Purpose of Non-Disclosure Agreements
Non-Disclosure Agreements (NDAs) are agreements governing the confidential information that 21st Century receives from time to time when consulting work is procured from a client. An NDA binds 21st Century and the client in terms of what confidential information may and may not be disclosed, how that information must be secured, and what happens to it once the consulting work has been rendered. An NDA may also specifically prohibit disclosure of the project work undertaken with the client.
POPI is the Protection of Personal Information Act, No 4 of 2013. POPI has been assented to by the President, meaning it has been signed into law; however, a section of POPI only becomes effective once the President proclaims it (or the whole Act) into operation. This is done by notice in the Government Gazette stating that from a given date the named sections are in force and must be complied with. The more personal information a business processes, the more of POPI's obligations will apply to it.
Exclusions refers to circumstances in which POPI does not apply. POPI does not apply to:
- Purely personal or household activities, such as sending holiday cards.
- Processing of personal information that has been de-identified (stripped of the details that identify the data subject, so that it can no longer reasonably be linked back to them; note that de-identification is not the same as deletion).
- The SAPS investigating crime.
- Journalists, authors and artists freely expressing themselves.
- Processing of information by Cabinet and its Committees, the Executive Council of a province, or a court in the exercise of its judicial functions.
In terms of POPI, personal information is information relating to both natural and juristic persons (companies, organisations and other entities). Examples of personal information are:
- Identity and/or passport number
- Date of birth and age
- Phone number/s (including mobile phone number)
- Email address/es
- Online/Instant messaging identifiers
- Physical address
- Gender, Race and Ethnic origin
- Photos, voice recordings, video footage (also CCTV), biometric data
- Marital/Relationship status and Family relations
- Criminal record
- Private correspondence
- Religious or philosophical beliefs including personal and political opinions
- Employment history and salary information
- Financial information
- Education information
- Physical and mental health information, including medical history, blood type and details of a person's sex life
- Membership of organisations/unions
Processing of personal information
Processing means any operation or activity, or any set of operations, concerning personal information, whether or not carried out by automatic means, and includes:
- collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, alteration, consultation or use
- dissemination by means of transmission, distribution or making available in any other form
- merging, linking, restriction, degradation, erasure or destruction of information
21st Century only provides processed information to clients and under no circumstances will client data be shared with any third party.
Eight Principles of POPI – How they apply to 21st Century
- Accountability: 21st Century must be able to demonstrate that it complies with the conditions for the lawful processing of personal information. 21st Century ensures the quality of its data through a stringent validation process with every client and an annual data audit conducted by its current external auditor. All employee data is de-identified so that individual employees cannot be traced. In addition, 21st Century hosts only processed results on the Reward Online website; no employee data is stored on the website, and no data other than processed results is shared with any third party.
- Processing limitation: personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. All data is de-identified so that it cannot be traced back to the data subject. 21st Century deliberately does not ask for its clients' employees' ID numbers, contact details etc., as these details are beyond what the analysis it performs requires.
- Purpose specification: personal information must be collected for a specific, explicitly defined purpose that relates to 21st Century's function or activity. 21st Century will only request data that is relevant to the project for which it has been contracted. This data may be added to the 21st Century database for research purposes, and 21st Century complies with all POPI requirements for using data for research purposes.
- Further processing limitation: if 21st Century needs to process the data further, the further processing must be compatible with the purpose for which the information was originally collected. Should additional data be required for such work, 21st Century will request only the data that is fit for that purpose.
- Information quality: 21st Century ensures that the information collected is complete, accurate and, where necessary, kept up to date. 21st Century applies multi-layered validation that starts on receipt of the data and continues throughout the project until its completion. Any data that appears to be incorrect is queried with the client and corrected before it can be considered fit for purpose. 21st Century has its data externally audited on an annual basis by its current external auditor.
- Openness: 21st Century must maintain documentation of all processing operations under its control, in line with the standards contained in the Promotion of Access to Information Act, No 2 of 2000. 21st Century's methodology, and the auditing thereof, is documented in the audit letter provided by its current external auditor.
- Security safeguards: 21st Century must implement appropriate, reasonable technical and organisational measures to maintain the integrity and confidentiality of personal information (full detail is contained in the IT security policy). This is done throughout the organisation at various levels. All data is held on servers hosted by a reputable service provider that applies appropriate security controls to the servers and hence to the data. The Reward Online website is served over HTTPS using a TLS (SSL) certificate and contains only processed results, not individuals' data.
- Data subject participation: a natural person who provides adequate proof of identity is entitled to request that 21st Century confirm whether it holds any personal information about them, and is further entitled to request that 21st Century provide a record of the personal information held and the identity of any third parties who have had access to that record.
Collecting and Recording Personal Information
When personal information is collected from a data subject, 21st Century:
- may only collect personal information directly from the data subject (the owner of the information, in this case the employer).
- must inform the data subject when it is about to collect personal information and obtain the data subject's consent.
- must have a good enough reason for collecting the information, i.e. it must be something 21st Century needs in order to fulfil its obligations and/or deliver a service to the data subject.
- must provide adequate disclosure (transparency) of the purpose and intended use of the information.
- may only share the information with authorised parties (this also applies to sharing with colleagues).
Access to Personal Information
Companies have the right to ask 21st Century whether it holds any personal information about them, and 21st Century must confirm or deny this free of charge. On request, 21st Century must provide the company with a record or description of the personal information it holds, including the identity of any third parties that have or have had access to that information. 21st Century must provide this information:
- within a reasonable time;
- at a prescribed fee (if any);
- in a reasonable manner and format; and
- in a form that is generally understandable.
Ensuring Quality Information
To ensure quality information, 21st Century must maintain its records and take reasonably practicable steps to ensure that the information is complete, accurate, not misleading and up to date. Our systems must record when each item of information was captured, when it was last updated and when it was confirmed by its owner. 21st Century's data audit process, and all the associated controls that have been built in, ensure that our data is of the highest possible quality.
POPI does not prevent marketing to new customers, marketing new products to existing customers, or direct marketing; however, the consent and involvement of the owner of the personal information is key. The following rules apply to direct marketing:
- You must identify yourself, or the person on whose behalf the communication is being made, and provide contact details to which the person may send a request that your communications stop.
- You may not contact someone by electronic communication for direct marketing unless they have first consented to it.
- You may approach someone only once to obtain their consent, and only if they have not previously withheld it.
- Existing customers may be marketed to without fresh consent only in respect of the responsible party's own similar products or services.
- Customers must be given a reasonable opportunity to object to the communication, free of unnecessary formality (easy) and free of charge.
Disclosure and Notification
Where the security of clients' information has failed and there has been a security breach, or the information has been disclosed when it should not have been, the Information Regulator must be notified and the owner of the personal information must be informed as soon as reasonably possible by one of the following means:
- a letter mailed to their last known physical or postal address
- an e-mail sent to their last known e-mail address
- a notice placed in a prominent position on the website of the responsible party
- publication in the news media, or
- such other means as the Regulator may direct
A complaints process is useful when a client accuses 21st Century of disclosing personal information that should not have been disclosed, or of failing to safeguard or secure personal information. It is in our interest to prepare and maintain the following documentation, which would in any event be required by the Regulator should a client's complaint be investigated:
- an information register that acts as a single point of reference for all clients' personal information, including any access permissions that apply
- a systems architecture document (including the software applications used, their associated permissions, etc.)
- policies and procedures relating to personal information, as well as how we enforce them (these should, for example, address the use of USB memory sticks, username/password rules, remote access, protection of data copied onto laptops or phones, security updates, backups, etc.)
- a security events register (recording the dates and times of security threats and breaches, e.g. on the firewall, and events such as theft of laptops, PCs, tablets and mobile phones, including the data that was on them)
- an easy-to-understand audit trail showing who accessed or changed personal information, and when
21st Century is expected to “identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control”. This casts the net very wide in terms of identifying risks: it includes the actions of staff as well as foreseeable events such as theft. 21st Century must therefore ensure that data is safeguarded in the following areas:
- Process (Operations)
- Software as a service (SaaS) and software service providers
- Public and Private Cloud
As detailed within the IT security policy, all reasonable steps have been taken to safeguard information collected by 21st Century. The Data Committee continually scans the horizon for any foreseeable risks and recommends action if a risk is identified.
Retention and Restriction of Records
In terms of POPI, personal information may not be retained for longer than is necessary to achieve the purpose for which it was processed. POPI does not, however, supersede other legislation that requires personal information to be kept for longer, such as the tax records of our employees. 21st Century removes data from its research database as soon as it is no longer relevant to the research being conducted.
The information contained in this document illustrates 21st Century's commitment to the protection of its clients' information, as well as its commitment to complying with the POPI Act as administered by the Information Regulator.
Submitted on behalf of 21st Century
Executive Director (Information Officer)
Chief Executive Officer