The purpose of this policy is to explain the legal requirements for processing personal information and how the Oasis Association processes such information. The conditions and criteria for processing of information are contained in the Protection of Personal Information Act 4 of 2013 (POPIA) which gives effect to the constitutional right to privacy, in section 14 of the Constitution of the Republic of South Africa, 1996 (the Constitution).
The right to privacy includes the right to protection against unlawful collection, retention, distribution and use of personal information.
The provisions in POPIA should be understood in conjunction with the Promotion of Access to Information Act 2 of 2000 (PAIA), which governs the right of access to information. PAIA gives effect to the constitutional right to any information, held by another person (or the State), that is required for the exercise or protection of any rights. POPIA and PAIA, in effect, create the balance between the protection of personal information and the effective access to information.
‘Biometrics’ – a technique of personal identification that is based on physical (the body itself), physiological (the functions of the body) or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition,
‘Child’ – a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him or herself,
‘Competent person’ – any person who is legally competent to consent to any action or decision in respect of any matter concerning a child,
‘Data subject’ – a person to whom personal information relates.
‘Electronic Communication’ – any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.
‘Enforcement Notice’ – a notice that may be issued by the Information Regulator when there is interference with the protection of personal information of the data subject.
‘Information Officer’ – in the case of a private body, is the head of the organisation who is responsible for POPIA and PAIA compliance and has to be registered with the Information Regulator.
‘Responsible Party’ – means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means of processing personal information.
3. PERSONAL INFORMATION
Personal information is information that relates to an identifiable living natural person or a juristic person. A juristic person is a legal entity that enjoys certain rights and has duties. Information pertains
- age; belief; conscience; culture; disability; gender; marital status; pregnancy; language; religion; physical and mental health,
- education; criminal; employment; financial and medical history,
- biometric information: blood typing; DNA analysis; retinal scanning and voice recognition,
- personal opinions; preferences and points of view,
- original correspondence that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the private or confidential nature of the original correspondence,
- views or opinions of another individual about a person, and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
4. LIMITATION OF RIGHTS
The right to privacy is subject to justifiable limitations, such as the right of access to information. On the other hand, the right of access to information, governed by PAIA (mentioned above) is subject to justifiable limitations for:
4.1 the reasonable protection of privacy,
4.2 commercial confidentiality, and
4.3 effective, efficient and good governance.
5. THE INFORMATION OFFICER
Information Officers are appointed automatically in terms of PAIA. Information Officers have the authority to appoint Deputy Information Officers to assist with execution of duties. It is not mandatory to appoint Deputy Information Officers.
The director of Oasis Association is the designated Information Officer whose responsibilities include:
5.1.1 the encouragement of compliance with the conditions for lawful processing of personal
5.1.2 dealing with requests made to the Oasis Association pursuant to POPIA and PAIA,
5.1.3 ensure compliance with the provisions of POPIA, and
5.1.4 as may be prescribed
5.2 Commencement of responsibilities
Duties related to POPIA and PAIA must commence only after the Responsible Party has registered the Information Officer and any deputies with the Information Regulator (Regulator).
Both POPIA and PAIA (previously enforced by the South African Human Rights Commission) are monitored and enforced by a juristic person, the Regulator, who:
5.3.1 has jurisdiction throughout the Republic of South Africa,
5.3.2 is only subject to the Constitution and the law and must be impartial and perform its functions and its powers without fear, favour or prejudice,
5.3.3 must exercise its powers and perform its functions in accordance with POPIA and PAIA, and
5.3.4 is accountable to the National Assembly.
An Information Officer who refuses to comply with an enforcement notice is guilty of an offence and upon conviction faces the sanction of imprisonment for a period not exceeding 3 years, a fine or both. The Regulator issues an enforcement notice if a Responsible Party has interfered with or is interfering with the protection of personal information.
5.5 Protection of the Regulator
In terms of section 53 of POPIA, any person acting on behalf of or under the direction of the Regulator does not incur civil or criminal liability for actions taken in good faith while performing any power, duty or function of the Regulator in terms of POPIA or PAIA, i.e. the Information Officer is not responsible if they shared information with someone else that they believed was acceptable.
6. LAWFUL PROCESSING OF PERSONAL INFORMATION
In POPIA, processing of personal information is defined as any operation or activity, whether or not by automatic means, including:
6.1 the collection, receipt, recording, organisation, collation, updating or modification, retrieval, alteration, consultation or use;
6.2 dissemination by means of transmission, distribution or making available in any other form; or
6.3 merging, linking as well as restriction, degradation, erasure or destroying of information.
The Oasis Association processes personal information for the purposes of:
6.4 advancing and defending the constitutional rights of people with intellectual disability,
6.5 compiling lists of service providers in the sector for intellectual disability (the sector),
6.6 concluding employee agreements,
6.7 conducting research and surveys for the benefit of the sector,
6.8 general communication and reporting in multi-media,
6.9 meeting statutory obligations,
6.10 processing financial transactions,
6.11 recording and maintaining details of members,
6.12 reporting to and meeting requirements of funders, and
6.13 reporting to and meeting requirements of national and provincial government departments,
6.14 recording personal information submitted via the website, oasis.org or social media pages.
6.14.1 the web user’s information will be treated with confidentiality,
6.14.2 information provided by the user will only be used for a lawful purpose/s intended by the user and the personal information submitted is only used to facilitate service delivery to the user,
6.14.4 the Oasis Association is not responsible for the privacy practices or policies of third parties that are integrated and/or linked to this website. Third parties include, but are not limited to: Facebook; Google; Twitter and WordPress plugins.
7. CRITERIA FOR PROCESSING INFORMATION
When processing personal information the Oasis Association as the Responsible Party, must take into account the conditions and criteria for processing of personal
7.1 General conditions
There are 8 general conditions for lawful processing of personal information:
The Responsible Party must ensure compliance with the conditions for lawful processing.
7.1.2 Processing limitation:
7.1.2.1 Lawfulness – personal information must only be processed in a lawful and reasonable manner that does not infringe privacy,
7.1.2.2 Minimality – personal information may only be processed if it is adequate, relevant and not excessive for the purpose for which it is processed,
7.1.2.3 Consent, justification and objection – personal information may only be processed if:
· The data subject or a competent person, in the case of a child, consents to processing,
· Processing is necessary for the conclusion or performance in terms of a contract to which a data subject is party,
· Processing complies with an obligation imposed by law,
· Processing protects the legitimate interests of the data subject,
· Processing is necessary for pursuing the legitimate interests of the Responsible Party or a third party to whom information is supplied.
Consent is required unless the information is available in public records or deliberately made available publicly. The Oasis Association obtains consent to collect, process and share information directly from data subjects, other organisations, institutions, government and non-government organisations.
· Job applications – background screening to do certain verification and vetting checks is an essential part of the Oasis Association’s recruitment and selection process. Consent for verification and vetting is obtained from applicants. Checks are related to the application for an advertised position at the Oasis Association and include checks for –
- validity of driver’s licence,
- posts on social media platforms (consent is not required if the information is in the public domain),
- confirmation of qualifications,
- job references,
- consumer credit information. This information will only be obtained if the applicant is being considered for employment in a position that includes: honesty; integrity; handling of cash; finances and for the prevention and detection of fraud,
- SAPS Name/Police Clearance Certificates – A South African Police Service (SAPS) Police/Name Clearance Certificate may contain special personal information about any criminal charges, any legal proceedings or any convictions recorded against the data subject. POPIA prohibits the processing of such special personal information unless consent is obtained from the data subject.
When a job applicant is offered a position by the Oasis Association, they are required to apply for and obtain a SAPS Police/Name Clearance Certificate, which needs to be forwarded to the Information Officer for processing. The Oasis Association reserves the right to obtain written consent from the job applicant to make use of the services of external agencies for the purpose of doing verification and vetting checks.
· Photographs – permission is obtained to share photographs to support: advocacy campaigns; teaching aids; funding applications and various reports.
· Surveys – permission is obtained from organisations to share information obtained from surveys with third parties.
7.1.3 Purpose specification
The data subject must be made aware of the specific purpose for which personal information is collected as it pertains to the function and activity of the Responsible Party unless:
7.1.3.1 Permission has been given for non-compliance with this condition,
7.1.3.2 Legitimate interests of the data subject are not prejudiced by non-compliance,
7.1.3.3 Compliance is not reasonably practicable,
7.1.3.4 Compliance would prejudice a lawful purpose of collection.
Retention of records
As a general rule, records of personal information must not be retained for longer than is necessary except if records need to be retained in terms of:
· Any law,
· Lawful purposes related to the purpose and functions of a particular record,
· A contractual requirement,
· Consent where the data subject is a child,
Destruction of personal records
Deletion or destruction of records must be done in a manner that prevents reconstruction in an accessible form. At the Oasis Association:
· Records containing personal information are shredded,
· Data on internal and external computer hard drives is erased before disposal.
7.1.4 Further processing limitation:
Any further processing of personal information must be in accordance or compatible with the original purpose for which it was collected.
7.1.5 Information quality:
Reasonably practicable steps must be taken to ensure that personal information is complete, accurate, not misleading and updated where necessary.
A PAIA manual must be compiled which contains details of the voluntary disclosure and automatic availability of certain records.
7.1.7 Security safeguards:
The integrity and confidentiality of personal information in the possession or control of the Responsible Party must be secured by taking appropriate and reasonable technical and organisational measures to do so. The Oasis Association has the following data security safeguards in place:
7.1.7.1 Hard copies of information are stored in a secure environment,
7.1.7.2 Critical documents are stored in a fireproof safe,
7.1.7.3 Security measures for information stored digitally:
· password protection activated for files containing employee information,
· password protection activated for files containing financial information,
· virus scanning software is used to identify and get rid of threats,
· multiple levels of computer backups are done on a monthly and quarterly basis.
7.1.8 Data subject participation – access to personal information:
A data subject has the right to:
7.1.8.1 Request whether the Responsible Party holds information about the data subject,
7.1.8.2 Request the record or description of the information including the identity of third parties who have access to the information,
7.1.8.3 Request a correction to the information,
7.1.8.4 Sections 30 and 61 of PAIA are applicable in respect of access to health or other records.
The Responsible Party:
· Must give a written estimate to the data subject for any fees charged to access personal information,
· May require a full or partial payment of deposit for the applicable fees.
7.2 Processing of special personal information
Personal information of children may not be processed unless:
7.2.1 prior consent is obtained from a competent person,
7.2.2 processing is necessary for the establishment, exercise or defence of a right or obligation in law,
7.2.3 necessary to comply with an obligation in international law,
7.2.4 for historical, statistical research purposes that serve a public interest,
7.2.5 the information has been deliberately made public by the child with the consent of a competent person,
Personal information may not be processed, subject to certain exceptions, concerning:
7.2.6 religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of the data subject
7.2.7 the alleged commission of a crime; or
7.2.8 any legal proceeding concerning an offence allegedly committed.
8. REQUESTS FOR INFORMATION
Requests for information or any questions or queries related to processing information must be directed in writing to the Oasis Association Information Officer, Gail Bester, Executive Director, email@example.com.
Director: Gail Bester
Deputy Director: Beverley Damons
22 December 2021