
PROTECTION OF PERSONAL INFORMATION

1. POLICY STATEMENT

1.1. The AA processes personal information of its employees, members, clients and other data subjects from time to time. As such, it is obliged to comply with the Protection of Personal Information Act No. 4 of 2013 (“POPI”) as well as the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”).

1.2. In line with this, the AA is committed to protecting the privacy of its members, clients, suppliers, employees and other data subjects and to ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.

1.3. This Policy sets out the manner in which the AA deals with such personal information and provides clarity on the general purpose for which the information is used, as well as how data subjects can participate in this process in relation to their personal information.

1.4. In addition to this Policy, the AA has also developed a manual and made it available as prescribed under PAIA. Where parties/requesters submit requests for information in terms of this manual, internal measures, together with adequate systems, have been developed to process requests for information or access thereto.


2. OBJECTIVES

2.1. To ensure legislative compliance (POPI and PAIA) in respect of all personal information that the AA collects and processes.

2.2. To inform employees and clients as to how their personal information is used, disclosed and destroyed.

2.3. To ensure that personal information is only used for the purpose for which it was collected.

2.4. To prevent unauthorised access and use of personal information.


3. DEFINITIONS

3.1. “Biometric information” means personal information derived from a technique of personal identification based on physical, physiological or behavioural characteristics, including fingerprinting, amongst others.

3.2. “Processing” means:

3.2.1. The collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation or use;

3.2.2. Dissemination by means of transmission, distribution or making available in any form;

3.2.3. Merging, linking, erasure or destruction of information.

3.3. “PAIA” means the Promotion of Access to Information Act No. 2 of 2000.

3.4. “POPI” means the Protection of Personal Information Act No. 4 of 2013.

3.5. “Regulator” means the Information Regulator established in terms of the POPI Act.


4. COLLECTION OF PERSONAL INFORMATION

4.1. The AA collects and processes various information pertaining to its employees, members, clients and suppliers. The information collected is based on a specific need and will be processed for that need/purpose only. Whenever possible, the AA will inform the relevant party which information is required (mandatory) and which information is optional.

4.2. The employee, member or client will be informed of the consequence/s of failing to provide such personal information and any prejudice which may be incurred due to non-disclosure. For example, the AA may not be able to employ an individual without certain personal information relating to that individual or the organisation may not be in a position to render services to a client in the absence of certain information which is required.

4.3. The AA will process information in a manner that is lawful and reasonable (i.e., will not infringe the privacy of the individual or company).

4.4. Where consent is required for the processing of information, such consent will be obtained.

4.5. Information will be processed under the following circumstances:

4.5.1. When carrying out actions for the conclusion or performance of a contract

4.5.2. When complying with an obligation imposed by law on the company

4.5.3. For the protection of a legitimate interest of the data subject

4.5.4. Where necessary, for pursuing the legitimate interests of the company or of an authorised third party to whom the information is supplied.

4.6. Examples of the personal information the AA collects include, but are not limited to:

4.6.1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of an employee.

4.6.2. Information relating to the education or the medical, financial, criminal or employment history (this includes disciplinary action) of an employee.

4.6.3. Banking and account information.

4.6.4. Contact information.

4.6.5. Trade union membership and political persuasion.

4.6.6. Any identifying number, symbol, email address, telephone number, location information, online identifier or other particular assignment to the employee, member or client

4.6.7. The biometric information of the employee, member, client or data subject

4.6.8. The personal opinions, views or preferences of an employee (also performance appraisals or correspondence) and the views or opinions of another individual about the person

4.7. The AA shall not process special personal information without complying with the specific provisions of POPI. Special personal information includes personal information concerning:

4.7.1. the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, sex life or biometric information of a data subject; or

4.7.2. the criminal behaviour of a data subject, to the extent that such information relates to the alleged commission by the data subject of any offence, or to any proceedings in respect of such an alleged offence or the disposal of those proceedings.

4.8. Collection of employee information:

4.8.1. For the purposes of this Policy, employees include potential, past and existing employees of the AA. Independent contractors are treated on the same basis where the collection of information is concerned.

4.8.2. When appointing new employees/contractors, the AA requires information from prospective employees/contractors, including, but not limited to, that listed above, which is captured and processed on its system/s. Such information is reasonably necessary for the Company’s record-keeping purposes, as well as to ascertain whether the prospective employee/contractor meets the requirements for the position for which he or she is being appointed/contracted and is suitable for appointment.

4.8.3. The AA will use and process such employee information, as set out below, for purposes including, but not limited to, its employment records and the making of lawful decisions in respect of that employee and its business.

4.8.4. Use of employee information: Employees’ personal information will only be used for the purpose for which it was collected and intended. This includes, but is not limited to:

4.8.4.1. Submissions to the Department of Labour

4.8.4.2. Submissions to the Receiver of Revenue

4.8.4.3. For audit and recordkeeping purposes

4.8.4.4. In connection with legal proceedings

4.8.4.5. In connection with and to comply with legal and regulatory requirements

4.8.4.6. In connection with any administrative functions of the Company

4.8.4.7. Disciplinary action or any other action to address the employee’s conduct or capacity.

4.8.4.8. In respect of any employment benefits that the employee is entitled to

4.8.4.9. Pre- and post-employment checks and screening

4.8.4.10. Any other relevant purpose to which the employee has been notified.

4.8.5. Should information be processed for any other reason, the employee will be informed accordingly.

4.9. Collection of Member / Client/Supplier information:

4.9.1. For purposes of this Policy, clients include potential, past and existing members and clients. Suppliers include all vendors which contract with the AA, whether once off or recurring, in respect of products and services.

4.9.2. The AA collects and processes its members’, clients’ and suppliers’ personal information, such as that mentioned hereunder. The type of information collected will depend on the need for which it is collected, and it will be processed for that purpose only. Further examples of personal information collected from members/clients/suppliers include, but are not limited to:

4.9.2.1. The member/client/supplier’s identity number, name, surname, address, postal code

4.9.2.2. The member/client/supplier’s residential and postal address

4.9.2.3. Contact information

4.9.2.4. Banking details

4.9.2.5. Company registration number

4.9.2.6. Full name of the legal entity

4.9.2.7. Tax and/or VAT number

4.9.2.8. Details of the person responsible for the client’s/supplier’s account

4.9.3. The AA also collects and processes members’/clients’ personal information for marketing purposes, in order to ensure that its products and services remain relevant to its clients and potential clients.

4.9.4. Use of member/client/supplier information:

4.9.4.1. The member/client/supplier’s personal information will only be used for the purpose for which it was collected and as agreed. This may include, but is not limited to:

4.9.4.2. Providing products or services to members/clients

4.9.4.3. In connection with sending accounts and communication to a member/client in respect of services rendered.

4.9.4.4. Payment of suppliers and communication in respect of services rendered.

4.9.4.5. Referral to other service providers

4.9.4.6. Confirming, verifying and updating member/client/supplier details

4.9.4.7. Conducting market or customer satisfaction research

4.9.4.8. For audit and record keeping purposes

4.9.4.9. In connection with legal proceedings

4.9.4.10. In connection with and to comply with legal and regulatory requirements or when it is otherwise allowed by law.

4.10. Disclosure of personal information

4.10.1. The AA may share employees’ and members’/clients’/suppliers’ personal information with authorised third parties, as well as obtain information from such third parties, for the reasons set out above.

4.10.2. The AA may also disclose employees’ or members’/clients’/suppliers’ information where there is a duty or a right to disclose in terms of applicable legislation or the law, where it may be necessary to protect the rights of the organisation, or where it is in the interests of the data subject.


5. SAFEGUARDING OF PERSONAL INFORMATION AND CONSENT

5.1. The AA shall review its security controls and processes on a regular basis to ensure that personal information is secure.

5.2. It will take appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information. This will be achieved by –

5.2.1. Identifying internal and external risks

5.2.2. Establishing and maintaining appropriate safeguards

5.2.3. Regularly verifying these safeguards and their implementation

5.2.4. Updating the safeguards

5.2.5. Implementing generally accepted information security practices and procedures.

5.3. The AA shall appoint an Information Officer and Deputy Information Officer who is/are responsible for compliance with the conditions of the lawful processing of personal information and other provisions of POPI.

5.3.1. Information Officer details

5.3.2. Name: Nichola Wainwright, Executive: Corporate Affairs

5.3.3. Telephone number: 011 799 1709

5.3.4. Postal address: P O Box 596, Johannesburg, 2000

5.3.5. Physical address: 4 Hyperion Road, Denis Paxton House, Barbeque Downs, Kyalami

5.3.6. Email address: nwainwright@aasa.co.za

5.3.7. Deputy Information Officer

5.3.8. Name: Nico Crous, Chief Financial Executive

5.3.9. Telephone number: 011 799 1025

5.3.10. Postal address: P O Box 596, Johannesburg, 2000

5.3.11. Physical address: 4 Hyperion Road, Denis Paxton House, Barbeque Downs, Kyalami

5.3.12. Email address: ncrous@aasa.co.za

5.4. The specific responsibilities of the Information Officer and his/her Deputy include –

5.4.1. The development, implementation, monitoring and maintenance of a compliance framework.

5.4.2. The undertaking of a personal information impact assessment to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information.

5.4.3. The development, monitoring and maintenance of a manual, as well as the making available thereof, as prescribed in section 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

5.4.4. The development of internal measures, together with adequate systems to process requests for information or access thereto; and

5.4.5. To ensure that company staff awareness sessions are conducted regarding the provisions of POPI, regulations made in terms of POPI, codes of conduct, or information obtained from the Regulator.

5.5. Employment contracts/addendums thereto, containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPI are signed by every employee.

5.6. On an ongoing basis, all suppliers, insurers and other third-party service providers are required to sign a service level agreement guaranteeing their commitment to the Protection of Personal Information.

5.7. Consent to process client/member/supplier information is obtained from the client/member/supplier (or from a person who has been authorised by the client/member to provide that client’s/member’s personal information) at sign-on/appointment/contracting.


6. DIRECT MARKETING

6.1. The company shall ensure that:

6.1.1. It does not process any personal information for the purpose of direct marketing (by means of any form of electronic communication, including automatic calling machines, SMSs or e-mail) unless the data subject has given his, her or its consent to the processing or is an existing customer.

6.1.2. It will approach a data subject whose consent is required, and who has not previously withheld such consent, only once in order to request that consent. This will be done in the prescribed manner and form.

6.1.3. The data subjects will only be approached for the purpose of direct marketing of the AA’s own similar products or services. In all instances, the data subject shall be given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details at the time when the information is collected.

6.1.4. Any communication for the purpose of direct marketing will contain details of the identity of the sender or the person on whose behalf the communication has been sent and an address or other contact details to which the recipient may send a request that such communications cease.


7. TRANSFER OF INFORMATION OUTSIDE OF SOUTH AFRICA

7.1. The AA will not transfer personal information about a data subject to a third party who is in a foreign country unless one or more of the following apply:

7.1.1. the third party is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection of personal information and effectively upholds principles for reasonable processing of the information.

7.1.2. the data subject consents to the transfer

7.1.3. the transfer is necessary for the performance of a contract between the data subject and the company

7.1.4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the company and a third party; or

7.1.5. the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.


8. SURVEILLANCE SYSTEMS

8.1. Video footage and/or voice/telephone calls that have been recorded, processed and stored via CCTV camera or other surveillance systems constitute personal information. As such the AA will make all employees, members, clients or data subjects aware as to the use of CCTV/other surveillance on the premises.


9. SECURITY BREACHES

9.1. Should the AA detect a security breach on any of its systems that contain personal information, it shall take the required steps to assess the nature and extent of the breach in order to ascertain if any information has been compromised.

9.2. The AA shall notify the affected parties should it have reason to believe that their information has been compromised. Such notification shall only be made where the organisation can identify the data subject to whom the information relates. Where this is not possible, notification may take the form of publication on the AA’s website or such other form as the Information Regulator prescribes.

9.3. Notification will be provided in writing by means of either:

9.3.1. email

9.3.2. registered mail

9.3.3. the organisation’s website

9.4. The notification shall provide the following information where possible:

9.4.1. Description of possible consequences of the breach

9.4.2. Measures taken to address the breach

9.4.3. Recommendations to be taken by the data subject to mitigate adverse effects.

9.4.4. Where known, the identity of the unauthorised person who may have accessed or acquired the personal information.

9.5. In addition to the above, the AA shall notify the Regulator of any breach and/or compromise to personal information in its possession and work closely with and comply with any recommendations issued by the Regulator.

9.6. The following will apply in this regard:

9.6.1. The Information Officer will be responsible for overseeing the investigation.

9.6.2. The Information Officer will be responsible for reporting to the Information Regulator within 3 working days of a breach/compromise of personal information.

9.6.3. The Information Officer will be responsible for reporting to the data subject(s) within 3 working days of a breach/compromise of personal information, as far as is reasonable and practicable.

9.6.4. The timeframes above are guidelines; depending on the merits of the situation, earlier or later reporting may be required.


10. ACCESS AND CORRECTION OF PERSONAL INFORMATION

10.1. Employees and members/clients have the right to request access to any personal information that the AA holds about them.

10.2. Employees and members/clients have the right to request the AA to update, correct or delete their personal information on reasonable grounds. Such requests must be made to the Information Officer (see details above) or to the AA’s head office (see details below).

10.3. Where an employee or member/client objects to the processing of his/her personal information, the AA may no longer process that personal information. The consequences of withholding consent to process the personal information must be set out before the employee or member/client confirms his/her objection.

10.4. The member/client or employee must provide reasons for the objection to the processing of his/her personal information.

10.4.1. Head office details

10.4.2. Name: The Automobile Association of South Africa NPC

10.4.3. Telephone number: 011 799 1000

10.4.4. Postal address: P O Box 596, Johannesburg, 2000

10.4.5. Physical address: 4 Hyperion Road, Barbeque Downs, Kyalami

10.4.6. Email address: aasa@aasa.co.za


11. WILL WE DISCLOSE THE INFORMATION WE COLLECT TO THIRD PARTIES?

11.1. The AA Site/Webpages will disclose personal information when required by law or in the good-faith belief that such action is necessary to:

11.1.1. conform to the edicts of the law or comply with a legal process served on the AA;

11.1.2. protect and defend the rights or property of the AA or visitors to AA Webpages;

11.1.3. identify persons who may be violating the law, the legal notice, or the rights of third parties;

11.1.4. co-operate with the investigations of purported unlawful activities;

11.1.5. carry out credit checks on potential buyers.

11.2. We may share your personal information with our affiliates and business partners in order to improve the products, services and offers provided to you, as well as to our affiliates and business partners. Where this occurs, we require our business partners and affiliates to honour this privacy policy and the provisions of POPI generally. Our business partners include, but are not limited to, Sawubona CI Proprietary Limited, who help us secure, enrich and analyse our data. For more information about Sawubona, visit their website: http://www.sawubona.co.za.

11.3. We maintain a strict “No-Spam” policy. We will also not sell or rent your email address to a third-party.


12. RETENTION OF RECORDS

12.1. The AA is obligated to retain certain information, as prescribed by law. This includes but is not limited to the following:

12.1.1. With regard to the Companies Act No. 71 of 2008 and the Companies Amendment Act No. 3 of 2011, hard copies of the documents mentioned below must be retained for 7 years:

12.1.2. Any documents, accounts, books, writing, records or other information that a company is required to keep in terms of the Act.

12.1.3. Notice and minutes of all meetings, including resolutions adopted.

12.1.4. Copies of reports presented at the annual general meeting.

12.1.5. Copies of annual financial statements required by the Act and copies of accounting records as required by the Act.

12.2. The Basic Conditions of Employment Act No. 75 of 1997, as amended, requires the organisation to retain records relating to its staff for a period of no less than 3 years.


13. AMENDMENTS TO THIS POLICY

13.1. Amendments to this Policy will take place from time to time at the discretion of the AA and pursuant to any changes in the law. Such changes will be brought to the attention of employees, members and clients where they are affected.


14. REQUESTS FOR INFORMATION

14.1. In terms of requests to be processed under POPI, the following forms shall be used –

14.1.1. Objection to the processing of personal information – A data subject who wishes to object to the processing of personal information in terms of section 11(3)(a) of POPI must submit the objection to the responsible party on Form 1.

14.1.2. Request for correction or deletion of personal information, or destruction or deletion of a record of personal information – A data subject who wishes to request the correction or deletion of personal information, or the destruction or deletion of a record of personal information, in terms of section 24(1) of POPI must submit the request to the responsible party on Form 2.

14.1.3. Request for a data subject’s consent to process personal information – A responsible party who wishes to process the personal information of a data subject for the purpose of direct marketing by electronic communication must submit a request for written consent to that data subject on Form 4.

14.1.4. Submission of a complaint – Any person who wishes to submit a complaint contemplated in section 74(1) of POPI must submit the complaint to the Regulator on Part I of Form 5. A responsible party or a data subject who wishes to submit a complaint contemplated in section 74(2) of POPI must submit the complaint to the Regulator on Part II of Form 5.

14.2. In terms of requests for information under PAIA, the provisions of the PAIA Section 51 Manual must be complied with and Form C completed.

14.3. Any requests and/or queries can be directed to the Information Officer identified in this Policy and in the PAIA Section 51 Manual.