DATA PROTECTION AND INFORMATION SECURITY
This Manual applies to:
Lazer Couriers CC t/a
Registration number: 1993/016647/23
14 Devon Road,
DATA PRIVACY AND INFORMATION SECURITY POLICY
The Senior Management of Lazer Couriers CC t/a Allied Transport hereby accepts the following Data Privacy and Information Security Policy for integration and implementation into the Company’s Information Management structure.
DATA PRIVACY AND INFORMATION SECURITY POLICY
TABLE OF CONTENTS
Management Control & Enforcement
Third Party Management
Actual or Planned Transborder Flows of Personal Information
Dealing with the Public Media
Terms & Definitions
Detailed description of key aspects incorporated in this policy
Revision of the Policy
Related legislation, Policies, Documentation & Agreements
DATA PRIVACY AND INFORMATION SECURITY POLICY
Data privacy is the rights and obligations of individuals and organisations with respect to the collection, use, retention and disclosure of personal information.
Information security is the protecting measures implemented by an organisation to protect the integrity of such data and information within that organisation from a wide range of threats in order to adhere to applicable legislation and to ensure business continuity, minimise business risk and maximise returns on investment.
Data privacy and Information security is an integral component of the Risk Management structure of Lazer Couriers CC t/a Allied Transport, hereinafter referred to as the “Company”.
The Company has an obligation to ensure appropriate security for all Information Security (IT) systems (data, equipment and processes) and personal information that it owns and/or controls on behalf of other responsible parties.
Appropriate levels of security will be determined by risk assessment, i.e assessment of threats to, impacts on and vulnerabilities of IT systems and information and the likelihood of their occurrence.
The need for Data privacy and Information security is driven by the following:
Legal, statutory, regulatory and contractual obligations; risk assessment; operational principles, objectives and requirements for information systems that the Company has defined or developed.
3. Policy Application
This policy will apply to:
- Lazer Couriers CC t/a Allied Transport (the “Company”);
- Any joint ventures, and/or other business organisations that are owned or controlled by the Company who receive or process personal information for, or on behalf of the Company;
- The employees and independent contractors of the Company;
- Personal information of external data subjects and data owners processed and/or stored by the Company, as well as the personal information of Company personnel.
4. Policy Scope
The policy will be promulgated to include the following domains and framework:
- Data security- Inclusive of data privacy principles, confidentiality, criticality, integrity and intellectual property rights;
- Communications security- Establishing network connections; Flow control systems inclusive of firewalls, encryption, dial-up communications, telephone systems, electronic mail systems, downloaded data, internet connections and telecommuting arrangements;
- Software security- inclusive of system access control and password management; privilege control and logging;
- Software development and change control- Inclusive of change control processes for workstations; third party involvement; handling of viruses and worms and software development processes.
- Physical access security- Inclusive of building and computer facilities access control;
- Computer location and environment- Inclusive of premises, emergency data centre premises and their construction, emergency power supply and equipment; alarm systems and contingency planning for emergency situations.
- Administrative security- Inclusive of user training and awareness; reporting of security problems and information security breach incidents; controls and risk assessment; outsourcing and third party contracts;
- Human Resource- Inclusive of a separate, but consequential Personnel Policy with alignment to relevant Data Privacy and Information Security principles and regulations, background checks, application and appointment procedures, qualifications and skills, Disciplinary Code and Protection of Personal Information agreements;
- Business Continuity Management- Inclusive of a separate, but consequential Business Continuation and Disaster Recovery Plan with contingency planning, testing of plans, identification and minimisation of business and Information Security risks.
5. Management intent
Against the background of the aforementioned, it is therefore the focused intent of the Company to incorporate all the applicable principles and regulations in this policy and to monitor and enforce compliance to its prescriptions by way of establishing the necessary mandated management and reporting structures to facilitate these outcomes.
In order to create effective and visible guidelines for the Company, its employees and any associated third party alliances or subcontractors, this policy has been specifically designed to meet the necessary compliance standards regarding the following aspects:
- Management of information security and data privacy within the structure of the Company;
- To manage and maintain the security of information and data processing facilities that are accessed, processed, communicated to, or managed by external parties;
- To ensure that all data and personal information receives an appropriate level of protection;
- To ensure that employees, contractors and third party users of the Company understand their responsibilities and are suitable for the roles they perform, or are considered for and to reduce the risk of theft, fraud or misuse of facilities;
- To ensure that employees, contractors and third party users of the Company are aware of personal information and data security, security threats and concerns their responsibilities and liabilities and are equipped to support the organisational Information Security policy of the Company in the course of their normal work and to reduce the risk of human error;
- To ensure that employees, contractors and third party users of the Company exit the employment or change employment in an orderly manner;
- To prevent unauthorised physical access and damage to, or interference with the premises, data or personal information related to the Company;
- To ensure the correct and secure operation of all data and information processing facilities within the Company;
- To implement and maintain the appropriate level of data and information security and service delivery agreements;
- To minimise the risk of system failures;
- To protect the integrity of software data and personal information;
- To maintain the integrity and availability of back-up of data, information and related processing facilities;
- To ensure the protection of data and personal information in any networks related to the Company, as well as protection of the supporting infrastructure;
- To prevent unauthorised disclosure, modification, removal or destruction of removable assets and media under the control of the Company;
- To ensure the security of electronic commerce services (where applicable) and their secure use within the Company;
- To detect unauthorised data and information processing activities within the Company;
- To ensure proper, authorised user access and to prevent unauthorised access and the compromise or theft of data and information of the Company;
- To prevent unauthorised user access and the compromise or theft of personal information or data from data / information processing facilities related to the operations and functions of the Company;
- To prevent unauthorised access to networked services if and when applicable;
- To prevent unauthorised access to the Company operating systems;
- To prevent unauthorised access to data and personal information held in any application systems within the Company;
- To ensure data and information security if and when mobile computing and teleworking facilities are employed by the Company;
- To ensure that security is an integral part of all relevant data and information systems in use by the Company;
- To prevent errors, loss, unauthorised modification or misuse of data and personal information in applications within the Company;
- To protect the confidentiality, authenticity or integrity of data and personal information within the Company by cryptographic means;
- To ensure the security of system files;
- To maintain the security of application software, data and information within the Company;
- To reduce risks resulting from exploitation of published technical vulnerabilities;
- To ensure that any breach in information and data security events and weaknesses associated with information systems within the Company are communicated in a manner allowing timely corrective action to be taken;
- To counteract interruptions to business activities and to protect critical business processes within the Company from the effects of major failures of data and information systems or disasters and to ensure their timely resumption;
- To avoid violations of any law, statutory, regulatory or contractual obligations and of any security requirements;
- To ensure compliance of systems used by the Company within its organisational security policies and standards; and
- To maximise the effectiveness of, and to minimise interference to or from the information and data systems audit process.
- Management Subscription
The management of the Company subscribes to the goals and principles of data and information security in line with relevant legislation and its business strategy and objectives.
The relationship of the Company with its personnel, clients and associates is based on mutual integrity and trust and it is therefore committed to maintaining this trust by protecting the privacy of personal information and data disclosed and received from any data subject or data owner at all times and to the best of its ability.
As part of this commitment, the Company will subscribe in all material respects to the following:
- Protection Of Personal Information Act 2013; Promotion of Access to Information Act 2000;
Generally Accepted Privacy Principles (G.A.P.P), consisting of the following:
- Management – the Company defines documents, communicates and assigns accountability for its privacy policies and procedures;
- Notice – the Company provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained and disclosed;
- Choice and Consent – the Company describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use and disclosure of personal information;
- Collection – the Company collects personal information only for the purposes identified in the notice;
- Use and Retention – the Company limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent and retains the information for only as long as necessary to fulfill the stated purposes
- Access – the Company provides individuals with convenient access to their personal information for review and updates;
- Disclosure (to third parties) – the Company discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual;
- Security (for privacy) – the Company protects personal information against unauthorised access (both physical and logical);
- Quality – the Company maintains accurate, complete and relevant personal information for the purposes identified in the notice;
- Monitoring and Enforcement – the Company monitors compliance with its Information Security policies and procedures and has procedures to address privacy-related complaints and disputes.
- Management Control and Enforcement
8.1. Information Officer and Deputy Information Officers
In order to comply with legislation and to facilitate and manage the outcomes of the declared intent of the management of the Company regarding this policy, the Information Officer for the Company will be the Managing Member or a duly authorised person of the Company according to the requirements as defined under Section 1 of the Protection Of Personal Information Act 2013 and read together with the prescriptions of Section 1 of the Promotion of Access to Information Act 2000.
The Information Officer will be duly registered with the Information Regulator as is required by the applicable legislation after its establishment and will report to the Senior Management, or Board of Directors of the Company as may be applicable.
The Company will also designate where necessary, an appropriate number of Deputy Information Officers as described under Section 56 of the Protection of Personal Information Act 2013, read together with the prescriptions of Section 17 of the Promotion of Access to Information Act 2000.
The Deputy Information Officers will also be duly registered with the Information Regulator after establishment as is required, reporting directly to the Information Officer of the Company and will in conjunction with the Information Officer.
The role and responsibilities of the Information Officer and by delegation also the Deputy Information Officer/(s), will be included in a formalised and documented job description for assessment and regulatory purposes and also to facilitate compliance to Section 55 of the Protection of Personal Information Act 2013.
The officers will perform in their respective capacities immediately after appointment, but will officially only take up their duties in terms of this Act after the establishment of the Information Regulator and their subsequent registration with the Regulator.
- Breach of Information Security Event
A breach of Information Security Event can be defined as “The actual or potential loss of personal data and/or any information that could lead to identity fraud or have any other significant impacts on individuals or the Company”
The prescriptions applicable to this matter will apply to all Company personnel and third party service providers under contract to the Company.
8.2.3. Identification of events/incidents
The following are common examples of events, which includes, but is not limited to:
- Loss or damage to paper based files containing classified or personal identifiable information;
- Loss of computer equipment due to crime or an individual’s carelessness;
- Loss of unencrypted computer media e.g. CD, data stick, laptop or other portable device;
- Corrupted data;
- Access to inappropriate websites in breach of policy;
- A computer virus;
- Successful hacking attack;
- Accessing a system or computer using someone else’s authorisation code, either fraudulently or by accident;
- Forced entry gained to a secure room/building housing classified information;
- Finding classified or confidential Company information outside Company premises;
- Finding Company paper or electronic records about identifiable individuals in any location outside of the Company premises;
- Discussing personnel or any other data subject’s personal information with someone else in an open area where the conversation can be overheard by outsiders;
- Personal identifiable information sent by insecure means/lost in transit (e.g. pay slips, HR records, financial statements, copies of i/d documents, etc.);
- Unauthorised copying of, or removal of personal identifiable information;
- A fax, e-mail or paper document with personal identifiable information sent to the incorrect recipient;
- Evidence of tampering/damage to data cabling between server and work stations or cabling not installed to acceptable industry safety standards;
- Unsecured handling of information storage systems/equipment during a period of disaster or serious damage to the housing complex due to e.g. fire, flooding, earthquake, sabotage, etc.
- Evidence of unauthorised cameras, monitoring devices, or listening equipment in the information processing facilities;
- Suspicious unaccompanied persons wandering around in information security areas;
- Allowing uncleared and/or un-identified third party I/T or other contractor personnel to work on information security systems of the Company;
- Evidence of unattended and unsecured information processing workstations not securely logged-off during the absence of the operator;
- Evidence of weak or no appropriate password management/log-on procedures;
- Any violation of related security protocols as prescribed by the Company Information Security Policy that can possibly lead to the loss of classified information.
- Reporting process
Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the Company is obliged under Section 22, subsection 1 of the Protection of Personal Information Act (pending) to notify the Regulator and also (subject to subsection 3 ) the data subject of the event/incident.
Under this policy all Company employees and third party contractors to the Company are obligated to report any breach, or suspected breach of information security immediately to the Company via a prescribed process.
The prescribed process for reporting any breach of information security event related to any personal information owned by, or under control of the Company, will be that any person that has any knowledge or evidence of such an occurrence will be obliged to make a written initial report regarding the incident immediately after acquiring the knowledge or evidence of the incident to the Information Officer, or in his/her absence, to any of the members of Management.
A compulsory Breach of Information Security Event Report must be fully completed by the person witnessing or discovering the incident immediately after the initial report and submitted to the Information Officer, or in his/her absence, to any of the members of Management.
(NB – A signed copy of this report must be retained as receipt by the person that submits the report.)
The Information Officer will be mandated to make a factual assessment of the incident in order to take whatever remedial steps necessary to contain the situation and also for the regulatory reporting of the incident to the Information Regulator, data subject and data owner where it is deemed to be appropriate and applicable.
No other employee or any third party contractor of the Company will have any mandate to decide on the merits, or applicability of any reports in this category, unless specifically authorised to this effect in writing by the senior management of the Company.
Any violation of this prescription will be addressed via the Disciplinary Code, or the Third Party Management prescriptions of the Company as is applicable.
Any employee that is found to be responsible for an event where a breach of information security occurs through negligence, or non-compliance to the Company’s policy prescriptions, or any person that has knowledge of such an occurrence and fails to report the incident for whatever reason, will be held fully accountable for the incident and subjected to the Disciplinary Code procedures of the Company.
The contractual agreements of external third party contractors to the Company will be subject to immediate suspension or termination in the sole discretion of the senior management of the Company, pending investigation and recommendations of the Information Officer of the Company.
In the event of a monetary loss to the Company as a direct result of the occurrence of the breach in Information Security, the responsible party, or parties in both instances may be held fully liable for the loss and any costs for recovery thereof in the sole discretion of the senior management of the Company.
The severity of any disciplinary or other enforcement action taken by the Company will vary based on factors considered relevant by the Information Officer, including but not limited to:
- The sensitivity of the personal data disclosed or used in violation of this policy;
- The number of parties impacted by the violation of this policy;
- The duration of the improper disclosure or unauthorised use;
- Prior improper disclosure or use of personal information by any applicable accountable party;
- Whether the violation or neglect was inadvertent or the result of inadequate training, or supervision.
NOTE: Where the Information Officer believes that the conduct may constitute a violation of any applicable law, rule, or regulation, the conduct may be disclosed to appropriate law enforcement and regulatory authorities.
- Implementation Guidelines
8.3.1 Training & Dissemination of Information
This Policy has been put in place throughout the Company, training on the Policy and POPIA will
take place with all affected employees.
All new employees will be made aware at induction, or through training programmes, of their
responsibilities under the terms of this Policy and POPI.
Modifications and updates to data protection and information sharing policies, legislation, or
guidelines will be brought to the attention of all staff.
8.3.2 Employee Contracts
Each new employee will sign an Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure
Each employee currently employed within the Company will sign an addendum to their Employment Contract containing the relevant consent clauses for the use and storage of employee information, and a confidentiality undertaking as part and will be personally responsible for ensuring there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.
8.3.3. Eight Processing Conditions
POPI is implemented by abiding by eight processing conditions. The Company shall abide by these principles in all its possessing activities.
The Company shall ensure that all processing conditions, as set out in POPI, are complied with when determining the purpose and means of processing Personal Information and during the processing itself. The Company shall remain liable for compliance with these conditions, even if it has outsourced its processing activities.
- Processing Limitation
- Lawful grounds
The processing of Personal Information is only lawful if, given the purpose of processing, the information is adequate, relevant and not excessive.
The Company may only process Personal Information if one of the following grounds of lawful processing exists:
- The Data Subject consents to the processing;
- Processing is necessary for the conclusion or performance of a contract with the Data Subject;
- Processing complies with a legal responsibility imposed on the Company;
- Processing protects a legitimate interest of the Data Subject;
- Processing is necessary for pursuance of a legitimate interest of the Company, or a third party to whom the information is supplied;
Special Personal Information includes:
- Religious, philosophical, or political beliefs;
- Race or ethnic origin;
- Trade union membership;
- Health or sex life;
- Biometric information (including blood type, fingerprints, DNA, retinal scanning, voice recognition, photographs);
- Criminal behaviour;
- Information concerning a child.
The Company may only process Special Personal Information under the following circumstances:
- The Data Subject has consented to such processing;
- The Special Personal Information was deliberately made public by the Data Subject;
- Processing is necessary for the establishment of a right or defence in law;
- Processing is for historical, statistical, or research reasons
- If processing of race or ethnic origin is in order to comply with affirmative action laws
All Data Subjects have the right to refuse or withdraw their consent to the processing of their Personal Information, and a Data Subject may object, at any time, to the processing of their Personal Information on any of the above grounds, unless legislation provides for such processing. If the Data subject withdraws consent or objects to processing then the Company shall forthwith refrain from processing the Personal Information.
- Collection directly from the Data Subject
Personal Information must be collected directly from the Data Subject, unless:
- Personal Information is contained in a public record;
- Personal Information has been deliberately made public by the Data Subject;
- Personal Information is collected from another source with the Data Subject’s consent;
- Collection of Personal Information from another source would not prejudice the Data Subject;
- Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;
- Collection from the Data Subject would prejudice the lawful purpose of collection;
- Collection from the Data Subject is not reasonably practicable.
184.108.40.206. Purpose Specification
The Company shall only process Personal Information for the specific purposes as set out and defined above at paragraph 5.1.
- Further Processing
New processing activity must be compatible with original purpose of processing. Further processing will be regarded as compatible with the purpose of collection if:
- Data Subject has consented to the further processing;
- Personal Information is contained in a public record;
- Personal Information has been deliberately made public by the Data Subject;
- Further processing is necessary to maintain, comply with or exercise any law or legal right;
- Further processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party
220.127.116.11. Information Quality
The Company shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and updated. The Company shall periodically review Data Subject records to ensure that the Personal Information is still valid and correct.
Employees should as far as reasonably practicable follow the following guidance when collecting
- Personal Information should be dated when received;
- A record should be kept of where the Personal Information was obtained;
- Changed to information records should be dated;
- Irrelevant or unneeded Personal Information should be deleted or destroyed;
- Personal Information should be stored securely, either on a secure electronic database or in a secure physical filing system.
The Company shall take reasonable steps to ensure that the Data Subject is made aware of:
- What Personal Information is collected, and the source of the information;
- The purpose of collection and processing;
- Where the supply of Personal Information is voluntary or mandatory, and the consequences of a failure to provide such information;
- Whether collection is in terms of any law requiring such collection;
- Whether the Personal Information shall be shared with any third party.
18.104.22.168. Data Subject Participation
Data Subjects have the right to request access to, amendment, or deletion of their Personal Information.
All such requests must be submitted in writing to the Information Officer. Unless there are grounds for refusal as set out in paragraph 6.2, above, the Company shall disclose the requested Personal Information:
- On receipt of adequate proof of identity from the Data Subject, or requester;
- Within a reasonable time;
- On receipt of the prescribed fee, if any;
- In a reasonable format
The Company shall not disclose any Personal Information to any party unless the identity of the requester has been verified.
22.214.171.124. Security Safeguards
The Company shall ensure the integrity and confidentiality of all Personal Information in its possession, by taking reasonable steps to:
- Identify all reasonably foreseeable risks to information security;
- Establish and maintain appropriate safeguards against such risks;
- Written records
- Personal Information records should be kept in locked cabinets, or safes;
- When in use Personal Information records should not be left unattended in areas where non-staff members may access them;
- The Company shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;
- Personal Information which is no longer required should be disposed of by shredding.
Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.
- Electronic Records
- All electronically held Personal Information must be saved in a secure database;
- As far as reasonably practicable, no Personal Information should be saved on individual computers, laptops or hand-held devices;
- All computers, laptops and hand-held devices should be access protected with a password, fingerprint or retina scan, with the password being of reasonable complexity and changed frequently;
- The Company shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day;
- Electronic Personal Information which is no longer required must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.
Any loss or theft of computers, laptops or other devices which may contain Personal Information must be immediately reported to the Information Officer, who shall notify the IT department, who shall take all necessary steps to remotely delete the information, if possible.
8.4. Direct Marketing
All Direct Marketing communications shall contain the Company’s details, and an address or method for the customer to opt-out of receiving further marketing communication.
8.4.1. Existing Customers
Direct Marketing by electronic means to existing customers is only permitted:
- If the customer’s details were obtained in the context of a sale or service; and
- For the purpose of marketing the same or similar products;
The customer must be given the opportunity to opt-out of receiving direct marketing on each occasion of direct marketing.
The Company may send electronic Direct Marketing communication to Data Subjects who have consented to receiving it. The Company may approach a Data Subject for consent only once.
8.4.3. Record Keeping
The Company shall keep record of:
- Date of consent
- Wording of the consent
- Who obtained the consent
- Proof of opportunity to opt-out on each marketing contact
- Record of opt-outs
8.5. Destruction of Documents
Documents may be destroyed after the termination of the retention period specified herein, or as determined by the Company from time to time.
Each department is responsible for attending to the destruction of its documents and electronic records, which must be done on a regular basis. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents must be returned to the holder thereof, failing which, they should be retained by the Company pending such return.
The documents must made available for collection by the Shred-It, or other approved document disposal company.
Deletion of electronic records must be done in consultation with the IT Department, to ensure that deleted information is incapable of being reconstructed and/or recovered.
9. Third Party Management
All third party agreements with the Company will make provision for the clauses and conditions necessary for these parties to comply with the information security requirements in terms of this Policy and the remedial procedures to enforce these requirements.
The strict compliance of third parties to the conditions contained in the relevant agreements will be monitored by the Information Officer or delegated Deputy Information Officer/(s) of the Company as part of their job description and any violations reported to the Management Team for assessment and remedial actions where appropriate.
10. Actual or Planned Transborder Flows of Personal Information
Personal Information may be transmitted transborder to the Company’s authorised dealers and its suppliers in other countries, and Personal Information may be stored in data servers hosted outside South Africa, which may not have adequate data protection laws. The Company will endeavour to ensure that its dealers and suppliers will make all reasonable efforts to secure said data and Personal Information.
11. Dealing with the Public Media
Only Senior Management or designated representatives of the Company will be authorised to make any presentation, comment, statement or direct contact with the public media regarding any matter whatsoever regarding any Information Security incident, client information or any business issues directly related to the organisation and/or its operations.
Any employee, contractor, or associated third party that is found in violation of this ruling will be subjected to the applicable sanctions in accordance with the Company Disciplinary Code and/or any other related policy governance as may be applicable.
12. Terms and Definitions
Asset – anything that has value to the organisation.
Biometrics – means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.
Consent – means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.
Control – means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of administrative, technical, management, or legal nature (note: Control is also used as a synonym for safeguard or counter measure).
Data Controller – a mandated individual who decides on the manner and purpose for which personal information is processed.
Data owner –for the purposes of this document, means the owner of personal information or data obtained by implicit or explicit consent of an individual (i.e. banking institutions).
Data Privacy – for the purposes of this document, data privacy is the act of securing personal data within an organisation by following good practice security procedures and implementing controls in order to confirm that personal data is secure.
Data Subject – the person or persons about whom personal information is collected, stored or processed.
Disclosure – in general terms personal information is disclosed when it is released to parties outside the organisation. (It does not include giving individuals information about themselves).
Guideline – a description that clarifies what should be done and how, to achieve the objectives set out in policies.
Information Officer – (of a private body) means the head or duly authorised person of a private body as contemplated in sec.1 of the Promotion of Access to Information Act 2000.
Information processing facilities – any information processing system, service or infrastructure, or the physical locations housing them.
Information security – preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation, and reliability can also be involved.
Information security event – means an identified occurrence of a system, service or network that is indicating a possible breach of information security policy prescription, or failure of safeguards, or a previously unknown situation that may be security relevant.
Information security incident – an information security incident is indicated by a single or series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security.
Legal Entity – for the purposes of this document, the term legal entity is applied to any organisation within the same ownership chain as an organisation who processes a data owners’ personal information and may include joint ventures(consolidated or unconsolidated), parent companies or any other organisation contracted by the data owner. All direct legal entities are required to adhere to the data owners’ requirements for data privacy and information security.
Media – any means of containment of data and information by way of, i.e. written documentation, CD, DVD, audio, visual recording, computerized filing, etc. – in context also referring to public news reporting entities, i.e. news papers, radio and television reporters or representatives.
Personal Information – for the purposes of this document and in line with pending South African legislation, personal information means information relating to an identifiable, living, natural person and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views, expressions or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
[All of the above is inclusive of information related to next of kin and information that is recorded in electronic formats (e.g. in databases, Word documents, Excel spreadsheets, E-mail, CCTV and voice recordings, etc.) and all information about the person recorded in structured hard copy filing systems (e.g. Personnel files).]
Policy – overall intention and direction as formally expressed by management.
Processing/Data Processing –any operation or set of operations which is performed upon personal information, whether or not by automatic means, such as collection, recording, organising, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Production Data – data that is used and/or produced during the normal day-to-day operations in the organisation.
Regulator –means the Information Regulator established in terms of sec.39 of the Protection of Personal Information Act.(pending).
Responsible party – means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Risk – combination of the probability of an event and its consequence.
Risk analysis – systematic use of information to identify sources and to estimate the risk. Risk assessment – overall process of risk analysis and risk evaluation.
Risk evaluation – process of comparing the estimated risk against given risk criteria to determine the significance of the risk.
Risk management – coordinated activities to direct and control an organisation with regard to risk (note: risk management typically includes risk assessment, risk treatment, risk acceptance and risk communication).
Risk treatment – process of selection and implementation of measures to modify and reduce risk.
Sanitation – for the purposes of this document, sanitation is the process of removing all traces of a data subject- or owner’s personal information from hard drives and other data storage media, before such equipment is exchanged, sold, discarded, passed to a new user or used for non-company purposes.
Test Data – data that is specifically recorded for test purposes and is not used for day-to-day operations within the organisation.
Third party/Subcontractor – any entity, whether an individual or a company, who is not part of a responsible party’s organisational structure, but works with the responsible party, or processes personal information on the responsible party’s behalf.
Threat – a potential cause of an unwanted incident, which may result in harm to a system or organisation.
Vulnerability – a weakness of an asset or group of assets that can be exploited by one or more threats.
13. Detailed Description of Key Aspects Incorporated in this Policy
The key aspects incorporated in this policy are also core-implementation elements and it is therefore crucial that its eventual implementation will be necessary for the maximum enhancement of the effectiveness and execution of the policy.
- Revision of the Policy
The policy will be reviewed every 3 (three) years to address any changes in the technical domain, or applicable legislation.
In the event of any critical interim developments regarding the above, immediate revision and adaption will be implemented as soon as reasonably possible and the revised documentation circulated and explained to all relevant parties through the Company’s awareness programs and/or information sessions.
The revision history index of the Policy will then also be updated accordingly.
- Related Legislation, Policies, Documentation and Agreements
- Protection of Personal Information Act 2013;
- Promotion of Access to Information Act. 2000;
- Companies Act No. 7 of 2008;
- Company Personnel Policy and Disciplinary Code;
- Company Confidentiality agreements: Employees, Third Parties and Contractors;
- Company Protection of Personal Information Agreements: Employees, Third Parties and contractors;
- Company Third Party Service- and Service Level Agreements;
ROBERT BRUCE MORDAUNT