1. Policy Statement
- The purpose of this Policy is to record the Company’s policies and undertakings with regard to the protection of Personal Information and to ensure that the Company has identified and addressed all of the compliance risks associated with the relevant Data Protection Legislation.
- This Policy specifically aims to address at least the following:
- The compromising and breach of ICT Systems, security safeguards and confidentiality;
- Consents and the Company’s Processing limitations with respect to Personal Information;
- The storage and safekeeping of Personal Information;
- The processes relating to the sharing and disclosure of Client’s Personal Information to third parties;
- To ensure the development and implementation of best practices and internal control measures to address the compliance risk associated with the protection of Personal Information;
- This Policy is a demonstration of the Company’s commitment to protecting its Clients’ Personal Information in accordance with the Act.
- This Policy will have application to all Personal Information supplied by a Client to the Company for purposes of rendering the Services to such Client and will continue to endure for the same period of the Service Agreement / Mandate.
- The Company is obliged, in terms of the Act, to comply with the provisions of the Act whenever Personal Information is Processed and entered into a Record by a Responsible Party domiciled within the Republic of South Africa.
- Accordingly, the Policy will apply to the Company, its managing partners, all branches, divisions and / or units of the Company, the Company’s employees, contractors, suppliers or service providers.
- The Policy must be read in conjunction with the Act and other Data Protection Legislation (to the extent applicable to the Company) and PAIA.
- The Company subscribes to the Protection of Personal Information Act Principles and will:
- Obtain and process your information fairly.
- Keep your information only for one or more specified, explicit, and lawful purposes.
- Use and disclose your information only in ways compatible with these purposes.
- Keep your information safe and secure.
- Keep your information accurate, complete, and up to date.
- Ensure that your information is adequate, relevant, and not excessive.
- Retain your information for no longer than is necessary for the purpose or purposes.
- Provide a copy of your personal data kept to you on request.
3. Conditions for Protecting Personal Information
The Company and all persons to whom this Policy finds application (refer clause 2 above), will adhere to the following principles and conditions, imposed by the Act, in relation to the protection of Clients’ Personal Information:
- The Company will develop and implement internal structures and mechanisms to ensure that all of the provisions of the Act and this Policy are complied with by all its employees, contractors, suppliers or service providers during and after the Processing of Personal Information.
- Processing Limitation
- The Company will further ensure that the Processing of Personal Information from Clients is specific to its scope of Service(s), and that the Processing of Personal Information is fair, lawful and non-excessive.
- The Company undertakes to inform the Client / Data Subject of the reasons for collecting his / her / its Personal Information and to obtain written consent prior to Processing such Personal Information. The Company and its employees will not disclose the Personal Information of a Client without such Client’s prior written consent being obtained (refer Schedule 2 annexed to this Policy).
- Alternatively, where Services are rendered over the telephone or electronic video feed, the Company will maintain a voice recording of the stated purpose for collecting the Personal Information followed by the Client / Data Subject’s subsequent consent.
- The Company will not distribute a Client / Data Subject’s Personal Information to any other persons who are not directly involved with facilitating the purpose for which the Personal Information was originally Processed by the Company.
- Purpose Specification
- The Company will ensure that Personal Information is collected solely for the purpose of rendering the Services to a Client, in terms of its Service Agreement / Mandate. The organisation will inform data subjects of these reasons prior to Processing the Client’s Personal Information.
- Further Processing Limitation
- Personal Information will not be processed for a secondary purpose or reason unless such further processing is necessary for the fulfilment of the Services to the Client / Data Subject.
- Information Quality
- The Company will ensure that employees are trained and competent to ensure that all Personal Information collected and Processed is complete, accurate and not misleading. However, Clients are ultimately responsible for the accuracy and the correctness of the data and Personal Information they convey to and provide the Company with.
- Where Personal Information is collected and Processed from third parties, the Company will take reasonable steps to confirm that the data and Personal Information is correct by verifying the accuracy of the data and Personal Information directly with the Client or by way of independent sources.
- Open Communication
- The Company will take reasonable steps to ensure that Clients are notified (and are made aware at all times) that their Personal Information is being Processed.
- The organisation will ensure that it establishes and maintains a ‘contact us’ facility, on its website or through an electronic helpdesk, for Clients who have queries in relation to their Personal Information.
- Security Safeguards – General
- The Company will manage the security of its Filing Systems (including ICT Systems) to ensure that the Personal Information of Clients is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.
- The Company will continuously review its security protocols which will include regular testing of Filing Systems (including ICT Systems) and measures put in place to combat cyber-attacks on the Company’s ICT Systems.
- Internal Access to Client’s Personal Information
- Access to a Client’s Personal Information is limited to essential employees that are required to access the Company’s Systems for purposes of rendering the Service(s) to the Client or maintenance purposes.
- With respect to employees, contractors and service providers, the Company conducts background checks, which may include a criminal record check and a credit check, on all employees and contractors before they are hired.
- Employees who retire, transfer from any internal department, resign etc. are removed immediately from mailing lists and access control lists.
- All employees will be required to sign employment contracts (or addendums to existing employment agreements) containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of Client’s Personal Information for which the Company is responsible.
- Physical Access to Company’s Systems and Records
- The Company will ensure that all paper and electronic Records comprising Personal Information are securely stored and made accessible only to authorised individuals.
- The Company employs physical safety measures such as gated security, keycard entry, a receptionist to identify and welcome anyone who does not have access, and office park CCTV. These access records and procedures are reviewed by management regularly.
- The Company has an up-to-date Software and Technology Usage Policy in relation to the use of any of the Company’s ICT Systems, office technology and software (e.g. telephone, mobile phone, fax, email, internet, intranet, and remote access, etc.) by its staff. This policy is understood and signed by each Employee.
- Under no circumstances may an employee or partner of the Company download a copy of any database without the express written permission of the managing partners of the Company, together with the express permission of the Client (whose Personal Information may be affected), detailing the requirement, why such download is necessary and what the intended usage of such data will be.
- Databases and Hosting
- All ICT Systems are reviewed on an ongoing basis to identify possible weaknesses or new vulnerabilities. ICT System event and system logs are reviewed weekly to identify possible intrusion attempts.
- The Company’s database is located and controlled in South Africa. All data saved to the database is only accessible from South African IP Addresses. All backups are stored on a different server to the database server, and in a separate location.
- Should a Client / Data Subject be identified as affected by a virus, by any means (electronic notification, email submission or otherwise), the Client will be informed that the security of his / her / its Personal Information may have been jeopardised.
- Data Subject Participation
- A Client / Data Subject may request the correction or deletion of his, her or its personal information held by the organisation.
- The Company will ensure that it provides a facility for Clients / Data Subjects who want to request the correction or deletion of their personal information.
4. Types of personal information we collect
- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, age, physical or mental health, well-being, disability, language, and birth.
- Information relating to the education, medical, financial, criminal or employment history.
- Identifying number, name, symbol, e-mail address, physical address, telephone number, location information.
- Biometric information (employees).
- Correspondence sent/received that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- We also collect and store any relevant communication e.g. emails, meeting notes etc.
5. Information sources
- We may also supplement the information you have provided with information we receive from other providers like Astute, Google searches, sanction list information requests, independent FICA verification agencies and Insurers to offer a more efficient, consistent and personalised experience.
6. Using personal information
- Administering our relationship with you (including communications and reporting);
- Marketing and explaining our products and services;
- Providing a product / service to you;
- As part of employee on-boarding or any other internal human resources functions;
- Conducting credit reference searches or verification;
- Confirming, verifying, and updating contact details;
- For the detection and prevention of fraud, crime, money laundering or other malpractice;
- For audit and record keeping purposes;
- In connection with legal proceedings;
- To carry out the services you have requested and to maintain and constantly improve our relationship with you;
- Providing communications in respect of FSP NAME and regulatory matters that may affect you;
- In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law for example to comply with the Financial Intelligence Centre Act requirement to report cash- and suspicious transactions or transactions involving terrorist property;
- To carry out the transaction(s) requested;
- For underwriting purposes;
- Assessing and processing claims;
- For purposes of claims history; and / or
- Conducting market or customer satisfaction research.
7. Sharing personal information
- We will disclose your personal information to service providers and affiliates for business purposes, e.g. to facilitate transactions.
- We have a mutual understanding with all our service providers with regards to the protection of Personal Information.
- Due to the nature of our infrastructure, information may also be shared with:
- Microsoft Corporation
8. Sending personal information to foreign countries
- Some of the service providers that we use are located in other countries, for example our cloud storage service providers are located in the European Union. If we send information to anyone who is located in a country that does not have the same level of protection of personal information as South Africa or the European Union, we require that they undertake to protect the personal information of our customers to the same level that we do.
- We provide for appropriate safeguards by means of contracts between us and our foreign service providers.
9. Monitoring of communications
- We record and monitor telephone conversations and electronic communications with you for the purposes of (i) ascertaining the details of instructions given, the terms on which any transaction was executed or any other relevant circumstances, (ii) ensuring compliance with our regulatory obligations; and / or (iii) detecting and preventing the commission of financial crime.
- We have implemented appropriate technical measures to prevent data breaches and have taken reasonable steps to minimise the impact of a breach.
- We regularly monitor our systems for possible vulnerabilities and security breaches, but no system is perfect and we cannot guarantee that we will never experience a breach of any of our physical, technical or managerial safeguards. If something should happen, we have taken steps to minimise the threat to your privacy. We will let you know of any breaches which affect your personal information and inform you how you can help minimise the impact.