Achievement Awards Group (AAGroup) represents a group of companies that specialise in designing and implementing employee, channel and customer engagement solutions and is required to comply with The Protection of Personal Information Act 4 of 2013 (“POPIA”). AAGroup, as the responsible party, is required to inform Data Subjects representing clients, program participants, employees, customers and independent contractors whose data we store and process of how their Personal Information is used, stored, disclosed and destroyed.
The right to privacy is a basic human right, recognised and protected by the South African Constitution and POPIA. POPIA aims to protect individuals’ privacy by providing guidelines that are intended to apply to the storage, processing and use of Personal Information.
Through the provision of its services, AAGroup is automatically involved in the collection, processing, use and disclosure of certain aspects of the Personal Information of Data Subjects. A person’s right to privacy entails having control over their Personal Information and being able to conduct their affairs free from unwanted intrusions. Personal Information is an asset that belongs to the Data Subject and AAGroup is obliged to protect such data in accordance with the provisions of POPIA.
The scope of the Policy is defined by the provisions of POPIA and will include the Personal Information of all Data Subjects. It includes AAGroup’s responsibility in respect of third party operators, who process Personal Information on behalf of AAGroup in terms of a contract or mandate, without being under the direct authority of AAGroup.
- Information Technology Security Policy
- Data Security Policy
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use
- dissemination by means of transmission, distribution or making available in any other form, or
- merging, linking, as well as any restriction, degradation, erasure or destruction of information
- Writing on any material
- Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded or stored
- Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means
- Book, map, plan, graph or drawing
- Photograph, film, negative, tape or other devices in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced
- Promoting or offering to supply, in the ordinary course of business, any goods or services to the Data Subject, or
- Requesting the Data Subject to provide Personal Information of any kind for any reason
The purpose of this policy is to protect AAGroup from the compliance risks associated with the protection of Personal Information which includes:
- Breaches of confidentiality – e.g. AAGroup could suffer loss in revenue where it is found that the Personal Information of Data Subjects has been shared or disclosed inappropriately
- Failing to offer choice – e.g. all Data Subjects should be free to choose how and for what purpose AAGroup uses information relating to them
- Reputational damage – e.g. AAGroup could suffer reputational damage following an adverse event such as a computer hacker distributing or deleting Personal Information held by AAGroup.
This policy demonstrates AAGroup’s commitment to protecting the privacy rights of Data Subjects in the following manner:
- Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.
- By cultivating an organisational culture that recognises privacy as a valuable human right.
- By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of Personal Information.
- By creating business practices that will provide reasonable assurance that the rights of Data Subjects are protected and balanced with the legitimate business needs of AAGroup
- By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer in order to protect the interests of AAGroup and Data Subjects
- By raising awareness through training and providing guidance to individuals who process Personal Information so that they can act confidently and consistently
- AAGroup governing body
- All departments, business units and divisions of AAGroup
- All employees, independent contractors and interns
- All third party contractors, suppliers and other persons acting on behalf of AAGroup
5.1 Rights of Data Subjects
- The right to access Personal Information
AAGroup recognises that a Data Subject has the right to establish whether AAGroup holds Personal Information related to him, her or it including the right to request access to that Personal Information. AAGroup will provide a ‘Personal Information Request Form’ to be completed as part of the request.
- The right to have Personal Information corrected or deleted
The Data Subject has the right to request, where necessary, that their Personal Information must be corrected or deleted where AAGroup is no longer authorised to retain the Personal Information.
- The right to object to the processing of Personal Information
The Data Subject has the right, on reasonable grounds, to object to the processing of their Personal Information. In such circumstances, AAGroup will give due consideration to the request and the requirements of POPIA and may cease to use or disclose the Data Subject’s Personal Information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the Personal Information where applicable.
- The right to object to Direct Marketing
The Data Subject has the right to object to the processing of their Personal Information for purposes of Direct Marketing by means of unsolicited electronic, written or audible communications.
- The right to complain to the Information Regulator
The Data Subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of their Personal Information.
- The right to be informed
The Data Subject has the right to be notified that their Personal Information is being collected by AAGroup. The Data Subject also has the right to be notified in any situation where AAGroup has reasonable grounds to believe that the Personal Information of the Data Subject has been accessed or acquired by an unauthorised person.
5.2 General guiding principles
All employees and persons acting on behalf of AAGroup will at all times be subject to, and act in accordance with, the following guiding principles:
Failing to comply with POPIA could potentially damage AAGroup’s reputation or expose AAGroup to civil claims for damages. The protection of Personal Information is therefore the responsibility of everybody in AAGroup.
AAGroup will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement and monitoring of desired behaviour. AAGroup will take appropriate actions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.
5.2.2 Processing limitation
AAGroup will ensure that Personal Information under its control is processed:
- in a fair, lawful and non-excessive manner
- only with the informed Consent of the Data Subject
- only for a specifically defined purpose
- only for the duration required to provide services to Clients and to meet other regulatory requirements.
AAGroup will inform the Data Subject of the reasons for collecting their Personal Information and obtain written Consent prior to processing Personal Information. Alternatively, where services or transactions are concluded over the telephone or electronic video feed, AAGroup will maintain a voice recording of the stated purpose for collecting the Personal Information followed by the Data Subject’s subsequent Consent. AAGroup will under no circumstances distribute or share Personal Information between separate legal entities, associated companies (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.
5.2.3 Purpose specification
All of AAGroup’s business departments and operations must be informed by the Head of the department to allow for transparency of the process. AAGroup will process Personal Information only for specific, explicitly defined and legitimate reasons and will inform Data Subjects of these reasons prior to collecting or recording the Data Subject’s Personal Information.
5.2.4 Further processing limitation
Personal Information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where AAGroup seeks to process Personal Information it holds for a purpose other than the original purpose or not compatible with the original purpose, AAGroup will first obtain additional Consent from the Data Subject.
5.2.5 Information quality
AAGroup will take all reasonable steps to ensure that all Personal Information collected is complete and accurate.
5.2.6 Open communication
AAGroup will ensure that it establishes and maintains a ‘Contact Us’ facility, for instance via its website or through an electronic helpdesk, for Data Subjects who want to:
- enquire whether AAGroup holds related Personal Information, or
- request access to related Personal Information, or
- request AAGroup to update or correct related Personal Information, or
- make a complaint concerning the processing of Personal Information
Security safeguards: AAGroup shall apply internationally acceptable security controls commensurate with the sensitivity and privacy nature of the information being stored.
Therefore AAGroup will:
- manage the security of its Filing System to ensure that Personal Information is adequately protected
- ensure that security measures are applied in a context-sensitive manner
- ensure that all paper and electronic records comprising Personal Information are securely stored and made accessible only to authorised individuals
- ensure that all new employees sign employment contracts containing contractual terms for the use and storage of employee information
- ensure that confidentiality clauses are included in such contracts to reduce the risk of unauthorised disclosure of Personal Information
- ensure that all existing employees sign an addendum to their employment contracts containing the relevant Consent and confidentiality clauses
- ensure that third-party Suppliers sign declarations with AAGroup in which they pledge their commitment to POPIA and the lawful processing of any Personal Information pursuant to the agreement
5.2.7 Data Subject Participation and Consent
A Data Subject may request the correction or deletion of his / her / its Personal Information held by AAGroup who will provide the facility to do so.
Where applicable, AAGroup will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.
We offer family membership options on certain programs.
We capture the name and ID number of minors, but only when their parent has registered them onto the program. Processing of minors’ data is only done with the Consent of a parent or guardian, and we obtain the information directly from the parent or guardian. We do not correspond directly with any minors, as all communications go via the Principal member, who is of age.
- The child’s Personal Information will not be disclosed to a third party.
- The child’s details are not used for marketing purposes.
- The information is not going to be made public.
- Consent is acquired via our program / campaign websites. All registration pages have a POPI Terms tick box that needs to be accepted. Existing participants will also receive this pop-up on their login to the website if they have not accepted this before. The pop-up says:
By agreeing to these Terms on our website or the application, you Consent that we may process personal data that we collect from you in accordance with these Terms:
<Client name> and the program organisers, Achievement Awards Group may use your personal data that you supply to us upon registration to the Program (such as your name, address, contact details, etc.), together with any other information relating to your transactions and participation on the Program for the purposes of (1) administering the Program; (2) sending you news of our special events, offers, promotions either via email or SMS; (3) market research.
- We have addendums in place with our clients relating to any data collected by our clients and sent to us. They are well informed and have agreed to get Consent in these circumstances where they have collected the data.
- The Consent acceptance is recorded in aa.participantagreement table against the participant profile. Reports can be generated to show this acceptance of POPI terms.
- Withdrawal of Consent is managed via deregistration from the program/campaign. Upon request, their data can be anonymised.
5.3 Information officers
AAGroup has appointed an Information Officer who will be responsible for ensuring compliance with POPIA. Mr. Leon du Toit, the General Manager of AAGroup will assume the role of the Information Officer. AAGroup will register the Information Officer with the South African Information Regulator established under POPIA prior to performing his or her duties.
5.4 Specific duties and responsibilities
5.4.1 Governing Body
AAGroup’s Executive Committee cannot delegate its accountability and is ultimately answerable for ensuring that AAGroup meets its legal obligations in terms of POPIA. The Executive Committee may however delegate some of its responsibilities in terms of POPIA to management or other capable individuals.
5.4.2 The Executive Committee is responsible for ensuring that:
- AAGroup appoints an Information Officer when legally required
- All persons responsible for the processing of Personal Information on behalf of AAGroup:
  - are appropriately trained and supervised to do so
  - understand that they are contractually obligated to protect the Personal Information they come into contact with
  - are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them
- Data Subjects who want to make enquiries about their Personal Information are made aware of the procedure that needs to be followed should they wish to do so
- Periodic POPI audits are scheduled in order to accurately assess and review the ways in which AAGroup collects, holds, uses, shares, discloses, destroys and processes Personal Information
5.4.3 The Information Officer is responsible for:
- Taking steps to ensure AAGroup’s reasonable compliance with the provision of POPIA
- Keeping the Executive Committee updated about AAGroup’s information protection responsibilities under POPIA. In the case of a security breach, the Information Officer must inform and advise the Executive Committee of their obligations pursuant to POPIA
- Continually analysing privacy regulations and aligning them with AAGroup’s Personal Information processing procedures. This will include reviewing AAGroup’s information protection procedures and related policies
- Ensuring that POPI audits are scheduled and conducted on a regular basis
- Ensuring that AAGroup makes it convenient for Data Subjects who want to update their Personal Information or submit POPIA related complaints to AAGroup, e.g. by maintaining a “contact us” facility on AAGroup’s website
- Approving any contracts entered into with operators, employees and other third parties that may have an impact on the Personal Information held by AAGroup. This will include overseeing the amendment of AAGroup’s employment contracts and other service level agreements
- Encouraging compliance with the conditions required for the lawful processing of Personal Information
- Ensuring that employees and other persons acting on behalf of AAGroup are fully aware of the risks associated with the processing of Personal Information and that they remain informed about AAGroup’s security controls
- Organising and overseeing the awareness training of employees and other individuals involved in the processing of Personal Information on behalf of AAGroup
- Addressing employees’ POPIA related questions
- Addressing all POPIA related requests and complaints made by AAGroup’s Data Subjects
- Working with the Information Regulator in relation to any ongoing investigations. The Information Officer will therefore act as the contact point for the Information Regulator on issues relating to the processing of Personal Information and will consult with the Information Regulator, where appropriate, with regard to any other matter
- The Information Officer / acting Information Officer will appoint the relevant Heads of Department to assist in his / her responsibilities
5.4.4 The IT Manager is responsible for ensuring AAGroup’s:
- IT infrastructure, Filing Systems and any other devices used for processing Personal Information meet acceptable industry security standards.
- Electronically held Personal Information is kept only on designated drives and servers and uploaded only to approved cloud computing services.
- Servers containing Personal Information are sited in a secure location, away from the general office space
- All electronically stored Personal Information is backed up and tested on a regular basis.
- All back-ups containing Personal Information are protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Personal Information being transferred electronically is encrypted or password protected.
- All servers and computers containing Personal Information are protected by a firewall and industry related security software to ensure reasonable precaution is taken to protect such Personal Information.
- Regular IT audits are performed to ensure that the security controls on AAGroup’s hardware and software systems are functioning properly
- Regular IT audits are performed to verify whether electronically stored Personal Information has been accessed or acquired by any unauthorised persons.
- Proper due diligence is performed prior to contracting with operators or any other third-party service providers to process Personal Information on AAGroup’s behalf
5.4.5 The Creative Solution’s Hub is responsible for:
- Approving and maintaining the protection of Personal Information statements and disclaimers that are displayed on AAGroup’s website, including those attached to communications such as emails and electronic newsletters
- Addressing any Personal Information protection queries from journalists or media outlets such as newspapers
- Where necessary, working with persons acting on behalf of AAGroup to ensure that any outsourced marketing initiatives comply with POPIA.
5.4.6 Employees and Independent Contractors acting on behalf of AAGroup:
- Will, during the course of the performance of their services, gain access to and become acquainted with the Personal Information of certain Data Subjects.
- Are required to treat Personal Information as a confidential business asset and to respect the privacy of Data Subjects.
- May not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within AAGroup or externally, any Personal Information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties
- Must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a Data Subject’s Personal Information
- Will only process Personal Information where:
  - The Data Subject, or a competent person where the Data Subject is a child, consents to the processing
  - The processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party
  - The processing complies with an obligation imposed by law on the responsible party
  - The processing protects a legitimate interest of the Data Subject
  - The processing is necessary for pursuing the legitimate interests of AAGroup or of a third party to whom the information is supplied
  - The Data Subject clearly understands why and for what purpose their Personal Information is being collected
  - The Data Subject has granted AAGroup explicit electronic, written or verbally recorded Consent to process their Personal Information
- Will consequently, prior to processing any Personal Information, obtain a specific and informed expression of will from the Data Subject, in terms of which permission is given for the processing of Personal Information.
Informed Consent is therefore:
- Given when the Data Subject clearly understands for what purpose their Personal Information is needed and with whom it will be shared.
- Obtained in written form, which includes any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, AAGroup will keep a voice recording of the Data Subject’s Consent in instances where transactions are concluded telephonically or via electronic video feed.
Consent to process a Data Subject’s Personal Information will be obtained directly from the Data Subject except where:
- the Personal Information has been made public
- valid written Consent has been given by the Client on behalf of program participants
- the information is necessary for effective law enforcement
Employees and other persons acting on behalf of AAGroup will under no circumstances:
- Process or have access to Personal Information where such processing or access is not a requirement to perform their respective work-related tasks or duties
- Save copies of Personal Information directly to their own private computers, laptops or other mobile devices like tablets or smartphones. All Personal Information must be accessed and updated from AAGroup’s central database or a dedicated server
- Share Personal Information informally. In particular, Personal Information should never be sent by email, as this form of communication is not secure. Where access to Personal Information is required, it must be requested from the relevant line manager or the Information Officer
- Transfer Personal Information outside of South Africa without express permission from the Data Subject.
Employees and independent contractors acting on behalf of AAGroup are responsible for:
- Keeping all Personal Information that they come into contact with secure, by following the guidelines outlined within this policy
- Ensuring that Personal Information is held in as few places as is necessary. No unnecessary additional records, Filing Systems and data sets should therefore be created
- Ensuring that Personal Information is encrypted prior to sending or sharing the information electronically
The IT Manager will support employees and, where required, other persons acting on behalf of AAGroup with the sending or sharing of Personal Information to or with authorised external persons.
- Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store Personal Information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons
- Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks
- Ensuring that where Personal Information is stored on removable storage media such as external drives, CDs or DVDs that these are kept locked away securely when not being used
- Ensuring that where Personal Information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet
- Ensuring that where Personal Information has been printed, the paper printouts are not left unattended where unauthorised individuals could see or copy them, e.g. close to the printer
- Taking reasonable steps to ensure that Personal Information is kept accurate and up to date, e.g. confirming a Data Subject’s contact details when the client or customer phones or communicates via email. Where a Data Subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly
- Taking reasonable steps to ensure that Personal Information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where Personal Information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the Personal Information in the appropriate manner
- Undergoing POPIA Awareness training from time to time
- Where an employee or a person acting on behalf of AAGroup becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of Personal Information, he or she must immediately report this event or suspicion to the Information Officer.
5.5 POPI audit
- Identify the processes used to collect, record, store, disseminate and destroy Personal Information
- Determine the flow of Personal Information throughout AAGroup i.e. AAGroup’s various business units, divisions, brands and other associated organisations
- Redefine the purpose for gathering and processing Personal Information
- Ensure that the processing parameters are still adequately limited
- Ensure that new Data Subjects are made aware of the processing of their Personal Information
- Re-establish the rationale for any further processing where information is received via a third party
- Verify the quality and security of Personal Information
- Monitor the extent of compliance with POPIA and this policy
- Monitor the effectiveness of internal controls established to manage AAGroup’s POPI related compliance risk
5.6 Request to access personal information procedure
- Request what Personal Information AAGroup holds about them and why
- Request access to their Personal Information
- Be informed how to keep their Personal Information up to date
5.7 POPI complaints procedure
Data Subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. AAGroup will address all POPI related complaints in accordance with the following procedure:
- Complaints must be submitted to AAGroup in writing using the prescribed form available via firstname.lastname@example.org
- Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within one working day
- The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within two working days
- The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA
- The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on AAGroup’s Data Subjects
- Where the Information Officer has reason to believe that the Personal Information of Data Subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with AAGroup’s EXCO, whereafter the affected Data Subjects and the Information Regulator will be informed of this breach
- The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to AAGroup’s EXCO within seven working days of receipt of the complaint. In all instances, AAGroup will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines
The Information Officer’s response to the Data Subject may comprise any of the following:
- A suggested remedy for the complaint
- A dismissal of the complaint and the reasons as to why it was dismissed
- An apology (if applicable) and any disciplinary action that has been taken against any employees involved
- Where the Data Subject is not satisfied with the Information Officer’s suggested remedies the Data Subject has the right to complain to the Information Regulator
- The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints