjects and the purpose for which this information is used.
This policy also serves to protect the Company from compliance risks associated with the protection of personal information, which include:-
- Breaches of confidentiality
- Failing to offer choice to Data Subjects to choose how and for what purpose their information is used
- Reputational damage.
The policy also demonstrates the Company’s commitment to protecting the privacy rights of Data Subjects.
This policy applies to:-
- Shareholders of the Company
- Attorneys and their employees
- Employees of the Company
- Any person acting on behalf of the Company
- All potential and existing Data Subjects
The Protection of Personal Information Act 4 of 2013 (‘POPIA’) requires the Company to inform Data Subjects of the following:-
- How their personal information is used;
- How their personal information is disclosed; and
- How their personal information is destroyed.
The Company is committed to compliance with POPIA and other applicable legislation, protecting the privacy of Data Subjects and ensuring that their personal information is used appropriately, transparently and securely.
This policy is to be distributed to all members upon its approval and will thereafter be available for inspection at the office of the Company’s managing agent or such other location as the trustees may from time to time determine.
This policy is to be read in conjunction with the provisions of the POPIA Regulations and Guidelines, the Promotion of Access to Information Act 2 of 2000, the Sectional Titles Act 95 of 1986, the Sectional Titles Schemes Management Act 8 of 2011, the Community Schemes Ombud Services Act 9 of 2011 and all regulations published pursuant thereto. In the event that this policy is inconsistent with any provision of the aforementioned legislation and/or regulations then the provision of the legislation and/or regulations shall apply.
Save as provided for in this paragraph 4 and unless a specific word and/or phrase has been assigned a definition in terms of POPIA, words and/or phrases used in this policy shall be assigned their ordinary grammatical meaning unless such interpretation shall lead to an absurdity and in which event the word and/or phrase shall be interpreted within the context of this policy and to give effect to the purpose of this policy.
- Personal Information
Personal Information means information relating to an identifiable, living, natural person, and where applicable, an existing, identifiable juristic person and may include but is not limited to:-
- Information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- The biometric information of the person;
- The personal opinions, views or preferences of the person;
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- Information regarded as confidential information;
- The views or opinions of another individual about the person; and
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
- Data Subject
This refers to the natural or juristic person to whom personal information relates.
The act of processing information includes any activity or set of operations concerning personal information and includes:-
- The collection, receipt, capturing, collation, storage, updating, retrieval, alteration or use;
- Dissemination by means of transmission, distribution or making available in any other form; or
- Merging, linking, erasure or destruction of information.
- THE POLICY
(NOTE: THIS POLICY ONLY APPLIES TO THE PROCESSING OF PERSONAL INFORMATION WHICH IS NOT SPECIFICALLY REGULATED BY THE PROVISIONS OF THE COMPANIES ACT.)
Lawfulness of Processing, Minimality and Collection for a Specified Purpose
When processing personal information, the Company must ensure that such processing takes place for a specified purpose (which relates to the activities of the Company), lawfully and in a reasonable manner whilst not infringing on the rights of the data subject. Any personal information that is obtained and retained by the Company must be used for the purposes as notified to the data subject.
The data subject must also be provided with the relevant and mandatory notification per the POPIA Regulations and Guidelines.
Consent, Collection of Personal Information and Notification to the Data Subject
Personal information may only be processed by the Company where the data subject (or in the case where the data subject is a child, from a competent person) has consented to such processing and such information must be collected directly from the data subject (or the competent person, as the case may be).
The data subject must be made aware of the consequences of not consenting and/or objecting to the processing of the relevant personal information.
NOTE: Consent is not required from the data subject for the processing of personal information as stipulated in the Companies Act or any other applicable legislation.
Retention; Restriction of Records; Security of Information
The Company may retain personal information:
- for as long as the lawful purpose for which the Company requires the personal information remains; and/or
- as a practice of good governance; and/or
- as proof that the objective for which the personal information was obtained and subsequently processed has been achieved; and/or
- for historical, statistical and/or research purposes of the Company.
The Company may retain the personal information in the above circumstances, for periods in excess of those required by legislation, so long as appropriate security measures are in place and/or implemented, for both electronic and paper-based formats that may be utilised for processing personal information, to avoid any and all instances of security breaches.
Personal information may only ever be processed by persons authorised to do so by the Company and must at all times be kept in a confidential, safe and secure manner so as to avoid exposure to unauthorised persons. It is recommended that where relevant, managing agents sign non-disclosure agreements to ensure the confidentiality of information.
All personal information processed by the Company and which remains in active use by the Company must be maintained in such a manner so as to ensure that the personal information is kept in a confidential, safe and secure manner to avoid exposure to unauthorised persons.
Once the personal information may no longer be retained for the reasons mentioned above, same must be destroyed/de-identified (the process must still facilitate and maintain the confidentiality of the information), by persons authorised to do so, in a manner that ensures that the personal information cannot be reconstructed or re-identified. The Company is to retain proof and/or record of the destruction.
Note that personal information may only be destroyed upon expiration of the retention periods prescribed by the Sectional Titles Schemes Management Act and any regulations published pursuant thereto.
The Company will follow any guidelines and/or directions as issued by the Information Regulator that pertain to retention and/or destruction practices.
Information processing by Operators (including the Transfer of Personal Information outside the Republic)
Should the Company engage the services of an operator in relation to the processing and/or destruction of personal information, the Company is to ensure that the operator is contractually obligated to comply with the requirements of POPIA and process and/or destroy the personal information as stipulated by the Act (this applies to instances of further processing as well).
Information processing by Third Parties (including the Transfer of Personal Information outside the Republic)
Personal information that is not de-identified and anonymised may only be provided to a third party if provision of such information is a legislative and/or reporting requirement.
In the above instances the third parties are to be contractually bound to comply with the requirements of POPIA (this applies in instances of further processing as well).
The operator and/or third party must be contractually obligated to immediately inform the Company of any and all threatened and/or actual security breaches which may/will affect any and all personal information that the Company processes itself or via contractual agreement with an operator and/or third party. Such threatened and/or actual security breaches either within the Company environment and/or that of the operator and/or third party must be reported to the Information Officer or such other authorised person so that the measures in terms of POPIA may be instituted.
Quality of Information
The Company is at all times to ensure that the personal information obtained and retained from the data subject is complete, accurate, not misleading and up to date.
To facilitate the above:
- Regular communication with all the Company stakeholders may take place in a paper-based or electronic format to ensure that same are aware of their obligation to ensure that the Company has their correct personal information at all times;
- Such stakeholders must be able to access their personal information to verify the authenticity of same; and
- Should such stakeholders wish to correct their information, the Company must provide the platform to enable the correction with the consent of the stakeholder.
- All requests for updating personal information must be sent to [insert email address] (or any other email address and/or process as identified by the Trustees) to enable an objective assessment of such requests to take place.
- With regard to any supporting documentation that may be required for the updating of personal information, the Company will follow any applicable guidelines that may be issued by the Office of the Information Regulator as and when same are published.
Where relevant, requests for access to personal information and the correction thereof, must be facilitated via the process prescribed in the Sectional Titles Schemes Management Act or any regulations published pursuant thereto.
Further processing of personal information may only take place if the reason for the further processing is compatible with the reason for which the personal information was originally processed.
Special Personal Information
The processing of special personal information may only take place in the following instances:
- Processing is carried out with the data subject’s consent (or the competent person, as the case may be);
- Processing takes place under the auspices of relevant South African and/or international public law;
- Processing takes place for historical, statistical or research purposes, within the Company context, to the extent that:-
The processing is necessary for the relevant purpose and serves a public interest; or
It appears to be impossible or would involve a disproportionate effort to ask for consent
and the Company ensures that the processing does not affect the individual privacy of the data subject to a disproportionate extent; or
- The personal information has been made public by the data subject.
Contractual Agreements, Other Documents and Processes
All contractual agreements, documents and/or processes which the Company is a party to and/or may utilise to conduct its business must give effect to the requirements of POPIA (i.e. by the insertion of a relevant clause in the agreement and/or document. In the case of a process, same must be vetted to ensure that it does not have the potential to cause a breach of the Act).
Requests for Access to, Processing and/or Destruction of Personal Information
All requests to access/process/destroy personal information must be directed to Sheldin GC Dauberman for consideration via the email address: firstname.lastname@example.org.
Amendment of Personal Information Held by the Company
All requests for the amendment, correction and/or deletion of personal information must be directed to Sheldin GC Dauberman via the email address: email@example.com for an objective assessment to take place. Where the request for amendment, correction and/or deletion is declined a note to such effect will be entered into the relevant Company record.
Matters and/or Incidences which may occur outside the scope covered by this Document
The person, acting in the capacity as Deputy Information Officer, must be contacted for direction should any matters and/or incidences occur, which this document does not address, with regard to personal information.
Failure to comply with this policy may result in such action as may be appropriate under the circumstances.
This document may be periodically reviewed to coincide with changes to POPIA and/or the Company environment. Should a review take place as a result of the latter instance, the requirements of POPIA must still be met in the reviewed document.