The following control measures will be the responsibility of Hendre Vorster, who will be the Risk owner as well as the Control owner:

  • Annual Review

  • Information Officer

  • Deputy Information Officer

  • POPI Audit

  • POPI Awareness Training

POLICY STATEMENT:

  • This policy forms part of Jonker Vorster’s Privacy Policy.

  • Any reference to “Jonker Vorster” shall be interpreted to include the Directors, its employees, volunteers, contractors, suppliers, and any other persons acting on behalf of Jonker Vorster Inc. and will be required to familiarise themselves with the policy’s requirements and undertake to comply with the stated processes and procedures.

  • Risk owners and control owners are responsible for overseeing and maintaining control procedures and activities.

1.       INTRODUCTION

 

  • The right to privacy is an integral human right recognised and protected in the South African Constitution and the Protection of Personal Information Act 4 of 2013 (“POPI”).

  • POPI aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.

  • Through the provision of quality professional services, Jonker Vorster Inc. is necessarily involved in the collection, use and disclosure of certain aspects of personal information of clients, customers, employees, and other stakeholders.

  • A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.

  • Given the importance of privacy, Jonker Vorster Inc. is committed to effectively managing personal information in accordance with POPI’s provisions.

2.       DEFINITIONS

 

2.1     Personal Information

Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:

  • race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;

  • information relating to the education or the medical, financial, criminal or employment history of the person;

  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

  • the biometric information of the person;

  • the personal opinions, views or preferences of the person;

  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further  correspondence that would reveal the contents of the original correspondence;

  • the views or opinions of another individual about the person;

  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

2.2     Data Subject

          This refers to the natural or juristic person to whom personal information relates, such as an individual                    client, customer or a company that supplies Jonker Vorster Inc. with a mandate to represent them in any                matter.

2.3     Responsible Party

          The responsible party is the entity that needs the personal information for a particular reason and                            determines the purpose of and means for processing the personal information. In this case, Jonker Vorster            Inc. is the responsible party.

2.4     Operator

          An operator means a person who processes personal information for a responsible party in terms of a                    contract or mandate, without coming under the direct authority of that party, for example, a third-party                  service provider that has contracted with Jonker Vorster Inc. to shred documents containing personal                      information. When dealing with an operator, it is considered good practice for a responsible party to                      include an indemnity clause.

2.5     Information Officer

          The Information Officer is responsible for ensuring Jonker Vorster’s compliance with POPI.

          Where no Information Officer is appointed, the Managing Director of Jonker Vorster Inc. will be                              responsible for performing the Information Officer’s duties.

          Once appointed, the Information Officer must be registered with the South African Information Regulator              established under POPI prior to performing his or her duties. Deputy Information Officers can also be                    appointed to assist the Information Officer.

2.6     Processing

          The act of processing information includes any activity or any set of operations, whether or not by                          automatic means, concerning personal information and includes:

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

  • dissemination by means of transmission, distribution or making available in any other form; or

  • merging, linking, as well as any restriction, degradation, erasure, or destruction of information.

2.7     Record

          Means any recorded information, regardless of form or medium, including:

  • Writing on any material;

  • Information produced, recorded or stored by means of any recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

  • Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

  • Book, map, plan, graph or drawing;

  • Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced

2.8     Filing System

  Means any structured set of personal information, whether centralised, decentralised or dispersed on a          functional or geographical basis, which is accessible according to specific criteria.

2.9     Unique Identifier

          Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes              of the operations of that responsible party and that uniquely identifies that data subject in relation to that              responsible party.

2.10    De-Identify

           This means to delete any information that identifies a data subject, or which can be used by a reasonably               foreseeable method to identify, or when linked to other information, that identifies the data subject.

2.11    Re-Identify

            In relation to personal information of a data subject, means to resurrect any information that has been                    de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable              method to identify the data subject.

2.12     Consent

            Means any voluntary, specific, and informed expression of will in terms of which permission is given for                  the processing of personal information.

2.13     Direct Marketing

            Means to approach a data subject, either in person or by mail or electronic communication, for the direct              or indirect purpose of:

  • Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

  • Requesting the data subject to donate any kind for any reason.

2.14   Biometrics

          Means a technique of personal identification that is based on physical, physiological or behavioural                        characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice                              recognition.

 

3.       POLICY PURPOSE

 

3.1     The purpose of this policy is to protect Jonker Vorster Inc. from the compliance risks associated with the                protection of personal information which includes:

  • Breaches of confidentiality - for instance, Jonker Vorster Inc. could suffer loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately.

  • Failing to offer choice - for instance, all data subjects should be free to choose how and for what purpose Jonker Vorster Inc. uses information relating to them.

  • Reputational damage - for instance, Jonker Vorster Inc. could suffer a decline in shareholder value following an adverse event such as a computer hacker deleting the personal information from legal files held by Jonker Vorster Inc.

3.2     This policy demonstrates Jonker Vorster Inc’s commitment to protecting the privacy rights of data subjects            in the following manner:

  • Through stating desired behaviour and directing compliance with the provisions of POPI and best practice.

  • By cultivating an organisational culture that recognises privacy as a valuable human right.

  • By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.

  • By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of Jonker Vorster Inc.

  • By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary, Deputy Information Officers to protect the interests of Jonker Vorster Inc. and data subjects.

  • By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.

 

4.       POLICY APPLICATION

 

         This policy and its guiding principles applies to:

  • Jonker Vorster Inc’s board of directors.

  • All branches, business units and divisions of Jonker Vorster Inc.

  • All employees and volunteers.

  • All contractors, suppliers and other persons acting on behalf of Jonker Vorster Inc.

The policy’s guiding principles find application in all situations and must be read in conjunction with POPI as well as Jonker Vorster Inc’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).

 

The legal duty to comply with POPI’s provisions is activated in any situation where there is:

  • A processing of

  • Personal information.

  • Entered into a record.

  • By or for a responsible person.

  • Who is domiciled in South-Africa.

 

POPI does not apply in situations where the processing of personal information:

  • is concluded in the course of purely personal or household activities, or

  • where the personal information has been de-identified.

 

5.       RIGHTS OF DATA SUBJECTS

 

          Where appropriate, Jonker Vorster Inc. will ensure that its clients and customers are made aware of the                  rights conferred upon them as data subjects. Jonker Vorster Inc. will ensure that it gives effect to the                      following seven rights.

 

5.1     The Right to Access Personal Information

          Jonker Vorster Inc. recognises that a data subject has the right to establish whether Jonker Vorster Inc.                  holds personal information related to him, her or it includes the right to request access to that personal                  information. An example of a “Personal Information Request Form” can be found under Annexure “A”.

 

5.2     The Right to have Personal Information Corrected or Deleted

          The data subject has the right to request, where necessary, that his, her or its personal information must                 be corrected or deleted where Jonker Vorster Inc. is no longer authorised to retain the personal                               information.

 

5.3     The Right to Object to the Processing of Personal Information

          The data subject has the right, on reasonable grounds, to object to the processing of his, her or its                          personal information. In such circumstances, Jonker Vorster Inc. will give due consideration to the request              and the requirements of POPI. Jonker Vorster Inc. may cease to use or disclose the data subject’s personal            information and may, subject to any statutory and contractual record keeping requirements, also approve              the destruction of the personal information.

 

5.4     The Right to Object to Direct Marketing

          The data subject has the right to object to the processing of his, her or its personal information for                          purposes of direct marketing by means of unsolicited electronic communications.

 

5.5     The Right to Complain to the Information Regulator

          The data subject has the right to submit a complaint to the Information Regulator regarding an alleged                  infringement of any of the rights protected under POPI and to institute civil proceedings regarding the                  alleged non-compliance with the protection of his, her or its personal information. An example of a “POPI            Complaint Form” can be found under Annexure “B”.

 

5.6     The Right to be Informed

          The data subject has the right to be notified that his, her or its personal information is being collected by              Jonker Vorster Inc. The data subject also has the right to be notified in any situation where Jonker Vorster              Inc. has reasonable grounds to believe that the personal information of the data subject has been                          accessed or acquired by an unauthorised person.

 

6.       GENERAL GUIDING PRINCIPLES

 

          All employees and persons acting on behalf of Jonker Vorster Inc. will always be subject to, and act in                    accordance with, the following guiding principles:

 

6.1     Accountability

 Failing to comply with POPI could potentially damage Jonker Vorster Inc’s reputation or expose Jonker   Vorster to a civil claim for damages. The protection of personal information is therefore everybody’s   responsibility. Jonker Vorster Inc’s will ensure that the provisions of POPI and the guiding principles   outlined in this policy are complied with through the encouragement of desired behaviour. However,   Jonker Vorster Inc. will take appropriate sanctions, which may include disciplinary action, against those   individuals who through their intentional or negligent actions and/or omissions fail to comply with the   principles and responsibilities outlined in this policy.

 

6.2     Processing Limitation

 Jonker Vorster Inc. will ensure that personal information under its control is processed:

  • in a fair, lawful and non-excessive manner, and

  • only with the informed consent of the data subject, and

  • only for a specifically defined purpose.

  • Jonker Vorster Inc. will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information.

  • Alternatively, where services or transactions are concluded over the telephone or electronic video feed, Jonker Vorster Inc. will maintain a voice recording of the stated purpose for collecting the personal information followed by the data subject’s subsequent consent.

  • Jonker Vorster Inc. will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.

  • Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other linked entities of Jonker Vorster Inc. business and be provided with the reasons for doing so.

  • An example of a “POPI Notice and Consent Form” can be found under “Annexure C”.

 

6.3     Purpose Specification

  All Jonker Vorster Inc.’s business units and operations must be informed by the principle of transparency.      Jonker Vorster Inc. will process personal information only for specific, explicitly defined, and legitimate          reasons. Jonker Vorster Inc. will inform data subjects of these reasons prior to collecting or recording the      data subject’s personal information.

 

6.4     Further Processing Limitation

          Personal information will not be processed for a secondary purpose unless that processing is compatible              with the original purpose. Therefore, where Jonker Vorster Inc. seeks to process personal information, it                holds for a purpose other than the original purpose for which it was originally collected, and where this                  secondary purpose is not compatible with the original purpose, Jonker Vorster Inc. will first obtain                          additional consent from the data subject.

 

6.5     Information Quality

 Jonker Vorster Inc. will take reasonable steps to ensure that all personal information collected is complete,   accurate and not misleading. The more important it is that the personal information be accurate (for   example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the   effort Jonker Vorster Inc. will put into ensuring its accuracy.Where personal information is collected or   received from third parties, Jonker Vorster Inc. will take reasonable steps to confirm that the information is   correct by verifying the accuracy of the information directly with the data subject or by way of independent   sources.

 

 

6.6     Open Communication

 Jonker Vorster Inc. will take reasonable steps to ensure that data subjects are notified (are always aware)   that their personal information is being collected including the purpose for which it is being collected and   processed.

 Jonker Vorster Inc. will ensure that it establishes and maintains a “contact us” facility, for instance via its   website or through an electronic helpdesk, for data subjects who want to

  • Enquire whether Jonker Vorster Inc. holds related personal information, or

  • Request access to related personal information, or

  • Request Jonker Vorster Inc. to update or correct related personal information, or

  • Make a complaint concerning the processing of personal information.

 

6.7     Security Safeguards

 Jonker Vorster Inc. will manage the security of its filing system to ensure that personal information is   adequately protected. To this end, security controls will be implemented in order to minimise the risk of   loss, unauthorised access, disclosure, interference, modification or destruction.

 Security measures also need to be applied in a context-sensitive manner - for example, the more sensitive   the personal information, such as medical information or credit card details, the greater the security   required. Jonker Vorster Inc. will continuously review its security controls which will include regular testing   of protocols and measures put in place to combat cyber-attacks on Jonker Vorster Inc. IT network. Jonker   Vorster Inc. will ensure that all paper and electronic records comprising personal information are securely   stored and made accessible only to authorised individuals. All new employees will be required to sign   employment contracts containing contractual terms for the use and storage of employee information.   Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal   information for which Jonker Vorster Inc. is responsible. All existing employees will, after the required   consultation process has been followed, be required to sign an addendum to their employment containing   the relevant consent and confidentiality clauses. Jonker Vorster Inc. operators and third-party service   providers will be required to enter into service level agreements with Jonker Vorster Inc. where both   parties pledge their mutual commitment to POPI and the lawful processing of any personal information   pursuant to the agreement.

 

 An example of “Employee Consent and Confidentiality Clause” for inclusion in Jonker Vorster Inc.   employment contracts can be found under “Annexure D”.

 

 An example of an “Service Level Agreement Confidentiality Clause” for inclusion in Jonker Vorster Inc.   Service Level Agreements can be found under “Annexure E”.

 6.8     Data Subject Participation

           A data subject may request the correction or deletion of his, her or its personal information held by                         Jonker Vorster Inc. Jonker Vorster Inc. will ensure that it provides a facility for data subjects who want to                request   the correction or deletion of their personal information. Where applicable, Jonker Vorster Inc.                  will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

7.       INFORMATION OFFICERS

 

 Jonker Vorster Inc. appointed an Information Officer and where necessary, a Deputy Information Officer to   assist the Information Officer. Jonker Vorster Inc.’s Information Officer is responsible for ensuring   compliance with POPI. There are no legal requirements under POPI for an organisation to appoint an   Information Officer. Appointing an Information Officer is however, considered to be a good business   practice, particularly within larger organisations. Where no Information Officer is available, the Managing   Director of Jonker Vorster Inc.will assume the role of the Information Officer. Consideration will be given on   an annual basis to the re-appointment or replacement of the Information Officer and the reappointment or   replacement of any Deputy Information Officers. Jonker Vorster Inc. registered the Information Officer with   the South African Information Regulator established under POPI prior to performing her duties.

8.       SPECIFIC DUTIES AND RESPONSIBILITIES

 

8.1     Board of Directors

 Jonker Vorster Inc’s Board of Directors cannot delegate its accountability and is ultimately answerable for   ensuring that Jonker Vorster Inc. meets its legal obligations in terms of POPI. The Board of Directors may   however delegate some of its responsibilities in terms of POPI to management or other capable   individuals.

 

The Board of Directors is responsible for ensuring that:

 

  • Jonker Vorster Inc. appoints an Information Officer, and if necessary, a Deputy Information Officer.

  • All persons responsible for the processing of personal information on behalf of Jonker Vorster Inc. are appropriately trained and supervised to do so,

  • understand that they are contractually obligated to protect the personal information they come into contact with, and

  • are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.

  • Data subjects who want to make enquires about their personal information are made aware of the procedure that needs to be followed should they wish to do so.

  • The scheduling of a periodic POPI Audit to accurately assess and review the ways in which Jonker Vorster Inc. collects, holds, uses, shares, discloses, destroys, and processes personal information.

8.2       Information Officer

            Jonker Vorster Inc.’s Information Officer is responsible for:

  • Taking steps to ensure Jonker Vorster Inc.’s reasonable compliance with the provision of POPI.

  • Keeping the Board of Directors updated about Jonker Vorster Inc. information protection responsibilities under POPI - for instance, in the case of a security breach, the Information Officer must inform and advise the Board of Directors of their obligations pursuant to POPI.

  • Continually analysing privacy regulations and aligning them with Jonker Vorster Inc. personal information processing procedures. This will include reviewing Jonker Vorster Inc. information protection procedures and related policies.

  • Ensuring that POPI Audits are scheduled and conducted on a regular basis.

  • Ensuring that Jonker Vorster Inc. makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to Jonker Vorster Inc. - for instance, maintaining a “contact us” facility on Jonker Vorster Inc. website.

  • Approving any contracts entered with operators, employees and other third parties which may have an impact on the personal information held by Jonker Vorster Inc.. This will include overseeing the amendment of Jonker Vorster Inc. employment contracts and other service level agreements.

  • Encouraging compliance with the conditions required for the lawful processing of personal information.

  • Ensuring that employees and other persons acting on behalf of Jonker Vorster Inc. are fully aware of the risks associated with the processing of personal information and that they remain informed about Jonker Vorster Inc. security controls.

  • Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of Jonker Vorster Inc.

  • Addressing employees’ POPI related questions.

  • Addressing all POPI related requests and complaints made by Jonker Vorster Inc’s data subjects.

  • Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, regarding any other matter

   The Deputy Information Officer will assist the Information Officer in performing his or her duties.

8.3       IT Manage

    Jonker Vorster Inc. IT Manager is responsible for:

  • Ensuring that Jonker Vorster Inc.’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.

  • Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.

  • Ensuring that servers containing personal information are sited in a secure location, away from the general office space.

  • Ensuring that all electronically stored personal information is backed-up and tested on a regular basis.

  • Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion and malicious hacking attempts.

  • Ensuring that personal information being transferred electronically is encrypted.

  • Ensuring that all servers and computers containing personal information are protected by a firewall and acceptable security software.

  • Performing regular IT audits to ensure that the security of Jonker Vorster Inc.’s hardware and software systems are functioning properly.

  • Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.

  • Performing a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on Jonker Vorster Inc.’s behalf - for instance, cloud computing services.

8.4       Marketing & Communication Manager

   Jonker Vorster Inc.’s Marketing & Communication Manager is responsible for:

  • Approving and maintaining the protection of personal information statements and disclaimers that are displayed on Jonker Vorster Inc. website, including those attached to communications such as emails and electronic newsletters.

  • Addressing any personal information protection queries from journalists or media outlets such as newspapers.

  • Where necessary, working with persons acting on behalf of Jonker Vorster Inc. to ensure that any outsourced marketing initiatives comply with POPI.

8.5       Employees and other Persons acting on behalf of Jonker Vorster Inc.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. will, during the performance of their services, gain access to and become acquainted with the personal information of certain clients, suppliers, and other employees.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. are required to treat personal information as a confidential business asset and to respect the privacy of data subjects.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within Jonker Vorster Inc. or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. will only process personal information where:

  • The data subject, or a competent person where the data subject is a child, consents to the processing; or

  • The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or

  • The processing complies with an obligation imposed by law on the responsible party; or

  • The processing protects a legitimate interest of the data subject; or

  • The processing is necessary for pursuing the legitimate interests of Jonker Vorster Inc. or of a third party to whom the information is supplied.

  • Furthermore, personal information will only be processed where the data subject:

  • Clearly understands why and for what purpose his, her or its personal information is being collected; and

  • Has granted Jonker Vorster Inc. with explicit written or verbally recorded consent to process his, her or its personal information.

  • Employees and other persons acting on behalf of Jonker Vorster Inc. will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information.

  • Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.

  • Consent can be obtained in written form which includes any appropriate electronic medium that is accurately and readily reducible to printed form, alternatively, Jonker Vorster Inc. will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.

  • Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:

  • the personal information has been made public, or

  • where valid consent has been given to a third party, or

  • the information is necessary for effective law enforcement.

 

Employees and other persons acting on behalf of Jonker Vorster Inc. will under no circumstances:

 

  • Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.

  • Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from Jonker Vorster Inc. central database or a dedicated server.

  • Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.

  • Transfer personal information outside of South Africa without the express permission from the Information Officer.

 

Employees and other persons acting on behalf of Jonker Vorster Inc. are responsible for:

 

  • Keeping all personal information that they encounter secure, by taking sensible precautions and following the guidelines outlined within this policy.

  • Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.

  • Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of Jonker Vorster Inc., with the sending or sharing of personal information to or with authorised external persons.

  • Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons.

  • Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.

  • Ensuring that where personal information is stored on removable storage medias such as external drives, CDs or DVDs that these are kept locked away securely when not being used.

  • Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it - for instance, in a locked drawer of a filing cabinet.

  • Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them - for instance, close to the printer.

  • Taking reasonable steps to ensure that personal information is kept accurate and up to date - for instance, confirming a data subject’s contact details when the client or customer phones or communicates via email. Where a data subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly.

  • Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner.

  • Undergoing POPI Awareness training from time to time.

 

Where an employee, or a person acting on behalf of Jonker Vorster Inc., becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.

 

9.       POPI AUDIT

 

Jonker Vorster Inc.’s Information Officer will schedule periodic POPI Audits.

The purpose of a POPI audit is to:

  • Identify the processes used to collect, record, store, disseminate and destroy personal information.

  • Determine the flow of personal information throughout Jonker Vorster Inc. - for instance, Jonker Vorster Inc.’s various business units, divisions, branches, and other associated organisations.

  • Redefine the purpose for gathering and processing personal information.

  • Ensure that the processing parameters are still adequately limited.

  • Ensure that new data subjects are made aware of the processing of their personal information.

  • Re-establish the rationale for any further processing where information is received via a third party.

  • Verify the quality and security of personal information.

  • Monitor the extend of compliance with POPI and this policy.

  • Monitor the effectiveness of internal controls established to manage Jonker Vorster Inc.’s POPI related compliance risk.

 

In performing the POPI Audit, Information Officers will liaise with line managers to identify areas within in Jonker Vorster Inc’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.

 

Information Officers will be permitted direct access to and have demonstrable support from line managers and Jonker Vorster Inc.’s Board of Directors in performing their duties.

 

10.     REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

 

 Data subjects have the right to:

  • Request what personal information Jonker Vorster Inc.. holds about them and why.

  • Request access to their personal information.

  • Be informed how to keep their personal information up to date.

 

Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.

Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against Jonker Vorster Inc.’s PAIA Policy.

 

The Information Officer will process all requests within a reasonable time.

 

11.     POPI COMPLAINTS PROCEDURE

 

 Data subjects have the right to complain in instances where any of their rights under POPI have been   infringed upon. Jonker Vorster Inc. takes all complaints very seriously and will address all POPI related   complaints in accordance with the following procedure:

 

  • POPI complaints must be submitted to Jonker Vorster Inc. in writing. Where so required, the Information Officer will provide the data subject with a “POPI Complaint Form”.

  • Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.

  • The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 5 working days.

  • The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner.

  • In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPI.

  • The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on Jonker Vorster Inc.’s data subjects.

  • Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with Jonker Vorster Inc.’s Board of Directors where after the affected data subjects and the Information Regulator will be informed of this breach.

  • The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to Jonker Vorster Inc.’s Board of Directors within 7 working days of receipt of the complaint. In all instances, Jonker Vorster Inc. will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.

  • The Information Officer’s response to the data subject may comprise any of the following:

  • A suggested remedy for the complaint,

  • A dismissal of the complaint and the reasons as to why it was dismissed,

  • An apology (if applicable) and any disciplinary action that has been taken against any employees involved.

  • Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.

  • The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints.

 

12.     DISCIPLINARY ACTION

 

 Where a POPI complaint or a POPI infringement investigation has been finalised, Jonker Vorster Inc.   may recommend any appropriate administrative, legal and/or disciplinary action to be taken against   any employee reasonably suspected of being implicated in any non-compliant activity outlined within   this policy.

 

 In the case of ignorance or minor negligence, Jonker Vorster Inc. will undertake to provide further   awareness training to the employee.

 

 Any gross negligence or the wilful mismanagement of personal information, will be considered a   serious form of misconduct for which Jonker Vorster Inc. may summarily dismiss the employee.   Disciplinary procedures will commence where there is sufficient evidence to support an employee’s   gross negligence.

 

 Examples of immediate actions that may be taken subsequent to an investigation include:

 

  • A recommendation to commence with disciplinary action.

  • A referral to appropriate law enforcement agencies for criminal investigation.

  • Recovery of funds and assets to limit any prejudice or damages caused.

 

 

 

ANNEXURE A:

 

PERSONAL INFORMATION REQUEST FORM

Please submit the completed form to the Information Officer

Name:

Contact Number:

Email Address:

Please be aware that we may require you to provide proof of identification prior to processing your request.

There may also be a reasonable charge for providing copies of any information requested.

 

A. Particulars of Data Subject

Name & Surname:

Identity Number:

Postal Address:

Contact Number:

Email Address:

 

B. Request

I request Jonker Vorster Inc. to:

(a) Inform me whether it holds any of my personal information 

(b) Provide me with a record or description of my personal information 

(c) Correct or update my personal information 

(d) Destroy or delete a record of my personal information 

 

C. Instructions (if any)

 

 

 

 

D. Signature Page

Signature:                                                          Date:

 

 

 

 

 

 

ANNEXURE B:

 

POPI COMPLAINT FORM

 

We are committed to safeguarding your privacy and the confidentiality of your personal information and are bound by the Protection of Personal Information Act.

 

Please submit your complaint to the Information Officer:

 

Name:

Contact Number:

Email Address:

 

Where we are unable to resolve your complaint, to your satisfaction you have the right to complaint to the Information Regulator.

 

The National Information Regulator: Adv Pansy Tlakula

Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Email: inforreg@justice.gov.za

Website: http://www.justice.gov.za

 

A. Particulars of Complainant

Name & Surname:

Identity Number:

Postal Address:

Contact Number:

Email Address:

 

B. Details of Complaint

 

 

C. Desired Outcome

 

 

D. Signature Page

Signature:                                                                    Date:

 

 

 

ANNEXURE C:

 

POPI NOTICE AND CONSENT FORM

We understand that your personal information is important to you and that you may be apprehensive about disclosing it. Your privacy is just as important to us and we are committed to safeguarding and processing your information in a lawful manner.

 

We also want to make sure that you understand how and for what purpose we process your information. If for any reason you think that your information is not processed in a correct manner, or that your information is being used for a purpose other than that for what it was originally intended, you can contact our Information Officer. You can request access to the information we hold about you at any time and if you think that we have outdated information, please request us to update or correct it.

 

Our Information Officer’s Contact Details

Name: Hendre Vorster

Contact Number 021 001 4757

Email Address: hendre@jvattorneys.co.za

 

Purpose for Processing your Information

We collect, hold, use and disclose your personal information mainly to provide you with access to the services that we provide. We will only process your information for a purpose you would reasonably expect, including:

 

  • Providing you with advice and services that suit your needs as requested.

  • To verify your identity and to conduct credit reference searches.

  • To issue, administer, manage your data and assist you as a software service provider.

  • To process your client data, send out automated correspondence to your clients by sms, email and registered email.

  • To notify you of new processes, legislation or developments that may be of interest to you.

  • To confirm, verify and update your details.

  • To comply with any legal and regulatory requirements.

 

Some of your information that we hold may include, your first and last name, email address, a home, postal or other physical address, other contact information, your title, birth date, gender, occupation, qualifications, past employment, residency status, your investments, assets, liabilities, insurance, income, expenditure, family history, medical information, your banking details. We further may request the name of all legal entities in which you may have an interest, what the interest is, its registration number, VAT number, registered address, trade references, financial statements and banking details.

 

Consent to Disclose and Share your Information

We may need to share your and/or your client’s information to provide advice, reports, analyses or services that you have requested.

 

Where we share your or your client’s information, we will take all precautions to ensure that the third party will treat your information with the same level of protection as required by us. Your information may be hosted on servers managed by a third-party service provider, which may be located outside of South Africa.

 

I hereby authorize and consent to Jonker Vorster Inc. sharing my personal information with the following persons:

 

Name & Surname:

Signature:

Date:

 

 

ANNEXURE D:

 

EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE

 

  • “Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise.

  • “POPI” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.

  • The employer undertakes to process the PI of the employee only in accordance with the conditions of lawful processing as set out in terms of POPI and in terms of the employer’s relevant policy available to the employee on request and only to the extent that it is necessary to discharge its obligations and to perform its functions as an employer and within the framework of the employment relationship and as required by South African law.

  • The employee acknowledges that the collection of his/her PI is both necessary and requisite as a legal obligation, which falls within the scope of execution of the legal functions and obligations of the employer. The employee therefore irrevocably and unconditionally agrees:

  • That he/she is notified of the purpose and reason for the collection and processing of his or her PI insofar as it relates to the employer’s discharge of its obligations and to perform its functions as an employer.

  • That he/she consents and authorises the employer to undertake the collection, processing and further processing of the employee’s PI by the employer for the purposes of securing and further facilitating the employee’s employment with the employer.

  • Without derogating from the generality of the aforementioned, the employee consents to the employer’s collection and processing of PI pursuant to any of the employer’s Internet, Email and Interception policies in place insofar as PI of the employee is contained in relevant electronic communications.

  • To make available to the employer all necessary PI required by the employer for the purpose of securing and further facilitating the employee’s employment with the employer.

  • To absolve the employer from any liability in terms of POPI for failing to obtain the employee’s consent or to notify the employee of the reason for the processing of any of the employee’s PI.

  • To the disclosure of his/her PI by the employer to any third party, where the employer has a legal or contractual duty to disclose such PI.

  • The employee further agrees to the disclosure of his/her PI for any reason enabling the employer to carry out or to comply with any business obligation the employer may have or to pursue a legitimate interest of the employer in order for the employer to perform its business on a day to day basis.

  • The employee authorises the employer to transfer his/her PI outside of the Republic of South Africa for any legitimate business purpose of the employer within the international community. The employer undertakes not to transfer or disclose his/her PI unless it is required for its legitimate business requirements and shall comply strictly with legislative stipulations in this regard.

  • The employee acknowledges that during the course of the performance of his/her services, he/she may gain access to and become acquainted with the personal information of certain clients, suppliers and other employees. The employee will treat personal information as a confidential business asset and agrees to respect the privacy of clients, suppliers and other employees.

  • To the extent that he/she is exposed to or insofar as PI of other employees, data subjects or third parties are disclosed to him/her, the employee hereby agree to be bound by appropriate and legally binding confidentiality and non-usage obligations in relation to the PI of third parties or employees.

  • Employees may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within Jonker Vorster Inc. or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties on behalf of the employer.

 

 

ANNEXURE E:

 

SERVICE LEVEL AGREEMENT (SLA) CONFIDENTIALITY CLAUSE

  • “Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise, the name of all legal entities in which you may have an interest, what the interest is, its registration number, VAT number, registered address, trade references, financial statements and banking details.

  • “POPI” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.

  • The parties acknowledge that for the purposes of this agreement that the parties may come into contact with, or have access to PI and other information that may be classified, or deemed as private or confidential and for which the other party is responsible. Such PI may also be deemed or considered as private and confidential as it relates to any third party who may be directly or indirectly associated with this agreement. Further, it is acknowledged and agreed by the parties that they have the necessary consent to share or disclose the PI and that the information may have value.

  • The parties agree that they will at all times comply with POPI’s Regulations and Codes of Conduct and that it shall only collect, use and process PI it comes into contact with pursuant to this agreement in a lawful manner, and only to the extend required to execute the services, or to provide the goods and to perform their respective obligations in terms of this agreement.

  • The parties agree that it shall put in place, and at all times maintain, appropriate physical, technological and contractual security measures to ensure the protection and confidentiality of PI that it, or its employees, its contractors or other authorised individuals comes into contact with pursuant to this agreement.

  • Unless so required by law, the parties agree that it shall not disclose any PI as defined in POPI to any third party without the prior written consent of the other party, and notwithstanding anything to the contrary contained herein, shall any party in no manner whatsoever transfer any PI out of the Republic of South Africa.

 

 

 

 

ANNEXURE F:

 

INFORMATION OFFICER APPOINTMENT LETTER

I here with and with immediate effect appoint you as the Information Officer as required by the Protection of Personal Information Act (Act 4 of 2013). This appointment may at any time be withdrawn or amended in writing.

  • You are entrusted with the following responsibilities:

  • Taking steps to ensure Jonker Vorster Inc’s reasonable compliance with the provision of POPI.

  • Keeping the Board of Directors updated about Jonker Vorster Inc’s information protection responsibilities under POPI - for instance, in the case of a security breach, the Information Officer must inform and advise the Board of Directors of their obligations pursuant to POPI.

  • Continually analysing privacy regulations and aligning them with Jonker Vorster Inc’s personal information processing procedures. This will include reviewing Jonker Vorster Inc’s information protection procedures and related policies.

  • Ensuring that POPI Audits are scheduled and conducted on a regular basis.

  • Ensuring that Jonker Vorster Inc. makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to Jonker Vorster Inc. , to do so - for instance, maintaining a “contact us” facility on Jonker Vorster Inc’s website.

  • Approving any contracts entered with operators, employees and other third parties which may have an impact on the personal information held by Jonker Vorster Inc. This will include overseeing the amendment of Jonker Vorster Inc’s employment contracts and other service level agreements.

  • Encouraging compliance with the conditions required for the lawful processing of personal information.

  • Ensuring that employees and other persons acting on behalf of Jonker Vorster Inc. are fully aware of the risks associated with the processing of personal information and that they remain informed about Jonker Vorster Inc’s security controls.

  • Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of Jonker Vorster Inc.

  • Addressing employees’ POPI related questions.

  • Addressing all POPI related requests and complaints made by Jonker Vorster Inc’s data subjects.

  • Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter.

 

I hereby accept the appointment as Information Officer

Name & Surname: Hendre Vorster

Signature: Hendre Vorster

Date: 22/06/2021

 

 

 

 

 

 

 

 

 

 

PROTECTION OF PERSONAL INFORMATION POLICY

  • Jonker Vorster Inc. establish a Regulatory Risk & Compliance Management Framework.

  • We implemented control measures (actions, activities, processes and/or procedures) that will provide reasonable assurance that Jonker Vorster Inc’s compliance obligations are met and that non-compliances are prevented, detected, and corrected.

  • Control measures are periodically investigated and evaluated to ensure continuing effectiveness.

CONTROL MEASURES