Privacy Policy

PROMOTION OF ACCESS TO INFORMATION ACT, 2000

(PAIA) & PROTECTION OF PERSONAL INFORMATION ACT, 2013 (POPI) MANUAL

OF

THE INDUSTRIAL CLOTHING COMPANY (PTY) LTD

WITH REGISTRATION NUMBER: 1994/008893/07

 

Contents

  1. INTRODUCTION
  2. NATURE OF THE BUSINESS
  3. COMPANY & CONTACT DETAILS
  4. GUIDE OF THE SOUTH AFRICAN HUMAN RIGHTS COMMISSION
  5. LEGISLATION APPLICABLE TO THE COMPANY
  6. PROCESSING OF PERSONAL INFORMATION
  7. CATEGORIES OF RECIPIENTS FOR PROCESSING THE PERSONAL INFORMATION
  8. ACTUAL OR PLANNED TRANS-BORDER FLOWS OF PERSONAL INFORMATION
  9. GENERAL DESCRIPTION OF INFORMATION SECURITY MEASURES
  10. AUTOMATICALLY AVAILABLE RECORDS
  11. NOT AUTOMATICALLY AVAILABLE RECORDS
  12. OTHER TYPES OF RECORDS HELD BY THE COMPANY
  13. PROCESS OF REQUESTING INFORMATION NOT AUTOMATICALLY AVAILABLE
  14. GROUNDS FOR REFUSAL
  15. PRESCRIBED FEES
  16. INFORMATION OR RECORDS NOT FOUND
  17. DESTRUCTION OF PERSONAL INFORMATION
  18. RETENTION PERIODS

1. INTRODUCTION

This manual is prepared in accordance with Section 51 of PAIA and to address the requirements of the POPI Act.

2. NATURE OF THE BUSINESS

THE INDUSTRIAL CLOTHING COMPANY (PTY) LTD is part of the clothing stores industry and manufactures work wear and personal protective equipment for industrial, mining, agriculture, hospitality, logistics and corporate industries.

3. COMPANY & CONTACT DETAILS

Full name: The Industrial Clothing Company (Pty) Ltd
Head of Company/Group: Mark Gregory Barnes.
Physical address: Unit J1,
Route 24,
50 Herman Road,
Meadowdale,
Edenvale,
1400.
Postal address: PO Box 275,
Edenvale,
1610.
Landline number: 011-974 8815.
Fax number: 011-974 8816.

4. GUIDE OF THE SOUTH AFRICAN HUMAN RIGHTS COMMISSION

PAIA grants a requestor access to records of a private body, if the record is required for the exercise or protection of any rights. If a public body lodges a request, the public body must be acting in the public interest.

Requests in terms of PAIA shall be made in accordance with the prescribed procedures, at the rates provided. The forms and tariff are dealt with in paragraphs 6 and 7 of the Act.

Requestors are referred to the Guide in terms of Section 10 which has been compiled by the South African Human Rights Commission, which will contain information for the purposes of exercising Constitutional Rights. The Guide is available from the SAHRC.

The contact details of the Commission are:

Postal Address: Private Bag 2700, Houghton, 2041
Telephone Number: +27-11-877 3600
Fax Number: +27-11-403 0625
Website: www.sahrc.org.za

5. LEGISLATION APPLICABLE TO THE COMPANY

4.1 Companies Act No. 61 of 1973;

4.2 Employment Equity Act No. 98 of 1978;

4.3 Income Tax Act No. 95 of 1967;

4.4 Value Added Tax Act No. 89 of 1991;

4.5 Labour Relations Act No. 66 of 1995;

4.6 Basic Conditions of Employment Act No. 75 of 1997;

4.7 Electronic Communications and Transactions Act No. 25 of 2002;

4.8 Promotion of Access of Information Act No. 2 of 2000;

4.9 Unemployment Insurance Act No. 30 of 1996.

6. PROCESSING OF PERSONAL INFORMATION

Purpose of Processing

The Company/Group uses the Personal Information under its care in the following ways:

– Conducting credit- and criminal reference checks and assessments;

– Administration of agreements;

– Providing products and services to customers;

– Discounting and asset funding purposes;

– Detection and prevention of fraud, crime, money laundering and other malpractice;

– Conducting market or customer satisfaction research;

– Marketing and sales;

– In connection with legal proceedings;

– Staff administration;

– Keeping of accounts and records;

– Complying with legal and regulatory requirements;

– Profiling data subjects for the purposes of direct marketing.

Categories of Data Subjects and their Personal Information

The Company/Group may possess records relating to suppliers, shareholders, contractors, service providers, staff and customers:

Entity Type and Personal Information Processed (including, but not limited to):

  • Natural Persons as customers:

-Names;

-Contact details;

-Physical- and postal addresses;

-Date of birth;

-ID number;

-Tax related information;

-Nationality;

-Gender;

-Confidential correspondence.

  • Juristic Persons / -entities as customers:

-Names of contact persons;

-Name of legal entity;

-Physical- and postal address and contact details;

-Financial information;

-Registration number;

-Founding documents;

-Tax related information;

-Authorised signatories;

-Beneficiaries;

-Ultimate beneficial owners;

-Shareholding information;

-BBBEE information.

  • Contracted Service Providers:

-Names of contact persons;

-Name of legal entity;

-Physical- and postal address and contact details;

-Financial information;

-Registration number;

-Founding documents;

-Tax related information;

-Authorised signatories;

-Beneficiaries;

-Ultimate beneficial owners;

-Shareholding information;

-BBBEE information.

  • Employees and Directors:

-Gender;

-Pregnancy;

-Marital status;

-Nationality;

-Colour;

-Race;

-Age;

-Language;

-Education information;

-Financial information;

-Employment history;

-ID number;

-Physical- and postal address;

-Contact details;

-Opinions;

-Credit record;

-Criminal record;

-Employee benefits and wellness.

7. CATEGORIES OF RECIPIENTS FOR PROCESSING THE PERSONAL INFORMATION

The Company/Group may share the Personal Information with its agents, affiliates, and associated companies who may use this information to send the Data Subject information on products and services. The Company/Group may supply the Personal Information to any party to whom the Company/Group may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:

– Capturing and organising of data;

– Storing of data;

– Sending of emails and other correspondence to customers;

– Conducting due diligence checks;

– Administration of the Medical Aid and Pension Schemes;

– Rendering of outsourced services.

8. ACTUAL OR PLANNED TRANS-BORDER FLOWS OF PERSONAL INFORMATION

Personal Information may be transmitted trans-border to the Company’s/Group’s authorised dealers and its suppliers in other countries, and Personal Information may be stored in data servers hosted outside South Africa. Noting that some countries may not have adequate data protection laws in place, the Company/Group is committed to ensuring, as far as reasonably possible, that Personal Data is kept in destinations with the necessary security measures in place.

9. GENERAL DESCRIPTION OF INFORMATION SECURITY MEASURES

The Company/Group is committed to ensuring the sound integrity of security systems protecting Personal Information, including, inter alia, the following:

– Firewalls;

– Virus protection software and update protocols;

– Logical- and physical access control;

– IT software and hardware security measures;

– The Company/Group will ensure that outsourced service providers who process Personal Information on behalf of the Company/Group have the required security measures in place to protect any and all Data Subjects.

Security Safeguards

The Group shall ensure the integrity and confidentiality of all Personal Information in its possession, by taking reasonable steps to:

– Identify all reasonably foreseeable risks to information security;

– Establish and maintain appropriate safeguards against such risks;

Written records

– Personal Information records should be kept in locked cabinets, or safes;

– When in use Personal Information records should not be left unattended in areas where non-staff members may access them;

– The Group shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;

– Personal Information which is no longer required should be disposed of by shredding. Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.

Electronic Records

– All electronically held Personal Information must be saved in a secure database;

– As far as reasonably practicable, no Personal Information should be saved on individual computers, laptops or hand-held devices;

– All computers, laptops and hand-held devices should be access protected with a password, fingerprint or retina scan, with the password being of reasonable complexity and changed frequently;

– The Group shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day;

– Electronic Personal Information which is no longer required must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.

Any loss or theft of computers, laptops or other devices which may contain Personal Information must be immediately reported to the Information Officer, who shall notify the IT department, who shall take all necessary steps to remotely delete the information, if possible.

Should the Company/Group make use of a third party, called an Operator, to process personal information, the Company/Group will ensure the Operator complies with all the prescriptions of the POPIA.

In the unlikely event that a data breach occurs, the Company/Group will follow its own policy and procedure in this regard and further inform the Information Regulator and, if known, the relevant data subjects as soon as possible, unless law enforcement officials instruct the Company/Group to delay doing so or to not do so at all.

10. AUTOMATICALLY AVAILABLE RECORDS

The following records are automatically available to all employees:

5.1 Personnel records are available to the employee whose file it is;

5.2 Records of disciplinary hearings and related matters are available to the employee concerned;

5.3 The company’s implemented policies and procedures.

11. NOT AUTOMATICALLY AVAILABLE RECORDS

The following records are not automatically available without a request in terms of the Act:

11.1. All statutory returns regarding:

11.1.1. VAT;

11.1.2. Workmen’s Compensation;

11.1.3. UIF;

11.1.4. Regional Service Levies;

11.1.5. Skills Development Levies;

11.1.6. Documents concerning compliance by the company, insofar as it may be necessary, with the Occupational Health and Safety Act No. 85 of 1993, and any other applicable environmental legislation.

12. OTHER TYPES OF RECORDS HELD BY THE COMPANY

These records are not automatically available without a request in terms of the Act. A request in terms of this section is subject to section 63(1) of the Act, which provides that the head of a company must refuse a request for access to a record of the company if the disclosure of the record would involve the unreasonable disclosure of personal information about a third party including a deceased individual.

12.1. HUMAN RESOURCES DEPARTMENT

12.1.1. Personnel information including personal information, employment history and health records that the company may hold from time to time.

12.1.2. Training and development information.

12.1.3. General files containing information on employee benefits and employee recruitment and selection information.

12.2. FINANCE/ACCOUNTS DEPARTMENT

12.2.1. Financial records;

12.2.2. A list of company’s creditors and debtors;

12.2.3. Salary information;

12.2.4. Bank account information;

12.2.5. Fixed assets register.

13. PROCESS OF REQUESTING INFORMATION NOT AUTOMATICALLY AVAILABLE

13.1. To facilitate the processing of your request, kindly:

13.1.1. Use the prescribed form available at www.sahrc.org.za;

13.1.2. Address your request to the Head of the Company;

13.1.3. Provide sufficient details to enable the company to identify:

13.1.3.1. The record/s requested;

13.1.3.2. The form of access required;

13.1.3.3. The postal address/ fax number of the requestor in RSA and if the requestor wishes to be informed of the decision in any manner (in addition to written);

13.1.3.4. The right which the requestor is seeking to exercise or protect with an explanation of the reason the record is required to exercise or protect the right.

14. GROUNDS FOR REFUSAL

The Company/Group may lawfully refuse to grant access to a requested record that falls within a certain category. Grounds on which the Company/Group may refuse access include, inter alia the following:

– Protecting personal information that the Company/Group holds about a third person (who is a natural- and/or juristic person), including a deceased person, from unreasonable disclosure;

– Protecting commercial information and/or intellectual property that the Company/Group holds about a third party or the Company/Group’s own confidential and/or privileged information, which disclosure may have an adverse effect on the rights and interests of the parties concerned in any way whatsoever, inter alia trade secrets, financial secrets, commercial information and client lists;

– If disclosure of the requested record would result in a breach of a duty of confidence and/or contract owed to a third party in;

– If disclosure of the record would endanger the life and/or physical safety of an individual, the general public and/or any other Data Subject, inter alia transport information, information regarding a witness protection program and/or privileged information (if not duly waived) regarding pending legal cases and/or proceedings;

– The record is a computer programme;

– The record contains research information carried out by and/or on behalf of a third party and/or the Company/Group;

– Records that cannot be found or that are not in existence, which status/case will then be reported to the relevant Data Subject as prescribed.

15. PRESCRIBED FEES

15.1. The fees for reproduction of a record as referred to in section 52(3) are as follows –

15.1.1. for every photocopy of an A4 size page or part thereof R1,10;

15.1.2. for every printed copy of an A4-size page or part thereof R0,75;

15.1.3. for a copy of a compact disc R70,00;

15.1.4. for a transcript of visual images for an A4 size page or part thereof R40,00;

15.1.5. for a copy of visual images R60,00;

15.1.6. for a transcript of an audio record, for an A4-size page or part thereof R20,00;

15.1.7. for a copy of an audio record R30,00;

15.2. The request fee payable by a requestor, other than a personal requestor, is R50,00.

15.3. If the head of the company or if the request liaison officer is of the opinion that six hours will be exceeded to search, reproduce and/or prepare the information requested, a deposit is payable equal to one-third of an amount of R30 for each hour or part thereof, exceeding the six hours.

16. INFORMATION OR RECORDS NOT FOUND

16.1. If all reasonable steps have been taken to find a record, and such a record cannot be found or if the records do not exist, then the head of the company or management shall notify the requestor, by way of an affidavit or affirmation, that it is not possible to give access to the requested record.

16.2. The affidavit or affirmation shall provide a full account of all the steps taken to find the record or to determine the existence thereof, including details of all communications by the head of the company or the request liaison officer with every person who conducted the search.

16.3. The notice shall be regarded as a decision to refuse a request for access to the record concerned for the purposes of the Act.

16.4. If the record in question should later be found, the requestor shall be given access to the record in the manner stipulated by the requestor in the prescribed form unless access is refused by the head of the company or the request liaison officer.

16.5. The attention of the requestor is drawn to the provisions of Chapter 4 of Part 3 of the Act in terms of which the company may refuse, on certain specified grounds, to provide information to a requestor.

17. DESTRUCTION OF PERSONAL INFORMATION

Documents may be destroyed as indicated in this policy or on direction of the Company/Group by the relevant department and/or the Company/Group. Regular internal audits are done to determine which records are being retained that are eligible for destruction, bearing in mind that original documents will be returned to their owners or the Company/Group for safe keeping purposes. Regarding Personal Information stored in document form, destruction of same will be done by the Company/Group and/or appointed document disposal service provider to ensure that it cannot be re-identified. Regarding Personal Information stored in electronic records, destruction of same will be done by the Company/Group and/or appointed IT service provider to ensure that same cannot be re-identified.

18. RETENTION PERIODS

The Company is committed to only retain processed Personal Information for as long as it is required relating to the purposes for its collection, any contractual obligations, statutory required obligations and/or as prescribed by any relevant legislation of the Republic of South Africa, after which it will be destroyed in such a manner in which it will not be possible to re-identify same. Should there be any queries regarding the length of retention and/or different legislation that prescribes retention periods, all parties are motivated and required to contact the Information Officer in this regard.