POPIA

MANUAL IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT 2 OF 2000 (“PAIA”)

AS AMENDED BY THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013 (“POPIA”)

 

FENWICK BOSHOFF INC. (PTY) LTD

(REG. NO.: 2001/002612/07)

(“COMPANY”)

1            Introduction

1.1              This Manual constitutes the Company PAIA manual. 

1.2              This Manual is compiled in accordance with section 51 of PAIA as amended by the Protection of Personal Information Act, 2013 (“POPIA”). POPIA promotes the protection of personal information processed by private bodies, including certain conditions so as to establish minimum requirements for the processing of personal information. POPIA amends certain provisions of PAIA, balancing the need for access to information against the need to ensure the protection of personal information. Where a request is made in terms of PAIA to a private body, that private body must disclose the information if the requester is able to show that the record is required for the exercise or protection of any rights, and provided that no grounds of refusal contained in PAIA are applicable. PAIA sets out the requisite procedural issues attached to information requests.

1.3              This PAIA manual also includes information on the submission of objections to the processing of personal information and requests to delete or destroy personal information or records thereof in terms of POPIA.

1.4              For purposes of this Manual, we refer to ourselves as the “Company”, “we”, “us” or “our”.

 

2             Who Are We – About Us And Our Business

2.1              Fenwick Boshoff Incorporated.

 

3             Our Contact Details

3.1              All requests for access to records in terms of the Act for the Company must be in writing and must be addressed to the Information Officer at the contact details below:

Information Officer:  Brett Tromp

Street Address:  21 John Gainsford Street, Springbok Park, Brackenfell, 7560

Email address:  Brett@fb-law.co.za

 

4             Information That Is Automatically Available Without A PAIA Request

4.1              The information available on our website may be accessed by you automatically, without having to follow the formal PAIA request process.

 

5             Records Kept In Terms Of The Other Legislation

5.1              We are subject to many laws and regulations, some of which require us to keep certain records. 

 

 

6             Description Of Subjects We Hold Records On And Categories Of Records

6.1              Described below are the records which we hold, divided into categories for ease of reference:

 

Personnel Records 

 

Personnel records include: 

 

  • personal records (provided by personnel themselves);
  • records provided by a third party relating to personnel;
  • conditions of employment and other personnel-related contractual and quasi-legal records;
  • internal evaluation records and other internal records;
  • training schedules and material;
  • pension records;
  • employee benefits records;
  • labour relations records;
  • employment equity records; and
  • correspondence relating to personnel.

 

Client Records 

 

Client records include: 

 

  • contracts and records of correspondence and enquiries;
  • financial records;
  • records pertaining to services rendered by the Company;
  • records provided by a client to a third party acting for or on behalf of the Company;
  • records provided by a third party;
  • records generated by or within the Company relating to its clients, including transactional data.

 

Private Body Records 

 

“Private Body Records” are records which include, but are not limited to, records which pertain to the Company’s own affairs including:

 

  • financial records;
  • operational records;
  • databases;
  • information technology systems and documents;
  • marketing records;
  • internal correspondence;
  • service records;
  • statutory records;
  • internal policies and procedures;
  • trademarks and intellectual property.

 

Other Party Records

 

  • personnel, customer or private body records which are held by another party on the Company’s behalf, as opposed to the records held by the Company itself.
  • records held by the Company pertaining to other parties, including without limitation, financial records, correspondence, contractual records, and records about the Company’s contractors / vendors / suppliers / service providers.

 

7              Information Related to POPIA

7.1              Requests for personal information under POPIA must be made in accordance with the provisions of PAIA.  This process is outlined in paragraph 9 below.

7.2              If we provide you with your personal information, you have the right to request the correction, deletion or destruction of your personal information, in the prescribed form. You may also object to the processing of your personal information in the prescribed form.

7.3              We have attached the prescribed forms to this Manual for your convenience.

7.4              We will give you a written estimate of the fee for providing you with your personal information, before providing you with the services. We may also require you to provide us with a deposit for all or part of the fee prior to giving you the requested personal information.

7.5              Purpose of processing:

7.5.1            POPIA provides that personal information may only be processed lawfully and in a reasonable manner that does not infringe on the data subject’s privacy.

7.5.2            The type of personal information that we process will depend on the purpose for which it is collected. 

7.5.3            We may use, transfer, share and disclose your personal information for the purposes of:

  • providing you with services, offerings and keeping you informed,
  • enriching the accuracy and quality of our data;
  • managing the account or contract / relationship with us;
  • detecting and preventing fraud and money laundering and / or in the interest of security and crime prevention;
  • assessing and dealing with complaints and requests;
  • operational, marketing, auditing, legal and record keeping requirements;
  • identifying and verifying your identity or the identity of your beneficial owner;
  • transferring or processing your personal information outside of the Republic of South Africa to such countries that may not offer the same level of data protection as the Republic of South Africa, including for cloud storage purposes and the use of any of our websites;
  • complying with applicable laws, including lawful requests for information received from law enforcement, bureaus, government and tax collection agencies;
  • recording and / or monitoring your telephone calls and electronic communications to / with the Company in order to process instructions and requests;
  • conducting market research and providing information about the Company’s products or services from time to time via our website, email, telephone or other means;
  • disclosing personal information to third parties for reasons set out in our privacy notice or where it is not unlawful to do so;
  • monitoring, keeping record of and having access to all forms of correspondence or communications received by or sent from the Company or any of its employees, agents or contractors, including monitoring, recording and using as evidence all communications between parties;
  • creating valuation models;
  • credit reporting;
  • debt collection and related purposes;
  • statistical, historical and research purposes;
  • data analytics;
  • tracing;
  • We may from time to time (and at any time) contact you about services, products and offerings available from the Company or specific Group subsidiaries which we believe may be of interest to you, by email, phone, text or other electronic means, unless you have unsubscribed from receiving such communications.

 

7.6              Personal information that is processed includes:

  • names, addresses, contact details, date of birth, identity/passport/registration number, bank details, company details, VAT/tax number, credit records, account information, judgements, defaults and financial information;
  • records of correspondence or enquiries from you or anyone acting on your behalf; details of any contracts and transactions.

 

7.6.1          Categories of data subjects include:

  • our employees,
  • clients,
  • any third parties with whom we conduct business.

 

7.6.2         Categories of personal information include personal information and special personal information.

 

7.7            Categories of recipients for purposes of processing personal information

7.7.1         Personal information may be shared with other entities in the group, our agents and sub-contractors, partners, vendors and selected third parties, including credit providers, credit bureaus, debt collectors, and service providers who process the information on our behalf for the purposes set out in 8.5.3 above.

 

7.8            Actual or planned trans-border flows of personal information

7.8.1         The Company may need to transfer a Data Subject’s information to service providers in countries outside South Africa, in which case it will fully comply with applicable South African data protection legislation. 

7.8.2         These countries may not have data protection laws which are similar to those of South Africa.

 

7.9            General description of information security measures

7.9.1          The Company employs appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of personal information.

7.9.1.1     The following policies have been put in place to govern the way the Company treats personal information:

  • POPI policy
  • Record retention policy
  • Promotion of access to information policy
  • Privacy incident management policy
  • Privacy notice
  • Our HR code of conduct handbook codifies what is deemed acceptable conduct for employees performing their work as it relates to confidentiality and the security of personal information of customers, suppliers, and the Company.

 

7.9.1.2    The following protocols have been put in place to control the way the Company treats personal information:

  • Protocols for handling complaints
  • Transborder controls
  • Protocols for requests to access, correct and delete personal information
  • Monitoring and assurance reviews testing the ongoing adequacy and effectiveness of controls
  • Privacy incident management tool was created to effectively log and track potential privacy incidents
  • Due diligence evaluations have been deployed to evaluate prospective Operators’ propensity to secure the privacy, confidentiality and integrity of personal information prior to appointment.
  • Operator contracts and agreements include privacy clauses
  • Operator attestations allow us to assess current Operators’ ongoing propensity to secure the privacy, confidentiality and integrity of personal information they process on our behalf.

7.9.1.3       The Company’s IT Security Control environment includes controls such as:

  • Access restrictions
  • Authentication
  • Virus and malware protection
  • Firewall protection
  • Segregation of duties
  • Encryption
  • Monitoring and alert tools
  • Cyber insurance
  • Use of SFTP sites
  • Formatting hard drives of devices to remove information when those devices are reused.
  • Data sharing agreements are in place to govern the secure processing and confidentiality of information between internal group entities linking the information (ensuring more control and less risk). We are often required to sign non-disclosure agreements with external entities prior to having information shared with us.
  • Consent clauses and disclosures (where applicable) have been embedded onto forms, templates, documents, applications, websites and interfaces where personal information is processed.
  • All employees have been provided with comprehensive POPI training and are required to undergo an assessment in order to deem them competent in their understanding of the POPI Act and its principles.

 

8             Request Procedure

8.1            Completion of the prescribed form

8.1.1          Any request for access to a record from a private body in terms of PAIA must substantially correspond with the form attached hereto marked Appendix A.

8.1.2         A request for access to information which does not comply with the formalities as prescribed by PAIA will be set aside.

 

8.2             Payment of the prescribed fees

8.2.1            A fee may be payable, depending on the type of information requested, as described under Appendix B – Fees in respect of private bodies.

8.2.2           There are two categories of fees which are payable:

8.2.2.1        The request fee: R140

8.2.2.2         The access fee: This is calculated by taking into account reproduction costs, search and preparation costs, as well as postal costs.  

8.2.3            Section 54 of PAIA entitles the Company to levy a charge or to request a fee to enable it to recover the cost of processing a request and providing access to records.  The fees that may be charged are set out in Regulations promulgated under PAIA.  

8.2.4         Where a decision to grant a request has been taken, the record will not be disclosed until the necessary fees have been paid in full.

8.2.5           POPIA provides that a data subject may, upon proof of identity, request the Company to confirm, free of charge, all the information it holds about the data subject and may request access to such information, including information about the identity of third parties who have or have had access to such information. 

8.2.6           POPIA also provides that where the data subject is required to pay a fee for services provided to him / her, the Company must provide the data subject with a written estimate of the payable amount before providing the service and may require that the data subject pays a deposit for all or part of the fee. 

 

9            Objection 

9.1              POPIA provides that a data subject may object, at any time, to the processing of personal information by the Company, on reasonable grounds relating to his/her particular situation, unless legislation provides for such processing. The data subject must complete the prescribed form attached hereto as Appendix C – FORM 1 – Objection to the processing of personal information in terms of section 11(3) of POPIA Regulations relating to the protection of personal information, 2018 [Regulation 2] and submit it to the Information Officer at the postal or physical address or electronic mail address set out above.

 

10          Correction 

10.1         A data subject may also request the Company to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or destroy or delete a record of personal information about the data subject that the Company is no longer authorised to retain records in terms of POPIA’s retention and restriction of records provisions. 

10.2       A data subject that wishes to request a correction or deletion of personal information or the destruction or deletion of a record of personal information must submit a request to the Information Officer at the postal or physical address or electronic mail address set out above on the form attached hereto as Appendix D – FORM 2 – Request for correction or deletion of personal information or destroying or deletion of record of personal information in terms of section 24(1) of POPIA’s Regulations relating to the protection of personal information, 2018 [Regulation 3].

 

11           Proof Of Identity

11.1            Proof of identity is required to authenticate your identity and the request. You will, in addition to this prescribed form, be required to submit acceptable proof of identity such as a certified copy of your identity document or other legal forms of identity.

 

12               Timelines For Consideration Of A Request For Access

12.1            Requests will be processed within 30 (thirty) days, unless the request contains considerations that are of such a nature that an extension of the time limit is needed.

12.2            Should an extension be required, you will be notified, together with reasons explaining why the extension is necessary.

 

13                Grounds For Refusal Of Access And Protection Of Information

13.1            There are various grounds upon which a request for access to a record may be refused.  These grounds include:

13.1.1         the protection of personal information of a third person (who is a natural person) from unreasonable disclosure;

13.1.2         the protection of commercial information of a third party (for example: trade secrets; financial, commercial, scientific or technical information that may harm the commercial or financial interests of a third party);

13.1.3          if disclosure would result in the breach of a duty of confidence owed to a third party;

13.1.4         if disclosure would jeopardise the safety of an individual or prejudice or impair certain property rights of a third person;

13.1.5         if the record was produced during legal proceedings, unless that legal privilege has been waived;

13.1.6         if the record contains trade secrets, financial or sensitive information or any information that would put the Company at a disadvantage in negotiations or prejudice it in commercial competition; and/or

13.1.7         if the record contains information about research being carried out or about to be carried out on behalf of a third party or by the Company.

13.2            Section 70 of PAIA contains an overriding provision. Disclosure of a record is compulsory if it would reveal (i) a substantial contravention of, or failure to comply with the law; or (ii) there is an imminent and serious public safety or environmental risk; and (iii) the public interest in the disclosure of the record in question clearly outweighs the harm contemplated by its disclosure.

13.3            If the request for access to information affects a third party, then such third party must first be informed within 21 (twenty one) days of receipt of the request.  The third party would then have a further 21 (twenty one) days to make representations and/or submissions regarding the granting of access to the record.

 

14                Remedies Available To A Requester On Refusal Of Access

14.1            If the Information Officer decides to grant a requester access to the particular record, such access must be granted within 30 (thirty) days of being informed of the decision.

14.2            There is an appeal procedure that may be followed after a request to access information has been refused, which will be described in the correspondence addressed to you by the Information Officer.

14.3            In the event that you are not satisfied with the outcome of the appeal, you are entitled to apply to the Information Regulator or a court of competent jurisdiction to take the matter further.

14.4            Where a third party is affected by the request for access and the Information Officer has decided to grant you access to the record, the third party has 30 (thirty) days in which to appeal the decision in a court of competent jurisdiction.  If no appeal has been lodged by the third party within 30 (thirty) days, you must be granted access to the record.

 

15            Availability Of This Manual

15.1            Copies of this Manual are available for inspection, free of charge, at the registered offices of the Company at the address listed above.

15.2      Copies will also be made available on the Company website/s.