POPI ACT – GNA

PROTECTION OF PERSONAL INFORMATION (POPI Act)
POLICY MANUAL AND COMPLIANCE FRAMEWORK

Accountability.

SANNA must ensure that the conditions for lawful processing of personal information set out in the Act, and all the required measures, are complied with.

Processing limitation.

Business processes provide the context for processing personal information – i.e. the specific purpose
Data collection must be proportionate for purpose – for member Registration and Discipline
Data processing must be for a legitimate purpose – member Database and Discipline
Member must give consent – Consent forms given to complete
Collection of personal data must be directly from the data subject unless it is contained in a public record
Data models prevent inference of prohibited data elements by means of DADIE Database
Limit the transfer of personal data to service providers – No transfer to service providers
Data subject must be able to object, in prescribed manner.

Purpose Specification.

Collection of personal information must be for a specifically defined, lawful purpose related to a function of SANNA.
Association members must be aware of the purpose of collecting data. The purpose for processing personal information must be clear.
Record retention must not be longer than necessary unless required by law, a contract or the member has consented. A record of the use of personal data to make a decision must be retained for such period required by a law or long enough for the member to request access to the record Destroy, delete or DE-identify as soon as a member has submitted a resignation document. Destruction of personal information must be in a manner that prevents reconstruction in an intelligible form.

Openness.

The member must be aware of the collection of the data and the name and address of the responsible party, whether voluntary or mandatory, and of any law authorising collection, except if:

Members is already aware of personal information being kept
all particulars are stated in PAIA information manual
Member consents to non-compliance
information will be used without identifying Member
personal information is already in the public domain.

Member Participation.

Establish communication processes with Member (via the Information Officer) Provide Member with access to personal information Enable Member to request correction of personal data Manner of access to information is defined in PAIA manual.

Security Safeguards Business controls for maintaining integrity:

Identify personal data (structured and unstructured) in all business processes (formal and informal)
Identify business processing manual controls
Identify application systems and IT processes that support the business processes Identify programmed procedures supporting the complete and accurate processing of personal data
Maintain appropriate granularity in user access controls
Maintain appropriate application level security
Maintain appropriate information resource protection
Prevent data leakage (structured and unstructured data)
Maintain the capability to detect security breaches
Regularly review contractual obligations of third parties Prohibit the processing of special personal information Comply with the requirements of Information Officer and/or Information Regulator.

Further Processing Limitation.

Further processing must be compatible with original purpose Be aware of the potential consequences of further processing Take note of any contractual rights and obligations Take steps to prevent further processing of personal data Data mining must not exceed original purpose Allow retention for historical, statistical or research purposes Stop unlawful processing.

Information Quality.

Maintain the accuracy of collected personal information Check that personal data is not misleading Ensure that personal data is up-to-date. Be aware of the impact the integrity of personal data has on the purpose for collecting personal data.
Note: master data must exclude unnecessary records
Note: master data must be secured, and accessed only on the need-to-know basis.
Master Data will be kept within DADIE database, secure and password protected.

Action Plan.

Business purposes for processing data is to maintain a register of all Naturists in South Africa. Use DADIE to register and processing personal data.

Contact and communicate with Members.
Obtain consent from Members via official consent form
Enable Member to object to processing of personal data
Perform risk assessment for the protection of personal data
Educate staff
Implement a system of internal control to maintain integrity – DADIE
Secure structured and unstructured data
Reduce record retention, destroy unnecessary personal data when no longer required except in the case of Disciplinary findings (Blacklisting)
Change contracts and obligations of service providers (additional costs of outsourcing for increased security)
Appoint an Information Officer for Member to liaise with
Respond to requests of the Information Officer
Comply with requirements of the Regulator.

Reference:

SANNA – South African National Naturist Association
PAIA – Promotion of Access to Information Act
DADIE – Official database management tool for SANNA to regulate membership.

Chairman of SANNA
Website: www.sanna.org.za
Facebook: https://www.facebook.com/groups/285301238300903/

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.