PROTECTION OF PERSONAL INFORMATION (POPI Act)
POLICY MANUAL AND COMPLIANCE FRAMEWORK
Accountability.
SANNA must ensure that the conditions for lawful processing of personal information set out in the Act, and all the required measures, are complied with.
Processing limitation.
- Business processes provide the context for processing personal information, i.e. the specific purpose
- Data collection must be proportionate to the purpose (member registration and discipline)
- Data processing must be for a legitimate purpose (the member database and discipline)
- Members must give consent; consent forms are provided for completion
- Personal data must be collected directly from the data subject unless it is contained in a public record
- Data models must prevent inference of prohibited data elements; this is implemented through the DADIE database
- Transfer of personal data to service providers must be limited; SANNA does not transfer personal data to service providers
- The data subject must be able to object, in the prescribed manner.
Purpose Specification.
- Collection of personal information must be for a specifically defined, lawful purpose related to a function of SANNA.
- Association members must be aware of the purpose of collecting data. The purpose for processing personal information must be clear.
- Records must not be retained longer than necessary unless retention is required by law or a contract, or the member has consented.
- A record of the use of personal data to make a decision must be retained for the period required by law, or long enough for the member to request access to the record.
- Personal information must be destroyed, deleted or de-identified as soon as a member has submitted a resignation document.
- Destruction of personal information must be carried out in a manner that prevents reconstruction in an intelligible form.
Openness.
The member must be made aware of the collection of the data, of the name and address of the responsible party, of whether supplying the information is voluntary or mandatory, and of any law authorising collection, except if:
- the member is already aware of the personal information being kept
- all particulars are stated in the PAIA information manual
- the member consents to non-compliance
- the information will be used without identifying the member
- the personal information is already in the public domain.
Member Participation.
- Establish communication processes with members (via the Information Officer)
- Provide members with access to their personal information
- Enable members to request correction of their personal data
- The manner of access to information is defined in the PAIA manual.
Security Safeguards.
Business controls for maintaining integrity:
- Identify personal data (structured and unstructured) in all business processes (formal and informal)
- Identify business processing manual controls
- Identify application systems and IT processes that support the business processes
- Identify programmed procedures supporting the complete and accurate processing of personal data
- Maintain appropriate granularity in user access controls
- Maintain appropriate application level security
- Maintain appropriate information resource protection
- Prevent data leakage (structured and unstructured data)
- Maintain the capability to detect security breaches
- Regularly review contractual obligations of third parties
- Prohibit the processing of special personal information
- Comply with the requirements of the Information Officer and/or the Information Regulator.
Further Processing Limitation.
- Further processing must be compatible with the original purpose
- Be aware of the potential consequences of further processing
- Take note of any contractual rights and obligations
- Take steps to prevent incompatible further processing of personal data
- Data mining must not exceed the original purpose
- Retention for historical, statistical or research purposes is allowed
- Stop unlawful processing.
Information Quality.
- Maintain the accuracy of collected personal information
- Check that personal data is not misleading
- Ensure that personal data is up to date
- Be aware of the impact the integrity of personal data has on the purpose for which it was collected.
Note: master data must exclude unnecessary records
Note: master data must be secured, and accessed only on a need-to-know basis.
Master data will be kept in the DADIE database, secured and password protected.
Action Plan.
The business purpose for processing data is to maintain a register of all naturists in South Africa. DADIE is used to register members and process their personal data.
- Contact and communicate with members.
- Obtain consent from members via the official consent form
- Enable members to object to the processing of their personal data
- Perform risk assessment for the protection of personal data
- Educate staff
- Implement a system of internal control to maintain integrity (DADIE)
- Secure structured and unstructured data
- Reduce record retention; destroy unnecessary personal data when it is no longer required, except in the case of disciplinary findings (blacklisting)
- Change the contracts and obligations of service providers (noting the additional cost of outsourcing for increased security)
- Appoint an Information Officer for members to liaise with
- Respond to requests of the Information Officer
- Comply with requirements of the Regulator.
Reference:
- SANNA – South African National Naturist Association
- PAIA – Promotion of Access to Information Act
- DADIE – Official database management tool for SANNA to regulate membership.
Chairman of SANNA
Website: www.sanna.org.za
Facebook: https://www.facebook.com/groups/285301238300903/