Purpose
To assist the company to comply with the Protection Of Personal Information Act 4 2013 (POPIA)
Scope
This Policy will apply to all employees of NGK Spark Plugs (South Africa) (Pty) Ltd and no exception to this Policy will be made.
Responsibility and authority
Managing Director.
Terms and definitions
“Company” shall mean NGK Spark Plugs (South Africa) (Pty) Ltd.
References
Principles to the policy
Introduction
In its everyday business, NGK Spark Plugs SA (Pty) Ltd makes use of a variety of data related to identifiable individuals, including data about:
- Current, past and prospective employees
- Players
- Beneficiary Partners
- Other stakeholders
In collecting and using this data, NGK Spark Plugs SA (Pty) Ltd is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it.
The purpose of this policy is to set out the relevant legislation and to describe the steps that NGK Spark Plugs SA (PTY) Ltd is taking to ensure that it complies with it.
This applies to all systems, people and processes that incorporates NGK Spark Plugs SA (Pty) Ltd information systems, including directors, employees, suppliers and other third parties.
The Protection of Personal Information Act 4 of 2013 (POPIA)
POPIA is the privacy legislation that provides for the protection and safeguarding of personal information of data subjects either natural or juristic. Fines and sanctions imposed in the event that a responsible party or operator contravenes the stipulated requirements.
POPIA Fundamental Concepts
The most important concepts from POPIA that are consistent with NGK Spark Plugs SA (Pty) Ltd and apply for this policy are the following:
- Biometrics – a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, finger printing, DNA analysis, retinal scanning and voice recognition
- Child – a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him/herself
- Competent person – any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child
- Consent – voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information
- Data Subject – the person to whom personal information relates
- De-identify – in relation to personal information of a data subject, means to delete any information that –
- Child – a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him/herself
- Identifies the data subject
- Can be used or manipulated by a reasonably foreseeable method to identify the data subject
- Can be linked by a reasonably foreseeable method to other information that identifies the data subject
- Information officer – in relation to
- Private body means the head of a private body
- Personal information – information relating to an identifiable, living, natural person and where applicable, an identifiable existing juristic person including, but not limited to
- Information related to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well being, disability, religion, conscience, belief, culture, language and birth of the person
- Information relating to the education or the medical, financial, criminal or employment history of the person
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person
- Biometric information of person
- Personal opinions, views or preferences of the person
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
- Views or opinions of another individual about the person
- Name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person
- Re-identify – in relation to personal information of a data subject, means to resurrect any information that has been de-identified that
- Identifies the data subject
- Can be used or manipulated by a reasonably foreseeable method to identify the data subject
- Can be linked by a reasonably foreseeable method to other information that identifies the data subject
- Responsible party – a private or public body or any other person which alone or in conjunction with others determines the purpose of and means for processing personal information
- Unique identifier – any identifier that is assigned to a data subject and is used by a responsible party for the purpose of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party
- Responsible party – a private or public body or any other person which alone or in conjunction with others determines the purpose of and means for processing personal information
Responsibility
Any staff member of NGK Spark Plugs SA (Pty) Ltd who is involved in the collection, storage or processing of personal data has responsibilities under the legislation.
Any staff member involved in the processing/storing of personal data should make sure;
- To obtain and process personal data fairly.
- To keep such data only for explicit and lawful purposes.
- To disclose such data only in ways compatible with these purposes
- To keep such data safe and secure.
- To keep such data accurate, complete and up-to-date.
- To ensure that such data is adequate, relevant and not excessive.
- To retain such data for no longer than is necessary for the explicit purpose.
- To keep such data only for explicit and lawful purposes.
Any data access requests received should be forwarded immediately to the Information and Deputy Information Officer
Rights of the Individual
The data subject also has rights under POPIA. These consist of:
- The right to be informed
- The right of access
- The right to rectification
- The right to delete
- The right to object
- Rights in relation to automated decision making and profiling.
- The right of access
Consent
Unless it is necessary for a reason allowable in POPIA, explicit consent must be obtained from a data subject to collect and process their data. In case of children below the age of 18 the legal guardian or parental consent must be obtained. Transparent information about our usage of their personal data must be provided to data subjects at the time that consent is obtained and their rights with regard to their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.
Data protection impact assessments.
The data protection impact assessment will include:
- Consideration of how personal data will be processed and for what purposes
- Assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s)
- Assessment of the risks to individuals in processing the personal data
- What controls are necessary to address the identified risks and demonstrate compliance with legislation
Transfer of Personal Data
Transfers of personal data outside South Africa must be carefully reviewed prior to the transfer taking place to ensure that the data is transferred in a safe and responsible manner. Countries that have existing privacy law must be adhered to. Countries where no privacy law exists, POPIA requirements must be adhered to.
Information Officer
A defined role of the Information Officer (IO) is required under POPIA whether an organization is a public or private body. The IO is required to have an appropriate level of knowledge of both POPIA and PAIA. The IO’s role can be delegated to a Deputy who is duly appointed in writing as per the Guidelines for Information Officers Registration.
NGK Spark Plugs SA (PTY) have appointed the MD as the IO.
Breach Notification
It is NGK Spark Plugs SA (Pty) Ltd policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. Where a breach is known to have occurred which is likely to result in a risk to the rights of data subjects, the Information Regulator must be informed as soon as possible. This will be managed in accordance with the Information Security Incident Response Procedure which sets out the overall process of handling information security incidents.
Addressing Compliance to the POPIA
The following actions are undertaken to ensure that NGK Spark Plugs SA (Pty) Ltd complies at all times with the conditions of POPIA:
- The legal basis for processing personal data is clear and unambiguous
- An Information Officer is appointed with specific responsibility for data protection in the organization
- All staff involved in handling personal data understand their responsibilities for following good data protection practice
- Training in data protection has been provided to all staff
- Rules regarding consent are followed
- Routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively
- Regular reviews of procedures involving personal data are carried out
- Privacy by design is adopted for all new or changed systems and processes
- The following documentation of processing activities is recorded:
- Organization name and relevant details
- Purposes of the personal data processing
- Categories of individuals and personal data processed
- Categories of personal data recipients
- Agreements and mechanisms for transfers of personal data outside South Africa
- Personal data retention schedules
- Relevant technical and organisational controls in place
These actions are reviewed on a regular basis as part of the management review process.