1. POLICY STATEMENT

1.1 General

Nazareth House is committed to protecting all persons’ privacy and recognises that it needs to comply with statutory requirements whenever it collects, processes, and distributes personal information. South Africa has included the right to privacy within the South African Bill of Rights (the Constitution of the Republic of South Africa, 108 of 1996) and has given effect to that right through the Protection of Personal Information Act 4 of 2013 (POPI).

Nazareth House is committed to protecting the privacy of our residents, employees, donors, and partners, in line with POPI and related South African legislation, including the Promotion of Access to Information Act 2 of 2000, and good established governance.

Nazareth House is established, mandated and governed by the Non-Profit Organisations Act, the Constitution of Nazareth House and relevant policies. In order to perform its functions, Nazareth House needs to process personal information about all persons with whom it deals and interacts from time to time. There are various reasons why Nazareth House may need to process such information, such as monitoring, caring for, safeguarding and assisting residents; the health and safety of all staff and residents; and maintaining the details of employees and of other stakeholders, donors or partners.

Nazareth House may also be obligated by law or governing bodies to process such information for reporting, statistical or other purposes.

1.2 Objective of this Policy

This policy establishes and enables an organisational framework for the processing of personal information that holds respect for data subjects, transparency, accountability and auditability at its core. The purpose of this policy is therefore to demonstrate Nazareth House’s commitment to safeguarding personal information of all persons, including juristic persons, with whom it interacts and to ensure that the organisation and its employees comply with the requirements imposed by POPI.

Without limiting the generality of the above purpose, the further purposes are to:

• establish an organisational policy that will provide direction with respect to the manner of compliance with POPI.

• give effect to the right to privacy and at the same time balance the right to privacy against other rights such as the right to access to information, and to protect important interests such as the free flow of information.

• regulate the way personal information may be processed.

• establish measures to ensure respect for and to promote, enforce and fulfil the rights protected.

• protect Nazareth House’s records and information in order to ensure the continuation of the day-to-day running of the organisation.

1.3 Definitions

‘Data subject’, as defined by POPI, means the person to whom personal information relates. Data subjects may include, but are not limited to:

· Residents (current, past, applicants)

· Guardians (current, past, applicants)

· Employees employed by Nazareth Care (past, current, candidates/applicants)

· Temporary and casual staff

· Visitors to the organisation

· Suppliers

· Board of Management

· Unions, and other statutory bodies or organisations

· Organisation facility users

· Donors, sponsors, partners, stakeholders and advertisers

· Benefactors, legators or other testamentary bodies

· Members of the public

· Beneficiaries

‘Personal information’, as defined in POPI, means information relating to an identifiable, living individual or identifiable, existing company, including, but not limited to:

· information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.

· information relating to the education or the medical, financial, criminal or employment history of the person.

· any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.

· the biometric information of the person.

· the personal opinions, views or preferences of the person.

· correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence.

· the views or opinions of another individual about the person.

· the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

A ‘Process’ is a collection of practices that takes inputs from several sources (including other processes), manipulates the inputs and produces outputs (such as services, publications or research findings).

‘Process owner’ is the individual accountable for the performance of a process.

‘Processing’, as defined by POPI, means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

· the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use of information.

· dissemination by means of transmission, distribution or making available in any other form, or merging, linking, as well as restriction, degradation, erasure or destruction of information.

‘Responsible party’ means Nazareth House, which engages in the act of processing personal information.

‘Special Personal Information’ means any information that could be used to identify a data subject and includes:

· Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, DNA, sexual life and criminal behaviour.

· Personal information concerning an individual incapable of consenting themselves.

‘Organisation’ means Nazareth House, which includes its departments, bodies, organisations and employees.

2. PROCEDURE DESCRIPTION

2.1 Scope

The scope of POPI includes organisations as entities that handle personal information for administrative and marketing purposes. This policy has organisation-wide application. This policy applies to personal information collected by the organisation in connection with the services it offers. This may include information collected offline through our communication channels and online through our website, branded pages on third party platforms and applications accessed or used through such websites or third-party platforms which are operated by or on behalf of the organisation. This policy is hereby incorporated into and forms part of the terms and conditions of use on the applicable organisational sites.

This policy does not apply to information collected by third party websites, platforms and/or applications (“third party sites”) which we do not control; information collected by third party sites which you access via links on the organisation sites; and/or banners, sweepstakes and other advertisements or promotions on third party sites that we may sponsor or participate in.

2.2 Rights of Data Subjects

The organisation respects a data subject’s right to have his, her or its personal information processed lawfully.

Data subjects have the right to:

• be notified that personal information about him, her or it is being collected, or that his, her or its personal information has been accessed or acquired by an unauthorised person.

• establish whether the organisation holds personal information of that data subject and to request access thereto.

• request, where necessary, the correction, destruction or deletion of his, her or its personal information.

• object, on reasonable grounds relating to his, her or its particular situation, to the processing of his, her or its personal information.

• object to the processing of his, her or its personal information at any time for purposes of direct marketing.

• not be subjected, under certain circumstances, to a decision which is based solely on the automated processing of his, her or its personal information intended to provide a profile of such person.

• submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information.

• institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.

2.3 Lawful Processing

The organisation processes personal information lawfully and in a reasonable manner that does not infringe the privacy of the data subject.

2.4 Minimality

Only information which is necessary for the specific purpose for which it is collected is processed. Information which is collected is adequate, relevant and not excessive. Information is collected in a manner which does not infringe the rights of the data subject.

2.5 Consent

The organisation only processes personal information with the express consent of the data subject or a competent person where the data subject is incapable of consenting themselves.

The organisation processes personal information without express written consent, if:

• processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.

• processing complies with an obligation imposed by law on the organisation.

• processing protects a legitimate interest of the data subject.

• processing is necessary for the proper performance of a public law duty by the organisation.

• processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied.

The data subject or competent person may withdraw his, her or its consent at any time, provided that the lawfulness of the processing of personal information before such withdrawal, or of processing on the grounds listed above, will not be affected.

A data subject may object, at any time, to the processing of personal information in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing. If a data subject has objected to the processing of personal information, the organisation no longer processes the personal information and the relationship between the organisation and the data subject may be terminated.

2.6 Collection of Personal Information

The organisation collects personal information from the data subject directly, except as otherwise provided for below.

The organisation collects personal information from sources other than the data subject directly if:

• the information is contained in or derived from a public record or has deliberately been made public by the data subject.

• the data subject, or a competent person where the data subject is incapable of consenting themselves, has consented to the collection of the information from another source.

• collection of the information from another source would not prejudice a legitimate interest of the data subject.

• collection of the information from another source is necessary:

– to avoid prejudice to the maintenance of the law by the organisation, including the prevention, detection, investigation, prosecution and punishment of offences.

– to comply with an obligation imposed by law or to enforce legislation.

– for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated.

– in the interests of national security.

– to maintain the legitimate interests of the organisation or of a third party to whom the information is supplied.

• compliance would prejudice a lawful purpose of the collection.

• compliance is not reasonably practicable in the circumstances of the particular case.

2.7 Specific Purpose

The organisation collects personal information for a specific, explicitly defined and lawful purpose related to a function or activity of the organisation. The organisation takes steps to ensure that the data subject is aware of the purpose of the collection of the information.

2.8 Retention & Restriction of Records

The organisation does not retain records of personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

• retention of the record is required or authorised by law.

• the organisation reasonably requires the record for lawful purposes related to its functions or activities.

• retention of the record is required by a contract between the parties thereto.

• the data subject, or a competent person where the data subject is incapable of consenting themselves, has consented to the retention of the record.

The organisation restricts processing of personal information if:

• its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information.

• the organisation no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof.

2.9 Further Processing

Further processing of personal information is done in accordance with, or in a manner compatible with, the purpose for which it was initially collected.

2.10 Quality Information

The organisation takes reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which personal information is collected or further processed.

2.11 Security & Integrity

The organisation strives to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:

• loss of, damage to or unauthorised destruction of personal information; and

• unlawful access to or processing of personal information.

It is the objective of the organisation to take reasonable measures to:

• identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.

• establish and maintain appropriate safeguards against the risks identified.

• regularly verify that the safeguards are effectively implemented; and

• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Anyone processing personal information on behalf of the organisation:

• processes such information only with the knowledge or authorisation of the organisation.

• treats personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties.

The organisation ensures, by way of written contracts between the organisation and an operator, that any operator which processes personal information for the organisation establishes and maintains sufficient and proper security measures as required by the Act.

2.12 Special Personal Information

The organisation processes special personal information when:

• processing is carried out with the consent of a data subject.

• processing is necessary for the establishment, exercise or defence of a right or obligation in law.

• processing is necessary to comply with an obligation of international public law.

• processing is for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.

• the information has deliberately been made public by the data subject.

The organisation, subject to the non-compliance points below, does not process special personal information concerning:

• the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

• the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence, or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.

2.13 Personal Information of Individuals incapable of Consenting Themselves

The organisation processes personal information of individuals incapable of consenting themselves:

• with the prior consent of a competent person.

• where it is necessary for the establishment, exercise or defence of a right or obligation in law.

• where it is necessary to comply with an obligation of international public law.

• where it is necessary for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the individual to a disproportionate extent.

• which has deliberately been made public by the individual with the consent of a competent person.

2.14 Transfers of Personal Information outside the Republic

The organisation does not transfer personal information about a data subject to a third party who is in a foreign country unless:

• the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and includes provisions, substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;

• the data subject consents to the transfer.

• the transfer is necessary for the performance of a contract between the data subject and the organisation, or for the implementation of pre-contractual measures taken in response to the data subject’s request.

• the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the organisation and a third party.

• the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer; and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.

2.15 Non-Compliance with this Policy

Failure to apply and explain the principles within this policy to the processing of personal information may render the organisation, or the individuals involved in processing, non-compliant with South African privacy-related legislation.

This non-compliance may lead to fines and claims against the organisation and/or the individuals involved under South African legislation. Non-compliance may further expose the organisation to significant reputational harm and data subjects to unnecessary risk and harm. Based on the nature of the non-compliance, the organisation may execute its information breach procedures:

• the organisation may take disciplinary action against staff, residents, donors, partners, and stakeholders, for non-compliance with this policy.

• the organisation may take action, as allowed by contractual agreement or relevant legislation, against members of institutional statutory bodies and third-party suppliers and vendors for non-compliance with this policy.