POLICY STATEMENT
1.1 General
Nazareth House is committed to protecting all persons’ privacy and recognises that it needs to comply with statutory requirements whenever it collects, processes, and distributes personal information. South Africa has included the right to privacy within the South African Bill of Rights (the Constitution of the Republic of South Africa, 108 of 1996) and has given effect to that right through the Protection of Personal Information Act 4 of 2013 (POPI).
Nazareth House is committed to protecting the privacy of our residents, employees, donors and partners, in line with POPI and related South African legislation, including the Promotion of Access to Information Act 2 of 2000, and with established good governance practice.
Nazareth House is established, mandated and governed by the Non-Profit Organisations Act, the Constitution of Nazareth House and relevant policies. In order to perform its functions, Nazareth House needs to process personal information about the persons with whom it deals and interacts from time to time. Nazareth House may need to process such information for various reasons, such as monitoring, caring for, safeguarding and assisting residents; protecting the health and safety of staff and residents; and administering the details of employees and of other stakeholders, donors or partners.
Nazareth House may also be obliged by law or by governing bodies to process such information for reporting, statistical or other purposes.
1.2 Objective of this Policy
This policy establishes and enables an organisational framework for the processing of personal information that holds respect for data subjects, transparency, accountability and auditability at its core. The purpose of this policy is therefore to demonstrate Nazareth House’s commitment to safeguarding personal information of all persons, including juristic persons, with whom it interacts and to ensure that the organisation and its employees comply with the requirements imposed by POPI.
Without limiting the generality of the above purpose, the further purposes are to:
• establish an organisational policy that will provide direction with respect to the manner of compliance with POPI.
• give effect to the right to privacy and at the same time balance the right to privacy against other rights such as the right to access to information, and to protect important interests such as the free flow of information.
• regulate the way personal information may be processed.
• establish measures to ensure respect for and to promote, enforce and fulfil the rights protected.
• protect Nazareth House’s records and information in order to ensure the continued day-to-day running of the organisation.
1.3 Definitions
‘Data subject’, as defined by POPI, means the person to whom personal information relates. Data subjects may include, but are not limited to:
· Residents (current, past, applicants)
· Guardians (current, past, applicants)
· Employees employed by Nazareth Care (past, current, candidates/applicants)
· Temporary and casual staff
· Visitors to the organisation
· Suppliers
· Board of Management
· Unions, and other statutory bodies or organisations
· Organisation facility users
· Donors, sponsors, partners, stakeholders and advertisers
· Benefactors, legators or other testamentary bodies
· Members of the public
· Beneficiaries
‘Personal information’, as defined in POPI, means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to:
· information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
· information relating to the education or the medical, financial, criminal or employment history of the person.
· any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
· the biometric information of the person.
· the personal opinions, views or preferences of the person.
· correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence.
· the views or opinions of another individual about the person.
· the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
A ‘Process’ is a collection of practices that takes inputs from several sources (including other processes), manipulates the inputs and produces outputs (such as services, publications or research findings).
‘Process owner’ is the individual accountable for the performance of a process.
‘Processing’, as defined by POPI means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including:
· the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; and
· dissemination by means of transmission, distribution or making available in any other form, or merging, linking, as well as restriction, degradation, erasure or destruction of information.
‘Responsible party’ means Nazareth House, who engages in the act of processing personal information.
‘Special personal information’ means the categories of personal information that POPI subjects to stricter conditions for processing, namely:
· religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life, biometric information (including DNA) and criminal behaviour.
· personal information concerning an individual incapable of consenting themselves (see section 2.13).
‘Organisation’ means Nazareth House, which includes its departments, bodies, organisations and employees.
2. PROCEDURE DESCRIPTION
2.1 Scope
POPI applies to organisations that process personal information, including for administrative and marketing purposes. This policy has organisation-wide application and applies to personal information collected by the organisation in connection with the services it offers. This may include information collected offline through our communication channels and online through our website, branded pages on third-party platforms, and applications accessed or used through such websites or third-party platforms that are operated by or on behalf of the organisation. This policy is hereby incorporated into and forms part of the terms and conditions of use of the applicable organisational sites.
This policy does not apply to information collected by third-party websites, platforms and/or applications (“third-party sites”) which we do not control; information collected by third-party sites which you access via links on the organisation’s sites; and/or banners, sweepstakes and other advertisements or promotions on third-party sites that we may sponsor or participate in.
2.2 Rights of Data Subjects
The organisation respects a data subject’s right to have his, her or its personal information processed lawfully.
Data subjects have the right to:
• be notified that personal information about him, her or it is being collected, or that his, her or its personal information has been accessed or acquired by an unauthorised person.
• establish whether the organisation holds personal information of that data subject and to request access thereto.
• request, where necessary, the correction, destruction or deletion of his, her or its personal information.
• object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information.
• object to the processing of his, her or its personal information at any time for purposes of direct marketing.
• not be subjected, under certain circumstances, to a decision which is based solely on the automated processing of his, her or its personal information intended to provide a profile of such person.
• submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information.
• institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
2.3 Lawful Processing
The organisation processes personal information lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
2.4 Minimality
Only information which is necessary for the specific purpose for which it is collected, is processed. Information which is collected is adequate, relevant and not excessive. Information is collected in a manner which does not infringe the rights of the data subject.
2.5 Consent
The organisation processes personal information with the express consent of the data subject or, where the data subject is incapable of consenting themselves, of a competent person.
The organisation processes personal information without such express consent only if:
• processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
• processing complies with an obligation imposed by law on the organisation.
• processing protects a legitimate interest of the data subject.
• processing is necessary for the proper performance of a public law duty by the organisation.
• processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied.
The data subject or competent person may withdraw his, her or its consent at any time, provided that the withdrawal does not affect the lawfulness of processing carried out before the withdrawal, or of processing that rests on one of the other grounds listed above.
A data subject may object at any time, in the prescribed manner and on reasonable grounds relating to his, her or its particular situation, to the processing of personal information, unless legislation provides for such processing. If a data subject has objected, the organisation no longer processes the personal information concerned, and the relationship between the organisation and the data subject may be terminated.
2.6 Collection of Personal Information
The organisation collects personal information from the data subject directly, except as otherwise provided for below.
The organisation collects personal information from a source other than the data subject if:
• the information is contained in or derived from a public record or has deliberately been made public by the data subject.
• the data subject, or a competent person where the data subject is incapable of consenting themselves, has consented to the collection of the information from another source.
• collection of the information from another source would not prejudice a legitimate interest of the data subject.
• collection of the information from another source is necessary:
– to avoid prejudice to the maintenance of the law by the organisation, including the prevention, detection, investigation, prosecution and punishment of offences.
– to comply with an obligation imposed by law or to enforce legislation.
– for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.
– in the interests of national security.
– to maintain the legitimate interests of the organisation or of a third party to whom the information is supplied.
• collecting the information directly from the data subject would prejudice a lawful purpose of the collection.
• collecting the information directly from the data subject is not reasonably practicable in the circumstances of the particular case.
2.7 Specific Purpose
The organisation collects personal information for a specific, explicitly defined and lawful purpose related to a function or activity of the organisation. The organisation takes steps to ensure that the data subject is aware of the purpose of the collection of the information.
2.8 Retention & Restriction of Records
The organisation does not retain records of personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
• retention of the record is required or authorised by law.
• the organisation reasonably requires the record for lawful purposes related to its functions or activities.
• retention of the record is required by a contract between the parties thereto.
• the data subject, or a competent person where the data subject is incapable of consenting themselves, has consented to the retention of the record.
The organisation restricts processing of personal information if:
• its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information.
• the organisation no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof.
2.9 Further Processing
Further processing of personal information is done in accordance with, or in a manner compatible with, the purpose for which it was collected initially.
2.10 Quality Information
The organisation takes reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which personal information is collected or further processed.
2.11 Security & Integrity
The organisation secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
• loss of, damage to or unauthorised destruction of personal information; and
• unlawful access to or processing of personal information.
It is the objective of the organisation to take reasonable measures to:
• identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
• establish and maintain appropriate safeguards against the risks identified.
• regularly verify that the safeguards are effectively implemented; and
• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Anyone processing personal information on behalf of the organisation:
• processes such information only with the knowledge or authorisation of the organisation.
• treats personal information which comes to their knowledge as confidential and does not disclose it, unless required by law or in the course of the proper performance of their duties.
The organisation ensures, by way of a written contract between the organisation and each operator that processes personal information on its behalf, that the operator establishes and maintains the security measures required by the Act.
2.12 Special Personal Information
The organisation processes special personal information when:
• processing is carried out with the consent of a data subject.
• processing is necessary for the establishment, exercise or defence of a right or obligation in law.
• processing is necessary to comply with an obligation of international public law.
• processing is for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.
• the information has deliberately been made public by the data subject.
Except where one of the grounds above applies, the organisation does not process special personal information concerning:
• the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
• the criminal behaviour of a data subject, to the extent that such information relates to the alleged commission by a data subject of any offence, or to any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
2.13 Personal Information of Individuals incapable of Consenting Themselves
The organisation processes personal information of individuals incapable of consenting themselves:
• with the prior consent of a competent person.
• where it is necessary for the establishment, exercise or defence of a right or obligation in law.
• where it is necessary to comply with an obligation of international public law.
• where it is necessary for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the individual to a disproportionate extent.
• which has deliberately been made public by the individual with the consent of a competent person.
2.14 Transfers of Personal Information outside the Republic
The organisation does not transfer personal information about a data subject to a third party who is in a foreign country unless:
• the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and includes provisions, substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
• the data subject consents to the transfer.
• the transfer is necessary for the performance of a contract between the data subject and the organisation, or for the implementation of pre-contractual measures taken in response to the data subject’s request.
• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the organisation and a third party.
• the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer; and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
2.15 Non-Compliance with this Policy
Failure to apply the principles within this policy to the processing of personal information may render the organisation, or the individuals involved in the processing, non-compliant with South African privacy-related legislation.
This non-compliance may lead to fines and claims against the organisation and/or the individuals involved under South African legislation. Non-compliance may further expose the organisation to significant reputational harm, and data subjects to unnecessary risk and harm. Based on the nature of the non-compliance, the organisation may invoke its information breach procedures, and:
• the organisation may take disciplinary action against staff, residents, donors, partners, and stakeholders, for non-compliance with this policy.
• the organisation may take action, as allowed by contractual agreement or relevant legislation, against members of institutional statutory bodies and third-party suppliers and vendors for non-compliance with this policy.