This manual was prepared in accordance with section 51 of the Promotion of Access to Information Act, 2000 and incorporates the requirements of the Protection of Personal Information Act, 2013.
This manual applies to atWORK Internet Software Solutions Proprietary Limited (registration number: 2001/013302/07) and its subsidiaries and related companies.
TABLE OF CONTENTS
5. CONTACT DETAILS OF THE MANAGING DIRECTOR [Section 51(1)(a) of PAIA]
6. DETAILS OF THE INFORMATION OFFICER [Section 51(1)(b) of PAIA]
7. GUIDE OF SA HUMAN RIGHTS COMMISSION [SECTION 51(1)(b) of PAIA]
8. NOTICE IN TERMS OF SECTION 52(2) OF PAIA (IF ANY) [SECTION 51(1)(c) OF PAIA]
9. CATEGORIES OF RECORDS AVAILABLE ONLY ON REQUEST [SECTION 51(1)(e) OF PAIA]
10. RECORDS AVAILABLE WITHOUT A REQUEST TO ACCESS IN TERMS OF PAIA
11. RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION [SECTION 51(1)(d) OF PAIA]
12. PROCEDURE TO REQUEST ACCESS TO A RECORD OF ATWORK [SECTION 51(1)(e) OF PAIA]
13. REFUSAL OF ACCESS TO A RECORD
14. AVAILABLE REMEDIES WHERE ACCESS TO A RECORD IS REFUSED
15. PREREQUISITES FOR ACCESS TO RECORDS
16. PRESCRIBED FEES [SECTION 51(1)(f) OF PAIA]
18. PROCESSING OF PERSONAL INFORMATION BY ATWORK
19. PURPOSE FOR PROCESSING OF PERSONAL INFORMATION
20. CATEGORIES OF DATA SUBJECTS AND PERSONAL INFORMATION
22. OBJECTION BY DATA SUBJECT TO PROCESSING OF PERSONAL INFORMATION
24. LIMITATIONS ON THE FURTHER PROCESSING OF INFORMATION
25. CROSS-BORDER INFORMATION FLOWS
26. ACCESS TO PERSONAL INFORMATION BY DATA SUBJECT
27. SAFETY MEASURES FOR THE PROTECTION OF PERSONAL INFORMATION
28. MAKING USE OF AN OPERATOR OR ACTING AS AN OPERATOR
PAIA AND POPIA MANUAL
I. PART 1: GENERAL PROVISIONS
1.1 The Promotion of Access to Information Act (Act no. 2 of 2000) (“PAIA”) was enacted on 3 February 2000, giving effect to the constitutional right in terms of section 32 of the Bill of Rights contained in the Constitution of the Republic of South Africa 108 of 1996 (the “Constitution”) of access to any information held by the state and any information that is held by another person and that is required for the exercise or protection of any rights.
1.2 The Constitution also recognizes that every person has the right to privacy. In order to protect this right to privacy and specifically the personal information of persons, the Protection of Personal Information Act (Act no. 4 of 2013) (“POPIA”) was promulgated. atWORK recognizes that it is a Responsible Party in terms of POPIA and is therefore bound by the rules laid down for the processing of personal information.
1.3 In terms of section 51 of PAIA, the Information Officer of a private body is required to ensure that a manual is developed, monitored, maintained and made available as prescribed.
1.4 Where a request is made in terms of PAIA, the body to whom the request is made is obliged to release the information, subject to applicable legislative and/or regulatory requirements, except where PAIA expressly provides that the information may be adopted when requesting information from a public or private body.
2.1 For purposes of this manual, the following definitions shall apply (and cognate expressions shall have similar meanings) —
2.1.1 “atWORK” means atWORK Internet Software Solutions Proprietary Limited (registration number: 2001/013302/07) and its subsidiaries and related companies;
2.1.2 “Child” means a natural person under the age of 18 years who is not legally competent, without the assistance of a Competent Person, to take any action or decision in respect of any matter concerning him- or herself.
2.1.3 “Competent Person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.
2.1.4 “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of Personal Information;
2.1.5 “Data Subject” means the person to whom Personal Information relates;
2.1.6 “De-identify” means in relation to Personal Information of a Data Subject, to delete any information that identifies the Data Subject, that can be used or manipulated by a reasonably foreseeable method to identify the Data Subject, or can be linked by a reasonably foreseeable method to other information that identifies the Data Subject;
2.1.7 “Deputy Information Officer” means the person designated as such in terms of par. 3.2 below;
2.1.8 “Direct Marketing” means to approach a Data Subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject, or requesting the Data Subject to make a donation of any kind for any reason.
2.1.9 “ECT Act” means the Electronic Communications and Transactions Act, Act 25 of 2002;
2.1.10 “electronic communication” has the meaning set out in section 1 of the ECT Act, being communication by means of data messages. “Data message” is defined in section 1 of the ECT Act as meaning data generated, sent, received or stored by electronic means and includes:
2.1.10.1 voice, where the voice is used in an automated transaction; and
2.1.10.2 a stored record;
2.1.11 “Information Officer” in relation to atWORK (being a private body), means the chief executive officer of atWORK in terms of section 1 of PAIA;
2.1.12 “Information Regulator” means a juristic person established in terms of section 39 of POPIA, which -
2.1.12.1 has jurisdiction throughout the Republic;
2.1.12.2 is independent and is subject only to the Constitution and to the law and must be impartial and perform its functions and exercise its powers without fear, favour or prejudice;
2.1.12.3 must exercise its powers and perform its functions in accordance with POPIA and PAIA;
2.1.12.4 is accountable to the National Assembly;
2.1.13 “Manual” means this information manual prepared in terms of section 51 of PAIA, and incorporating the requirements of POPIA;
2.1.14 “Operator” means a person who processes Personal Information for a Responsible Party in terms of a contract or mandate, without coming under the direct control of that party;
2.1.15 “PAIA” means the Promotion of Access to Information Act (Act no. 4 of 2013), as amended or re-enacted from time to time including all Schedules thereto and the Regulations;
2.1.16 “Person” means a natural person or juristic person;
2.1.17 “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
2.1.17.1 information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
2.1.17.2 information relating to the education or the medical, financial, criminal or employment history of the person;
2.1.17.3 any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
2.1.17.4 the biometric information of the person;
2.1.17.5 the personal opinions, views or preferences of the person;
2.1.17.6 correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
2.1.17.7 the views or opinions of another individual about the person;
2.1.17.8 the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
2.1.18 “Personnel” means any person who works for, or provides services to, or on behalf of atWORK and receives or is entitled to receive remuneration and any other person who assists in carrying out or conducting the business of atWORK, including, without limitation, directors (executive and non-executive), all permanent, temporary and part-time staff, as well as contract workers;
2.1.19 “POPIA” means the Protection of Personal Information Act (Act no. 4 of 2013), as amended or re-enacted from time to time including all Schedules thereto and the Regulations;
2.1.20 “Processing”, “Processed” or “Process” means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
2.1.20.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
2.1.20.2 dissemination by means of transmission, distribution or making available in any other form;
2.1.20.3 merging, linking, as well as restriction, degradation, erasure or destruction of information;
2.1.21 “Public Record” means a record that is accessible in the public domain and which is in the possession of or under the control of a public body, whether or not it was created by that public body.
2.1.22 “Record” means any recorded information:
2.1.22.1 regardless of form or medium including any of the following:
2.1.22.1.1 writing on any material;
2.1.22.1.2 information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
2.1.22.1.3 label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
2.1.22.1.4 book, map, plan, graph or drawing;
2.1.22.1.5 photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
2.1.22.2 in the possession or under the control of a Responsible Party;
2.1.22.3 whether or not it was created by a Responsible Party;
2.1.22.4 regardless of when it came into existence.
2.1.23 “Regulator” means the Information Regulator established in terms of section 39 of POPIA;
2.1.24 “Requester” means any person, including but not limited to a public body or official thereof, making a request for access to a record of atWORK in terms of this Manual;
2.1.25 “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information;
2.1.26 “Special Personal Information” means the following Personal Information of a Data Subject, namely religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, biometric information, health, and criminal behaviour, as contemplated in section 26(a) and (b) of POPIA.
II. PART 2: PROMOTION OF ACCESS TO INFORMATION
3.1 atWORK is a business in the software industry that sells CRM solutions, practice management, compliance management and financial planning tools for financial advisors.
3.2 This Manual of atWORK is available at its premises: Castle View South, Corner of Lois and Tsitsa Street, Erasmuskloof, Pretoria, as well as on its website, http://www.atwork.co.za.
4.1 The purpose of this Manual is to inform persons and entities dealing with atWORK and its subsidiaries and related companies of the manner in which:
4.1.1 they may request access to information held by atWORK;
4.1.2 their personal information will be collected and processed.
to promote the right of access to information, to foster a culture of transparency and accountability within atWORK by giving the right to information that is required for the exercise or protection of any right and to actively promote a society in which the people of South Africa have effective access to information to enable them to exercise and protect their rights.
4.2 In order to promote effective governance of private bodies, it is necessary to ensure that everyone is empowered and educated to understand their rights in relation to public and private bodies.
4.3 Section 9 of PAIA recognises that the right to access information cannot be unlimited and should be subject to justifiable limitations, including, but not limited to:
4.3.1 limitations aimed at the reasonable protection of privacy;
4.3.2 commercial confidentiality; and
4.3.3 effective, efficient and good governance; and
4.3.4 in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.
4.4 This Manual complies with the requirements of the guide mentioned in section 10 of PAIA and recognises that the appointed Information Regulator will be responsible for regulating compliance with PAIA and POPIA and its regulations by private and public bodies.
5. CONTACT DETAILS OF THE MANAGING DIRECTOR [Section 51(1)(a) of PAIA]
Managing Director: Pierre Dippenaar
Registered Address: Castle View South, Corner of Lois and Tsitsa Street, Erasmuskloof, Pretoria
Postal Address: Postnet Suite 202, Private Bag X10, Elardus Park, 0047
Telephone Number: 0861 289 9675 (0861 ATWORK)
Website:
6. DETAILS OF THE INFORMATION OFFICER [Section 51(1)(b) of PAIA]
6.1 PAIA prescribes the appointment of an Information Officer for private bodies where such Information Officer is responsible to, inter alia, assess requests for access to information. The head of a private body fulfils such a function in terms of Section 51.
6.2 atWORK has appointed an Information Officer to assess such a request for access to information as well as to oversee its required functions in terms of PAIA.
6.3 The Information Officer appointed in terms of PAIA also refers to the Information Officer as referred to in POPIA. The Information Officer oversees the functions and responsibilities required in terms of PAIA as well as the duties and responsibilities in terms of Section 55 of POPIA after registering with the Information Regulator.
6.4 The Information Officer may appoint, where it is deemed necessary, Deputy Information Officers, as allowed in terms of Section 17 of PAIA as well as Section 56 of POPIA.
6.5 This is in order to render atWORK as accessible as reasonably possible for Requesters of its records and to ensure fulfilment of its obligations and responsibilities as prescribed in terms of Section 55 of POPIA.
6.6 All requests for information in terms of PAIA must be addressed to the Information Officer.
6.7 Contact details of the Information Officer:
Pierre Dippenaar
Registered Address: Castle View South, Corner of Lois and Tsitsa Street, Erasmuskloof, Pretoria
Telephone Number: 0861 289 9675 (0861 ATWORK)
Email:

Deputy Information Officer: Niclaas Roets
Position: Chief Operations Officer
Responsible division: Business Operations
Telephone Number:
Email:

Deputy Information Officer: Liesl Ludeke
Position: Platform Owner
Responsible division: Information Technology
Telephone Number:
Email:

Deputy Information Officer: Anina Coetzee
Position: Manager: Finance, Admin and Legal
Responsible division: Finance, Administration and Legal
Telephone Number:
Email:
7. GUIDE OF SA HUMAN RIGHTS COMMISSION [SECTION 51(1)(b) of PAIA]
7.1 PAIA grants a Requester access to records of a private body, if the record is required for the exercise or protection of any rights. If a public body lodges a request, the public body must be acting in the public interest.
7.2 Requests in terms of PAIA shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in paragraphs 6 and 7 of the Act.
7.3 Requesters are referred to the Guide in terms of Section 10 of PAIA which has been compiled by the South African Human Rights Commission, which will contain information for the purposes of exercising Constitutional Rights. The Guide is available on request from the SAHRC.
7.4 The contact details of the SA Human Rights Commission are:
Contact body: The South African Human Rights Commission
Physical Address: PAIA Unit, 29 Princess of Wales Terrace, Corner of York and Andrew Streets, Parktown
Postal Address: Private Bag 2700, Houghton 2041
Telephone Number: +27 11 877 3600
E-Mail: PAIA@sahrc.org.za
Website:
8. NOTICE IN TERMS OF SECTION 52(2) OF PAIA (IF ANY) [SECTION 51(1)(c) OF PAIA]
No notice has been published on the categories of records that are automatically available without a person having to request access in terms of Section 52(2) of PAIA.
9. CATEGORIES OF RECORDS AVAILABLE ONLY ON REQUEST [SECTION 51(1)(e) OF PAIA]
9.1 Records held by atWORK
This table sets out the categories of information that atWORK holds. The information is classified and grouped according to records relating to the following subjects and categories:
SUBJECT | CATEGORY
Companies Act Records | Documents of Incorporation; Index of names of Directors; Memorandum of Incorporation; Minutes of meetings of the Board of Directors; Minutes of meetings of Shareholders; Proxy forms; Register of directors’ shareholdings; Share certificates; Share Register and other statutory registers and/or records and/or documents; Special resolutions/Resolutions passed at General and special general meetings; Records relating to the appointment of: Auditors; Directors; Prescribed Officer; Public Officer; and Secretary.
Financial Records | Accounting Records; Annual Financial Reports; Annual Financial Statements; Asset Registers; Bank Statements; Banking details and bank accounts; Banking Records; Debtors / Creditors statements and invoices; General ledgers and subsidiary ledgers; General reconciliation; Invoices; Paid Cheques; Policies and procedures; Rental Agreements; and Tax Returns.
Income Tax Records | PAYE Records; Documents issued to employees for income tax purposes; Records of payments made to SARS on behalf of employees; All other statutory compliances: VAT; Regional Services Levies; Skills Development Levies; UIF; Workmen’s Compensation.
Personnel Documents and Records | Accident books and records; Address Lists; Disciplinary Code and Records; Employee benefits arrangements rules and records; Employment Contracts; Employment Equity Plan; Forms and Applications; Grievance Procedures; Leave Records; Medical Aid Records; Payroll reports / Wage register; Pension Fund Records; Safety, Health and Environmental records; Salary Records; Standard letters and notices; Training Manuals; Training Records.
Procurement Department | Standard Terms and Conditions for supply of services and products; Contractor, client and supplier agreements; Lists of suppliers, products, services and distribution; and Policies and Procedures.
Sales Department | Customer details; User details; Compliance Officer details; Debit order details; Information and records provided by a third party.
Marketing Department | Advertising and promotional material.
Risk Management and Audit | Audit reports; Risk management frameworks; and Risk management plans.
Safety, Health and Environment | Complete Safety, Health and Environment Risk Assessment; Environmental Management Plans; Inquiries, inspections, examinations by environmental authorities.
IT Department | Computer / mobile device usage policy documentation; Disaster recovery plans; Hardware asset registers; Information security policies/standards/procedures; Information technology systems and user manuals; Information usage policy documentation; Project implementation plans; Software licensing; and System documentation and manuals.
Corporate Social Responsibility (CSR) | CSR schedule of projects/record of organisations that receive funding; Reports, books, publications and general information related to CSR spend; Records and contracts of agreement with funded organisations.
9.2 Note that the accessibility of the records may be subject to the grounds of refusal set out in this Manual. Amongst others, records deemed confidential on the part of a third party will necessitate permission from the third party concerned, in addition to normal requirements, before atWORK will consider access.
10. RECORDS AVAILABLE WITHOUT A REQUEST TO ACCESS IN TERMS OF PAIA
10.1 Records of a public nature, typically those disclosed on the atWORK website and in its various annual reports, may be accessed without the need to submit a formal application.
10.2 Other non-confidential records, such as statutory records maintained at CIPC, may also be accessed without the need to submit a formal application; however, please note that an appointment to view such records will still have to be made with the Information Officer.
11. RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION [SECTION 51(1)(d) OF PAIA]
11.1 Unless disclosure is prohibited in terms of legislation, regulations, contractual agreement or otherwise, records that are required to be made available in terms of these acts shall be made available for inspection by interested parties in terms of the requirements and conditions of PAIA, the below mentioned legislation and applicable internal policies and procedures, should such interested parties be entitled to such information.
11.2 A request to access must be done in accordance with the prescriptions of PAIA.
11.3 Where applicable to its operations, atWORK retains records and documents in terms of the legislation below:
11.3.1 Auditing Professions Act (Act no. 26 of 2005);
11.3.2 Basic Conditions of Employment Act (Act no. 75 of 1997);
11.3.3 Broad-Based Black Economic Empowerment Act (Act no. 75 of 1997);
11.3.4 Companies Act (Act no. 71 of 2008);
11.3.5 Compensation for Occupational Injuries & Diseases Act (Act no. 130 of 1993);
11.3.6 Competition Act (Act no. 89 of 1998);
11.3.7 Constitution of the Republic of South Africa 1996;
11.3.8 Copyright Act (Act no. 98 of 1978);
11.3.9 Electronic Communications Act (Act no. 36 of 2005);
11.3.10 Electronic Communications and Transactions Act (Act no. 25 of 2002);
11.3.11 Employment Equity Act (Act no. 55 of 1998);
11.3.12 Financial Intelligence Centre Act (Act no. 38 of 2001);
11.3.13 Income Tax Act (Act no. 58 of 1962);
11.3.14 Intellectual Property Laws Amendment Act (Act no. 38 of 1997);
11.3.15 Labour Relations Act (Act no. 66 of 1995);
11.3.16 Long Term Insurance Act (Act no. 52 of 1998);
11.3.17 Occupational Health & Safety Act (Act no. 85 of 1993);
11.3.18 Pension Funds Act (Act no. 24 of 1956);
11.3.19 Prescription Act (Act no. 68 of 1969);
11.3.20 Prevention of Organised Crime Act (Act no. 121 of 1998);
11.3.21 Promotion of Access to Information Act (Act no. 2 of 2000);
11.3.22 Protection of Personal Information Act (Act no. 4 of 2013);
11.3.23 Regulation of Interception of Communications and Provision of Communication Related Information Act (Act no. 70 of 2002);
11.3.24 Skills Development Levies Act (Act no. 9 of 1999);
11.3.25 Short-term Insurance Act (Act no. 53 of 1998);
11.3.26 Unemployment Insurance Contributions Act (Act no. 4 of 2002);
11.3.27 Unemployment Insurance Act (Act no. 30 of 1966);
11.3.28 Value Added Tax Act (Act no. 89 of 1991).
11.4 Although we have used our best endeavours to supply a list of applicable legislation, it is possible that this list may be incomplete. Whenever it comes to our attention that existing or new legislation allows a Requester access on a basis other than as set out in PAIA, we shall update the list accordingly. If a Requester believes that a right of access to a record exists in terms of other legislation listed above or any other legislation, the Requester is required to indicate what legislative right the request is based on, to allow the Information Officer the opportunity of considering the request in light thereof.
11.5 The accessibility of documents and records under the legislation above may be subject to the grounds of refusal set out in this Manual and in PAIA.
12. PROCEDURE TO REQUEST ACCESS TO A RECORD OF ATWORK [SECTION 51(1)(e) OF PAIA]
12.1 The Requester must comply with all the procedural requirements contained in PAIA relating to the request for access to a record.
12.2 The Requester must complete FORM C (Request for Access to Record of a Private Body) attached as Schedule 3, and submit same as well as payment of a request fee and a deposit (if applicable) to the Information Officer or the Deputy Information Officer at the postal or physical address, fax number or electronic mail address as noted in paragraph 5 (Details of Information Officer) above.
12.3 The prescribed form must be filled in with sufficient information to enable the Information Officer to identify:
12.3.1 the record or records requested; and
12.3.2 the identity of the Requester.
12.4 The Requester should indicate which form of access is required and specify a postal address or fax number of the Requester in the Republic.
12.5 The Requester must state that he/she requires the information in order to exercise or protect a right, and clearly state what the nature of the right is so to be exercised or protected. The Requester must clearly specify why the record is necessary to exercise or protect such a right (Section 53(2)(d) of PAIA).
12.6 atWORK will process the request within 30 (thirty) days, unless the Requester has stated special reasons to the satisfaction of the Information Officer that circumstances dictate that the above time periods not be complied with.
12.7 The Requester shall be advised whether access is granted or denied in writing. If, in addition, the Requester requires the reasons for the decision in any other manner, the Requester will be obliged to state which manner and the particulars required.
12.8 If a request is made on behalf of another person, then the Requester must submit proof of the capacity in which the Requester is making the request to the reasonable satisfaction of the Information Officer (section 53(2)(f)).
12.9 If an individual is unable to complete the prescribed form because of illiteracy or disability, such a person may make the request orally.
12.10 The Requester must pay the prescribed fee, before any further processing can take place.
12.11 All information as listed in this paragraph 12 should be provided, failing which the process will be delayed until the required information is provided. The prescribed time periods will not commence until the Requester has furnished all the necessary and required information. The Information Officer shall sever a record, if possible, and grant only access to that portion requested and which is not prohibited from being disclosed.
13. REFUSAL OF ACCESS TO A RECORD
13.1 PAIA provides that a private body, such as atWORK, may under certain circumstances refuse access to a record or information that has been requested.
13.2 The main grounds for atWORK to refuse a request for information in terms of PAIA include a refusal in terms of:
13.2.1 Section 63 of PAIA, relating to the mandatory protection of the privacy of a third party who is a natural person or a deceased person or a juristic person, as included in POPIA, which would involve the unreasonable disclosure of personal information of that natural or juristic person;
13.2.2 Section 64 of PAIA, relating to the mandatory protection of the commercial information of a third party if the record contains:
13.2.2.1 trade secrets of the third party;
13.2.2.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of that third party;
13.2.2.3 information disclosed in confidence by a third party to atWORK, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition;
13.2.3 Section 65 of PAIA, relating to the mandatory protection of confidential information of third parties if it is protected in terms of any agreement;
13.2.4 Section 66 of PAIA, relating to the mandatory protection of the safety of individuals and the protection of property;
13.2.5 Section 67 of PAIA, relating to the mandatory protection of records which would be regarded as privileged in legal proceedings;
13.2.6 Section 68 of PAIA, relating to the mandatory protection of atWORK’s commercial information and activities, including:
13.2.6.1 trade secrets of atWORK;
13.2.6.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of atWORK;
13.2.6.3 information which, if disclosed could put atWORK at a disadvantage in negotiations or commercial competition;
13.2.6.4 a computer program or software which is owned by atWORK, and which is protected by copyright;
13.2.6.5 the research information of atWORK or a third party, if its disclosure would disclose the identity of atWORK, the researcher or the subject matter of the research and would place the research at a serious disadvantage;
13.2.7 Section 69 of PAIA, relating to the mandatory protection of research information of a third party; and
13.2.8 the mandatory protection of personal information and for disclosure of any personal information to, in addition to any other legislative, regulatory or contractual agreements, comply with the provisions of POPIA.
13.3 Requests for information that are clearly frivolous or vexatious, or which involve an unreasonable diversion of resources shall be refused.
13.4 All requests for information will be assessed on their own merits and in accordance with the applicable legal principles and legislation.
13.5 If a requested record cannot be found or if the record does not exist, the Information Officer shall, by way of an affidavit or affirmation, notify the Requester that it is not possible to give access to the requested record.
13.6 Such a notice will be regarded as a decision to refuse a request for access to the record concerned for the purpose of PAIA. If the record should later be found, the Requester shall be given access to the record in the manner stipulated by the Requester in the prescribed form, unless the Information Officer refuses access to such record.
14. AVAILABLE REMEDIES WHERE ACCESS TO A RECORD IS REFUSED
14.1 Internal Remedies
atWORK does not have internal appeal procedures. The decision made by the Information Officer is final. Requesters will have to exercise such external remedies at their disposal if the request for information is refused, and the Requester is not satisfied with the answer supplied by the Information Officer.
14.2 External Remedies
14.2.1 A Requester that is dissatisfied with the Information Officer's refusal to disclose information may, within 30 (thirty) days of notification of the decision, apply to a Court for relief.
14.2.2 A third party dissatisfied with the Information Officer's decision to grant a request for information, may within 30 (thirty) days of notification of the decision, apply to a Court for relief. For purposes of the Act, the Courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another court of similar status and a Magistrate's Court designated by the Minister of Justice and Constitutional Development and which is presided over by a designated Magistrate.
15. PREREQUISITES FOR ACCESS TO RECORDS
15.1 Records held by atWORK may be accessed by requests only once the prerequisite requirements for access have been met.
15.2 A Requester is any person making a request for access to a record of atWORK. There are two types of Requesters:
15.2.1 Personal Requester
15.2.1.1 A personal Requester is a Requester who is seeking access to a record containing Personal Information about the Requester.
15.2.1.2 atWORK will voluntarily provide the requested information or give access to any record with regard to the Requester's Personal Information. The prescribed fee for reproduction of the information requested will be charged.
15.2.2 Other Requester
15.2.2.1 This Requester (other than a personal Requester) is entitled to request access to information on third parties.
15.2.2.2 In considering such a request, atWORK will adhere to the provisions of PAIA. Section 71 of PAIA requires that the Information Officer take all reasonable steps to inform a third party to whom the requested record relates of the request, informing him/her that he/she may make a written or oral representation to the Information Officer why the request should be refused or, where required, give written consent for the disclosure of the Information.
15.3 atWORK is not obliged to voluntarily grant access to such records. The Requester must fulfil the prerequisite requirements, in accordance with the requirements of PAIA and as stipulated in Part 3 of Chapter 5, including the payment of a request fee and access fee.
16. PRESCRIBED FEES [SECTION 51(1)(f) OF PAIA]
16.1 Fees Provided by PAIA
16.1.1 PAIA provides for two types of fees, namely:
16.1.1.1 A request fee, which is a form of administration fee to be paid by all Requesters except personal Requesters, before the request is considered and is not refundable; and
16.1.1.2 An access fee, which is paid by all Requesters in the event that a request for access is granted. This fee is inclusive of costs involved by the private body in obtaining and preparing a record for delivery to the Requester.
16.1.2 When the request is received by the Information Officer, such officer shall by notice require the Requester, other than a personal Requester, to pay the prescribed request fee, before further processing of the request in terms of Section 54(1) of PAIA.
16.1.3 If the search for the record has been made and the preparation of the record for disclosure, including arrangement to make it available in the requested form, requires more than the hours prescribed in the regulations for this purpose, the Information Officer shall notify the Requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.
16.1.4 The Information Officer shall withhold a record until the Requester has paid the fees as indicated below.
16.1.5 A Requester whose request for access to a record has been granted, must pay an access fee that is calculated to include, where applicable, the request fee, the process fee for reproduction and for search and preparation, and for any time reasonably required in excess of the prescribed hours to search for and prepare the record for disclosure including making arrangements to make it available in the requested form.
16.1.6 If a deposit has been paid in respect of a request for access, which is refused, then the Information Officer concerned must repay the deposit to the Requester.
16.2 Reproduction Fee
Where atWORK has voluntarily provided a list of categories of records that will automatically be made available to any person requesting access thereto, the only charge that may be levied for obtaining such records, will be a fee for reproduction of the record in question.
| Reproduction of Information Fees | Fees to be Charged |
| --- | --- |
| Information in an A4-size page photocopy or part thereof | R 1.10 |
| A printed copy of an A4-size page or part thereof | R 0.75 |
| A copy in computer-readable format, for example USB or compact disc | R 70.00 |
| A transcription of visual images, in an A4-size page or part thereof | R 40.00 |
| A copy of visual images | R 60.00 |
| A transcription of an audio record for an A4-size page or part thereof | R 20.00 |
| A copy of an audio record | R 30.00 |
16.3 Request Fees
Where a Requester submits a request for access to information held by an institution on a person other than the Requester himself/herself, a request fee in the amount of R50,00 is payable up-front before the institution will further process the request received.
16.4 Access Fees
16.4.1 An access fee is payable in all instances where a request for access to information is granted, except in those instances where payment of an access fee is specially excluded in terms of PAIA or an exclusion is determined by the Minister in terms of Section 54(8) of PAIA.
16.4.2 The applicable access fees which will be payable are:
| Access of Information Fees | Fees to be Charged |
| --- | --- |
| Information in an A4-size page photocopy or part thereof | R 1.10 |
| A printed copy of an A4-size page or part thereof | R 0.75 |
| A copy in computer-readable format, for example: USB | R 70.00 |
| A copy in computer-readable format, for example: compact disc | R 70.00 |
| A transcription of visual images, in an A4-size page or part thereof | R 40.00 |
| A copy of visual images | R 60.00 |
| A transcription of an audio record for an A4-size page or part thereof | R 20.00 |
| A copy of an audio record (*per hour or part of an hour reasonably required for such search) | R 30.00* |
16.5 Deposits
16.5.1 Where atWORK receives a request for access to information held on a person other than the Requester himself/herself and the Information Officer upon receipt of the request is of the opinion that the preparation of the required record of disclosure will take more than 6 (six) hours, a deposit is payable by the Requester.
16.5.2 The amount of the deposit is equal to 1/3 (one third) of the amount of the applicable access fee.
16.6 Collection Fees
16.6.1 The initial "request fee" of R50,00 must be deposited into the bank account of atWORK and a copy of the deposit slip, application form and other correspondence or documents, forwarded to the Information Officer via email.
16.6.2 The officer will collect the initial "request fee" of applications received directly by the Information Officer via email.
16.6.3 All fees are subject to change as allowed for in the Act and, as a consequence of such escalations, may not always be immediately available at the time of the request being made. Requesters shall be informed of any changes in the fees prior to making a payment.
17. DECISION
17.1 atWORK will, within 30 (thirty) days of receipt of the request, decide whether to grant or decline the request and give notice with reasons (if required) to that effect.
17.2 The 30 (thirty) day period within which atWORK has to decide whether to grant or refuse the request may be extended for a further period of not more than 30 (thirty) days if the request is for a large amount of information, or the request requires a search for information held at another office of atWORK and the information cannot reasonably be obtained within the original 30 (thirty) day period.
17.3 atWORK will notify the Requester in writing should an extension be sought.
III. PART 3: PROTECTION OF PERSONAL INFORMATION
18. PROCESSING OF PERSONAL INFORMATION BY ATWORK
18.1 Chapter 3 of POPIA provides for the minimum conditions for lawful processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA.
18.2 atWORK needs Personal Information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is Processed and the purpose for which it is Processed is determined by atWORK.
18.3 atWORK is accordingly a Responsible Party for the purposes of POPIA and will ensure that the Personal Information of a Data Subject:
18.3.1 is processed lawfully, fairly and transparently. This includes the provision of appropriate information to Data Subjects when their data is collected by atWORK, in the form of privacy or data collection notices. atWORK must also have a legal basis (for example, consent) to process Personal Information;
18.3.2 is processed only for the purposes for which it was collected;
18.3.3 will not be processed for a secondary purpose unless that processing is compatible with the original purpose;
18.3.4 is adequate, relevant and not excessive for the purposes for which it was collected;
18.3.5 is accurate and kept up to date;
18.3.6 will not be kept for longer than necessary;
18.3.7 is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that Personal Information, in both physical and electronic form, is subject to an appropriate level of security when stored, used and communicated by atWORK, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage;
18.3.8 is processed in accordance with the rights of Data Subjects, where applicable.
18.4 Data Subjects have the right to:
18.4.1 be notified that their Personal Information is being collected by atWORK. The Data Subject also has the right to be notified in the event of a data breach;
18.4.2 know whether atWORK holds Personal Information about them, and to access that information. Any request for information must be handled in accordance with the provisions of this Manual;
18.4.3 request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal information;
18.4.4 object to atWORK’s use of their Personal Information and request the deletion of such Personal Information (deletion would be subject to atWORK’s record keeping requirements);
18.4.5 object to the processing of Personal Information for purposes of direct marketing by means of unsolicited electronic communications;
18.4.6 complain to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged noncompliance with the protection of his, her or its personal information;
18.4.7 not be subject, under certain circumstances, to a decision which is based solely on the automated processing of Personal Information intended to provide a profile of such person;
18.4.8 submit a complaint to the Regulator regarding the alleged interference with the protection of the Personal Information of any Data Subject or to submit a complaint to the Regulator in respect of a determination of an adjudicator; and
18.4.9 institute civil proceedings regarding the alleged interference with the protection of Personal Information.
18.5 atWORK will not process the Personal Information of any Data Subject unless:
18.5.1 consent is obtained from the Data Subject;
18.5.2 processing is necessary for the establishment, exercise or defense of a right or obligation in law;
18.5.3 processing is necessary to comply with an obligation of international public law;
18.5.4 processing is for historical, statistical or research purposes to the extent that:
18.5.4.1 the purpose serves a public interest, and the processing is necessary for the purpose concerned; or
18.5.4.2 it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the Data Subject to a disproportionate extent;
18.5.5 information has deliberately been made public by the Data Subject;
18.5.6 processing is authorised by the Regulator;
18.5.7 relating to religious or philosophical belief, processing is carried out by the spiritual or religious organisation to which the Data Subject belongs or to which their family members belong;
18.5.8 relating to race or ethnic origin, processing is carried out to identify Data Subjects or comply with specific legislation;
18.5.9 relating to trade union membership, processing is carried out by the trade union to which the Data Subject belongs;
18.5.10 relating to political persuasion, processing is carried out by or for an institution, founded on political principles if the information is of their members or employees or for purposes of forming a political party;
18.5.11 relating to health or sex life, processing is carried out by:
18.5.11.1 medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the Data Subject;
18.5.11.2 insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations;
18.5.11.3 schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life;
18.5.11.4 any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
18.5.11.5 any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures;
18.5.11.6 administrative bodies, pension funds, employers or institutions working for them;
18.5.12 relating to criminal behaviour or biometric information, processing is carried out by bodies charged by law with applying criminal law or by responsible parties who have obtained that information in accordance with the law, or by the employer in accordance with the rules established in compliance with labour legislation.
18.6 atWORK undertakes that it will only Process the Personal Information of a Child if such Processing is:
18.6.1 carried out with the prior consent of a Competent Person;
18.6.2 necessary for the establishment, exercise or defense of a right or obligation in law;
18.6.3 necessary to comply with an obligation of international public law;
18.6.4 for historical, statistical or research purposes to the extent that:
18.6.4.1 the purpose serves a public interest, and the processing is necessary for the purpose concerned; or
18.6.4.2 it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent;
18.6.4.3 of Personal Information which has deliberately been made public by the Child with the consent of a Competent Person;
18.6.4.4 authorised by the Regulator.
18.7 atWORK will apply for and obtain prior authorisation from the Regulator if it plans to do any of the following:
18.7.1 process any unique identifiers of Data Subjects for a purpose other than the one for which the identifier was specifically intended at collection; and with the aim of linking the information together with information processed by other responsible parties;
18.7.2 process information on criminal behaviour or on unlawful or objectionable conduct on behalf of third parties;
18.7.3 process information for the purposes of credit reporting;
18.7.4 transfer special Personal Information, or the Personal Information of children, to a third party in a foreign country that does not provide an adequate level of protection for the processing of Personal Information.
18.8 atWORK will obtain prior authorisation only once and not each time that Personal Information is received or processed, except where the processing departs from that which has been authorised.
18.9 atWORK may not carry out information processing that has been notified to the Regulator until the Regulator has completed its investigation or until atWORK has received notice that a more detailed investigation will not be conducted. The Regulator must inform the responsible party in writing within four weeks of the notification as to whether or not it will conduct a more detailed investigation. On conclusion of the more detailed investigation the Regulator must issue a statement concerning the lawfulness of the information processing. If atWORK does not receive the Regulator’s decision within the time limits specified, it may presume a decision in its favour and continue with its processing.
19. PURPOSE FOR PROCESSING OF PERSONAL INFORMATION
19.1 atWORK will only collect Personal Information for a specific, explicitly defined and lawful purpose which relates to a function or activity carried out by atWORK.
19.1.1 atWORK will ensure that Personal Information collected is adequate, relevant and not excessive, when taking into account the specific purpose for which the information of that particular Data Subject is collected.
19.1.2 atWORK will always strive to collect Personal Information directly from you, the Data Subject concerned, unless one of the following exclusions as laid down in POPIA applies:
19.1.2.1 the information is contained in or derived from a public record or has deliberately been made public by the Data Subject;
19.1.2.2 the Data Subject or a Competent Person where the Data Subject is a child has consented to the collection of the information from another source;
19.1.2.3 collection of the information from another source would not prejudice a legitimate interest of the Data Subject;
19.1.2.4 collection of the information from another source is necessary:
19.1.2.4.1 to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
19.1.2.4.2 to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act 34 of 1997);
19.1.2.4.3 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
19.1.2.4.4 in the interests of national security; or
19.1.2.4.5 to maintain the legitimate interests of atWORK or of a third party to whom the information is supplied;
19.1.2.5 Compliance would prejudice a lawful purpose of the collection; or
19.1.2.6 Compliance is not reasonably practicable in the circumstances of the particular case.
19.2 atWORK specifically collects Personal Information for the following purposes:
19.2.1 Collection from Clients and users
19.2.1.1 performing duties in terms of any agreement with Clients;
19.2.1.2 making, or assisting in making, credit decisions about Clients;
19.2.1.3 operating and managing Clients’ accounts and managing any application, agreement or correspondence Clients may have with atWORK;
19.2.1.4 communicating (including direct marketing) with Clients by email, SMS, letter, telephone or in any other way about atWORK’s products and services, unless Clients indicate otherwise;
19.2.1.5 forming a view of Clients as individuals and to identify, develop or improve products, that may be of interest to Clients;
19.2.1.6 carrying out market research, business and statistical analysis;
19.2.1.7 performing other administrative and operational purposes including the testing of systems;
19.2.1.8 recovering any debt Clients may owe atWORK;
19.2.1.9 complying with atWORK’s regulatory and other obligations;
19.2.1.10 any other reasonably required purpose relating to atWORK’s business.
19.2.2 Collection from prospective Clients
19.2.2.1 verifying and updating information;
19.2.2.2 direct marketing;
19.2.2.3 any other reasonably required purpose relating to the processing of a prospective Client’s Personal Information reasonably related to atWORK’s business.
19.2.3 Collection from employees
19.2.3.1 the same purposes as for Clients (above);
19.2.3.2 verification of applicant employees’ information during the recruitment process;
19.2.3.3 general matters relating to employees, including pension, medical aid, disciplinary action and training;
19.2.3.4 any other reasonably required purpose relating to the employment or possible employment relationship.
19.2.4 Collection from suppliers and other businesses
19.2.4.1 verifying information and performing checks;
19.2.4.2 purposes relating to the agreement or business relationship or possible agreement or business relationships between the parties;
19.2.4.3 payment of invoices;
19.2.4.4 complying with atWORK’s regulatory and other obligations; and
19.2.4.5 any other reasonably required purpose relating to atWORK’s business.
19.3 If the information is not collected from you directly you will be informed of the purpose as soon as practicable or upon request.
20. CATEGORIES OF DATA SUBJECTS AND PERSONAL INFORMATION
20.1 The type of Personal Information collected from a Data Subject depends on the reason that the Data Subject is engaging with atWORK.
20.2 This paragraph sets out the various categories of Data Subjects that atWORK processes Personal Information on and the types of Personal Information relating thereto.
20.3 Clients of atWORK
For Clients of atWORK the information collected may include the following and is collected for the purpose of providing products or services to the Client:
20.3.1 name;
20.3.2 identity or company registration number;
20.3.3 names, identity numbers and contact particulars of directors;
20.3.4 postal and/or street addresses;
20.3.5 contact numbers and email addresses;
20.3.6 banking and financial information;
20.3.7 VAT and/or tax details;
20.3.8 information about products or services;
20.3.9 browsing habits and click patterns on atWORK websites;
20.3.10 other information not specified, reasonably required to be processed for business operations.
20.4 Suppliers and third parties
For Suppliers of atWORK the information collected may include the following and is collected for the purpose of ensuring that the Supplier is capable of rendering the service or product as required by atWORK and having sufficient detail to effect payment of any accounts or enforce any rights against them:
20.4.1 name;
20.4.2 identity or company registration number;
20.4.3 names, identity numbers and contact particulars of directors;
20.4.4 postal and/or street addresses;
20.4.5 contact numbers and email addresses;
20.4.6 banking details;
20.4.7 VAT and/or tax details;
20.4.8 information about products or services;
20.4.9 broad-based black economic empowerment status;
20.4.10 website details;
20.4.11 browsing habits and click patterns on atWORK websites;
20.4.12 other information not specified, reasonably required to be processed for business operations.
20.5 Prospective employees
For prospective employees atWORK may collect the following information for the purpose of determining whether the prospective employee may be a suitable candidate to become employed with atWORK:
20.5.1 full names;
20.5.2 postal and/or street addresses;
20.5.3 contact numbers and email addresses;
20.5.4 identity number and copies of identity documents (including passports);
20.5.5 ethnic group;
20.5.6 age;
20.5.7 gender;
20.5.8 marital status;
20.5.9 nationality;
20.5.10 language;
20.5.11 employment history and references;
20.5.12 education and qualifications;
20.6 Employees
For employees of atWORK the following information may be collected for the purpose of ensuring compliance with the applicable labour and tax laws:
20.6.1 name and contact details;
20.6.2 identity number and copies of identity documents (including passports);
20.6.3 ethnic group;
20.6.4 age;
20.6.5 gender;
20.6.6 marital status;
20.6.7 nationality;
20.6.8 language;
20.6.9 employment history and references;
20.6.10 education and qualifications;
20.6.11 banking and financial details;
20.6.12 details of payments to third parties (deductions from salary);
20.6.13 employment contract;
20.6.14 employment equity plans;
20.6.15 medical aid details;
20.6.16 pension fund records;
20.6.17 remuneration/salary records;
20.6.18 performance appraisals;
20.6.19 disciplinary records;
20.6.20 leave records;
20.6.21 training records;
20.6.22 next of kin names and contact numbers.
20.7 Other categories
20.7.1 In respect of Covid-19 screening the Personal Information collected is necessary to comply with the Disaster Management Act and supplementary regulations and directives. This information will be kept confidential unless disclosure is required by law, for instance should a positive case be identified. This information will be stored for a period of 14 (fourteen) days and thereafter be destroyed. If you do not provide the information as required, we can limit or refuse you access to the premises.
20.7.2 Any closed-circuit television monitoring footage is only processed for security purposes and not shared with any person or entity outside atWORK.
21.1.1 atWORK undertakes to only process Personal Information of you as the Data Subject if any of the following applies, unless compliance is unnecessary in terms of the exclusions contained in POPIA:
21.1.1.1 the Data Subject or a Competent Person where the Data Subject is a child consents to the processing;
21.1.1.2 processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is party;
21.1.1.3 processing complies with an obligation imposed by law on atWORK;
21.1.1.4 processing protects a legitimate interest of the Data Subject;
21.1.1.5 processing is necessary for the proper performance of a public law duty by a public body; or
21.1.1.6 processing is necessary for pursuing the legitimate interests of atWORK or of a third party to whom the information is supplied.
21.1.2 atWORK notes that it bears the burden of proof for the Data Subject’s or Competent Person’s consent as referred to above.
21.1.3 You may withdraw your consent, or object to the processing of Personal Information, at any time and atWORK must inform you of this right, which we hereby do. The Data Subjects are also informed of the consequences should they withdraw consent, and where consent cannot be withdrawn as the Personal Information is required by law or for the proper execution of the contract or agreement.
22. OBJECTION BY DATA SUBJECT TO PROCESSING OF PERSONAL INFORMATION
22.1 Where you object to the processing of Personal Information, and the processing is not necessary for the proper execution of a contract or not required by law, atWORK will stop processing the data immediately.
22.2 Data Subjects must object to the processing of Personal Information by informing atWORK by completing FORM 1 (Objection to the Processing of Personal Information in terms of Section 11(3) of the Protection of Personal Information Act) attached as Schedule 1 hereto. On receipt of the corrected information atWORK will as soon as practically possible:
22.2.1 cease Processing the information and destroy or delete such information as it may have in its possession, unless legislation provides for such Processing;
22.2.2 inform the Data Subject of the result of the request and, where applicable, provide the Data Subject to his or her reasonable satisfaction with written confirmation that it has ceased Processing the Data Subject’s Personal Information;
22.2.3 inform each person or body or responsible party to whom the Personal Information has been disclosed of these steps.
23.1 atWORK undertakes that it will not retain information any longer than is necessary for achieving the purpose for which the information was collected or processed, unless:
23.1.1 retention of the record is required or authorised by law;
23.1.2 atWORK reasonably requires the record for lawful purposes related to its functions or activities;
23.1.3 retention of the record is required by a contract between the parties thereto; or
23.1.4 the Data Subject or a Competent Person where the Data Subject is a child has consented to the retention of the record.
23.2 Due to the administrative difficulties of managing different retention periods, atWORK’s policy is to retain all employee and supplier information for a maximum period of 7 years, unless required by law or practical considerations to retain it longer in terms of other applicable Company policies. This period will be communicated to Data Subjects.
23.3 All Personal Information belonging to Clients or users of Clients will be retained for such a period of time as may be advised by the Client and/or applicable user, whereupon it will be permanently deleted after a period of at least 90 days after a Client or user has requested deletion of the information, unless required by law or practical considerations to retain it longer. This period will be communicated to Data Subjects.
23.4 atWORK will also keep secure back-ups in terms of its information security management system for a period of 2 years after the active information has been deleted from its servers, after which period the back-ups will be permanently deleted.
23.5 Should a Data Subject not consent to the abovementioned retention periods, the retention period will default back to the prescribed period as per legislation. These Data Subjects will be flagged to ensure that their records are destroyed after the retention period.
23.6 Records will be permanently destroyed after the aforementioned retention periods.
24. LIMITATIONS ON THE FURTHER PROCESSING OF INFORMATION
24.1 atWORK will only process information further if it is in accordance or compatible with the purpose for which it was collected. Further processing refers to any processing of Personal Information for reasons other than those for which it was obtained and that have already been communicated to the Data Subject.
24.2 Whether further processing is compatible with the original purpose for collection, will be determined by taking into account the following:
24.2.1 the relationship between the purpose of the intended further processing and the purpose for which the information has been collected;
24.2.2 the nature of the information concerned;
24.2.3 the consequences of the intended further processing for the Data Subject;
24.2.4 the manner in which the information has been collected; and
24.2.5 any contractual rights and obligations between the parties.
24.3 If the further processing is not in accordance or compatible with the original purpose for collection, atWORK will only process the information further if one of the following is applicable:
24.3.1 the Data Subject or a Competent Person where the Data Subject is a child has consented to the further processing of the information;
24.3.2 the information is available in or derived from a public record or has deliberately been made public by the Data Subject;
24.3.3 further processing is necessary:
24.3.3.1 to avoid prejudice to the maintenance of the law by any public body including the prevention, detection, investigation, prosecution and punishment of offences;
24.3.3.2 to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act 34 of 1997);
24.3.3.3 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
24.3.3.4 in the interests of national security;
24.3.4 the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to:
24.3.4.1 public health or public safety; or
24.3.4.2 the life or health of the Data Subject or another individual;
24.3.5 the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
24.3.6 the further processing of the information is in accordance with an exemption granted by the Regulator in terms of POPIA.
24.4 QUALITY OF INFORMATION
24.5 atWORK will take reasonably practical steps to ensure that the Personal Information is complete, accurate, not misleading and updated when necessary.
24.6 Data Subjects have the right to contest the accuracy of the information by informing atWORK by completing FORM 2 (Request for Correction or Deletion of Personal Information or Destroying or Deletion of Record of Personal Information in terms of Section 24(1) of the Protection of Personal Information Act) attached as Schedule 2 hereto. On receipt of the corrected information atWORK will as soon as practically possible:
24.6.1 correct the information or destroy or delete the information, depending on the relevant request;
24.6.2 provide the Data Subject, to his or her reasonable satisfaction, with credible evidence in support of the information, or where agreement cannot be reached between atWORK and the Data Subject, and if the Data Subject so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made;
24.6.3 inform each person or body or responsible party to whom the Personal Information has been disclosed of these steps;
24.6.4 inform the Data Subject of the result of the request.
25. CROSS-BORDER INFORMATION FLOWS
25.1 atWORK will not transfer Personal Information about a Data Subject to a third party who is in a foreign country unless one of the following is applicable:
25.1.1 the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that:
25.1.1.1 effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of Personal Information relating to a Data Subject who is a natural person and, where applicable, a juristic person; and
25.1.1.2 includes provisions, that are substantially similar to this section, relating to the further transfer of Personal Information from the recipient to third parties who are in a foreign country;
25.1.2 the Data Subject consents to the transfer;
25.1.3 the transfer is necessary for the performance of a contract between the Data Subject and the responsible party, or for the implementation of pre-contractual measures taken in response to the Data Subject’s request;
25.1.4 the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data Subject between the responsible party and a third party; or
25.1.5 the transfer is for the benefit of the Data Subject, and:
25.1.5.1 it is not reasonably practicable to obtain the consent of the Data Subject to that transfer; and
25.1.5.2 if it were reasonably practicable to obtain such consent, the Data Subject would be likely to give it.
25.2 atWORK does not, in the ordinary course of business, transfer Personal Information to third parties in foreign countries and all data and Personal Information are stored on atWORK’s servers in South Africa.
26. ACCESS TO PERSONAL INFORMATION BY DATA SUBJECT
26.1 A Data Subject has the right to be aware of their Personal Information being processed and to take part in this process by either objecting to such processing or ensuring that the information is correct by requesting atWORK to remove or correct incorrect information.
26.2 atWORK will take all reasonably practicable measures to inform Data Subjects about the Personal Information being processed.
26.3 Any Data Subject may, having provided adequate proof of identity, request atWORK to confirm whether or not atWORK holds Personal Information about them and the identity of third parties who have, or have had access to the information. FORM C (Request for Access to Record of a Private Body) attached as Schedule 3 hereto must be used for this application. A Data Subject may need to pay a fee for these services which will always be charged in terms of the Promotion of Access to Information Act. You may contact the Information Officer to obtain a list of these fees.
26.4 Access to information will be granted or refused, as the case may be, as requested by the Data Subject as provided for in the Promotion of Access to Information Act (PAIA) after taking into consideration all the requirements of this Act.
27. SAFETY MEASURES FOR THE PROTECTION OF PERSONAL INFORMATION
27.1 atWORK has implemented a comprehensive information security policy to secure the integrity and confidentiality of Personal Information in its possession or under its control and takes continuous appropriate, reasonable technical and organisational measures to prevent:
27.1.1 loss of, damage to or unauthorised destruction of Personal Information; and
27.1.2 unlawful access to or processing of Personal Information.
27.2 atWORK has obtained, and maintains, an ISO/IEC 27001:2013 (Information Security Management Systems – Requirements) certification from PECB Management Systems Inc, a provider accredited by the International Accreditation Service as a Management System Certification Body and Product Certification Agency.
27.3 The safeguards implemented by atWORK are of a reasonable standard taking into account the best industry practice and contain at least the following:
27.3.1 physical access controls to information stored on paper and on servers;
27.3.2 anti-virus programmes;
27.3.3 firewalls;
27.3.4 password access controls to digital records;
27.3.5 remote destruction;
27.3.6 an Information Security Policy;
27.3.7 subscribing to Secure System Engineering Principles;
27.3.8 a Supplier Security Policy;
27.3.9 an Incident Management Procedure;
27.3.10 an Acceptable Use Policy;
27.3.11 an Access Management Policy;
27.3.12 an Information Classification Policy.
28. MAKING USE OF AN OPERATOR OR ACTING AS AN OPERATOR
28.1 Where atWORK makes use of Operators in the processing of Personal Information, the following minimum standards will be adhered to:
28.1.1 Each operator must sign a POPIA service agreement with atWORK to ensure that the operator establishes and maintains the same level of security measures that atWORK does in order to ensure the safeguarding of information. The service agreement must provide that the operator must notify atWORK immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorised person.
29.1 atWORK will, where there are reasonable grounds to believe that Personal Information of a Data Subject has been accessed by an unauthorised person, notify the Regulator and the Data Subject (unless the identity of the Data Subject cannot be established) in terms of its Incident Management Procedure.
29.2 The notification will be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of atWORK’s information system.
29.3 The notification to a Data Subject shall be in writing and communicated to the Data Subject in at least one of the following ways:
29.3.1 Mailed to the Data Subject’s last known physical or postal address;
29.3.2 sent by e-mail to the Data Subject’s last known e-mail address;
29.3.3 placed in a prominent position on the website of atWORK;
29.3.4 published in the news media; or
29.3.5 as may be directed by the Regulator.
29.4 The following information will be included in notifications:
29.4.1 a description of the possible consequences of the security compromise;
29.4.2 a description of the measures that atWORK intends to take or has taken to address the security compromise;
29.4.3 a recommendation with regard to the measures to be taken by the Data Subject to mitigate the possible adverse effects of the security compromise; and
29.4.4 if known, the identity of the unauthorised person who may have accessed or acquired the Personal Information.
30.1 General principles
30.1.1 atWORK takes note that the processing of Personal Information of a Data Subject for the purpose of direct marketing by means of any form of electronic communication, including automatic calling machines, facsimile machines, SMSs or e-mail is prohibited unless the Data Subject:
30.1.1.1 has given his, her or its consent to the processing; or
30.1.1.2 is a Client of atWORK and:
30.1.1.2.1 atWORK has obtained the contact details of the Data Subject in the context of the sale of a product or service;
30.1.1.2.2 the processing is for the purpose of direct marketing of atWORK’s own similar products or services; and
30.1.1.2.3 the Data Subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details.
30.1.2 atWORK will also adhere to the following rules relating to direct marketing to Data Subjects:
30.1.2.1 atWORK may approach a Data Subject only once, and in the prescribed manner and form, for his consent to direct marketing. If the consent has been withheld previously, the Data Subject may not be approached again to request consent or to provide such direct marketing.
30.1.2.2 the request for consent will be in the format as prescribed by POPIA, substantially in accordance with FORM 4 (Application for the Consent of a Data Subject for the Processing of Personal Information for the Purpose of Direct Marketing in terms of Section 69(2) of the Protection of Personal Information Act);
30.1.2.3 all direct marketing sent by electronic means will contain the identity of the sender or the person on whose behalf the communication has been sent, and an address or other contact details to which the recipient may send a request that such communication must cease.
30.1.2.4 A directory is kept of all Data Subjects who have opted-out of the direct marketing to ensure that they do not receive further marketing material.
30.2 Direct marketing to new potential clients
30.2.1 atWORK processes Personal Information for the purpose of direct marketing by means of electronic communication through the following channels:
30.2.1.1 Text and SMS, Voice calls or messages, Emails.
30.2.2 For new potential clients the following process needs to be followed in respect of direct marketing to these Data Subjects:
30.2.3 the source from which the information is obtained will be listed in atWORK’s internal POPIA Compliance File.
30.2.4 a message is sent to the Data Subject to inform them that their information has been collected for purposes of direct marketing and requests their consent. The Data Subject must reply with a positive response otherwise the details are removed from the subscriber list. If an e-mail is sent there is the option to ‘unsubscribe’.
30.2.5 All Data Subjects who do not provide a positive response and those who unsubscribe will be removed from the subscriber list and may not be contacted for the purposes of direct marketing again.
30.3 Direct marketing to existing clients
30.3.1 atWORK processes Personal Information for the purpose of direct marketing to existing clients by means of electronic communication through the following channels:
30.3.1.1 Text and SMS, Voice calls or messages, Emails.
30.3.2 For existing Clients, the following process needs to be followed in respect of direct marketing to these Data Subjects:
30.3.2.1 once the Data Subject has become a Client of atWORK, its information will be placed on a directory which is linked to the type of product or service it receives. Only similar products to those already offered to the Data Subject are marketed. atWORK will ensure that different directories are kept for different Clients based on the type of product or service offered to ensure compliance with this requirement.
30.3.2.2 A message is sent to the Data Subject and the message will contain the option to ‘unsubscribe’. All Data Subjects who unsubscribe must be removed from the subscriber list and may not be contacted for the purposes of direct marketing again.
30.4 Use of listing services or public directories
30.4.1 atWORK notes that a Data Subject who is a subscriber to a printed or electronic directory of subscribers available to the public or obtainable through directory enquiry services, in which his, her or its Personal Information is included, must be informed, free of charge and before the information is included in the directory:
30.4.1.1 about the purpose of the directory;
30.4.1.2 about any further uses to which the directory may possibly be put, based on search functions embedded in electronic versions of the directory.
30.4.2 A Data Subject must be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its Personal Information or to request verification, confirmation or withdrawal of such information if the Data Subject has not initially refused such use.
30.4.3 atWORK does not make their directories available to the public.
31.1 atWORK will provide regular training to all new employees and all existing employees as well as the Information Officer.
32.1 atWORK will report any breach of information to the Regulator as provided for in this Manual.
32.2 atWORK takes note that any person may submit a complaint to the Regulator alleging interference with the protection of the Personal Information of a Data Subject or non-compliance with POPIA.
32.3 atWORK further notes that if it is aggrieved by the finding of any adjudicator it can submit a complaint to the Regulator in the prescribed manner and form. These forms will form part of atWORK’s internal POPIA Compliance File under FORM 5 (Complaint Regarding Interference with the Protection of Personal Information/Complaint Regarding the Determination of an Adjudicator in terms of Section 74 of the Protection of Personal Information Act).
32.4 The Information Regulator may be contacted as follows:
Contact body: The Information Regulator
Physical Address: Braampark Forum 3, 33 Hoofd Street, Braampark, Johannesburg
Fax Number:
E-Mail:
Website:
33.1 atWORK’s use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
SCHEDULE 1
FORM 1: OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION
Signed at ……………………………………this ………………. day of …………………………………… 20………..
............................................................
Signature of data subject/designated person
SCHEDULE 2
FORM 2: REQUEST FOR CORRECTION OF PROCESSING OF PERSONAL INFORMATION
Fax number/ E-mail address:
C INFORMATION TO BE CORRECTED/DELETED/ DESTRUCTED/ DESTROYED
D REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(a) WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY; and or REASONS FOR *DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24(1)(b) WHICH THE RESPONSIBLE PARTY IS NO LONGER AUTHORISED TO RETAIN. (Please provide detailed reasons for the request)
Signed at .......................................... this ...................... day of ...........................20………...
...........................................................................
Signature of data subject/ designated person
SCHEDULE 3
FORM C: REQUEST FOR ACCESS TO INFORMATION