Protection of Information Policy

PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (“POPI”)

1. Introduction
   This document is the policy on the protection of personal inf ormation of CityKidz Pre & Primary School, as approved by the school directors and management. The policy has been draf ted in accordance with the Constitution of the Republic of South Af rica, 1996; the Protection of Personal Inf ormation Act 4 of 2013 (POPIA), the Promotion of Access to Inf ormation Act 2 of 2000, the South African Schools Act 84 of 1996, and other applicable legislation on school education.

   As an independent school, schools have to comply with POPIA. The act requires public bodies to inform data subjects of the manner in which their personal inf ormation is used, disclosed and destroyed.
   CityKidz Pre & Primary School is committed to protecting the privacy of all data subjects, and ensuring that their personal inf ormation is used appropriately, transparently, securely and in accordance with applicable laws.
   This policy sets out the manner in which CityKidz Pre & Primary School deals with personal inf ormation and stipulates the purpose f or which said inf ormation is used. 
   In technical terms, it is a "general inf ormation protection statute" designed to prevent the negligent disclosure of personal inf ormation. This means that an organisation or "responsible party" can only capture, use and store personal inf ormation with express consent. This is applicable to personal inf ormation of individuals as well as personal inf ormation relating to ‘juristic persons’ , e.g. companies or organisations.

2. The purpose of the Act is to:
   1. safeguard personal inf ormation in line with the constitutional right to privacy in line with international standards f or data protection;
   2. regulate the manner in which personal inf ormation is processed;
   3. provide rights and remedies to protect personal Inf ormation;
   4. establish an Information Protection Regulator.
3. Personal information
   1. Personal information is any information that can be used to reveal a person’s identity. Personal inf ormation relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as the School), including, but not limited to inf ormation concerning:
      1. inf ormation relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief , culture, language and birth of the person;
      2. inf ormation relating to the education or the medical, f inancial, criminal or employment history of the person;
      3. any identif ying number, symbol, e-mail address, physical address, telephone number, location inf ormation, online identif ier or other particular assignment to the person;
      4. the biometric inf ormation of the person;
      5. the personal opinions, views or pref erences of the person;
      6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or f urther correspondence that would reveal the contents of the original correspondence;
      7. the views or opinions of another individual about the person; and
      8. the name of a person if it appears with other personal inf ormation relating to the person or if the disclosure of the name itself would reveal inf ormation about the person.
   2. The Act only protects private information and any information shared publicly will automatically fall outside of the protection of the POPI Act. If , for example, an e-mail address or telephone number is listed on a person’s Facebook page and that inf ormation is publicly available, then it's free for companies to collect and use. Protection under POPI cannot then be claimed if this inf ormation gets used.
4. Collection of Personal Information
   We collect and process your Personal Inf ormation mainly to provide you with access to our services and products, to help us improve our of f erings to you, to support our contractual relationship with you and f or certain other purposes explained below. The type of information we collect will depend on the purpose f or which it is collected and used. We will only collect inf ormation that we need f or that purpose.
   We collect inf ormation directly f rom you where you provide us with your personal details, for example when you purchase or supp ly a product or services to or f rom us or when you submit enquiries to us or contact us. Where possible, we will inf orm you what inf ormation you are required to provide to us and what inf ormation is optional.
   Examples of information we collect from you are:
   1. name
   2. address
   3. email address
   4. telephone/cell number
   5. user-generated content, posts and other content you submit to our web site

      With your consent, we may also supplement the information that you provide to us with inf ormation we receive f rom other companies in our industry in order to of f er you a more consistent and personalized experience in your interactions with. CityKidz Pre & Primary School.

5. How we use your information
   We may use the inf ormation we collect from you when you register, sign up for our newsletter, respond to a survey or marketing communication, surf the website, or use certain other site features. We will use your inf ormation only for the purposes f or which it was collected or agreed with you, for example:
   1. Analyse the effectiveness of our advertisements, competitions, promotions and surveys.
   2. For audit and record keeping purposes
   3. For monitoring and auditing site usage
   4. Personalise your website experience, as well as to evaluate (anonymously and in the aggregate) statistics on website activity, such as what time you visited it, whether you’ve visited it before and what site referred you to it
   5. To carry out our obligations arising from any contracts entered into between you and us 
   6. To conduct market or customer satisf action research or for statistical analysis
   7. To confirm and verify your identity or to verify that you are an authorised customer for security purposes
   8. To notify you about changes to our service
   9. To respond to your queries or comments

      We will also use your Personal Information to comply with legal and regulatory requirements or industry codes to which we subscribe or which apply to us, or when it is otherwise allowed by law.
      Where we collect Personal Inf ormation f or a specif ic purpose, we will not keep it f or longer than is necessary to f ulf il that purpose, unless we have to keep it f or legitimate business or legal reasons. Once personal inf ormation has served its purpose, it should be destroyed, except where there are legal requirements f or keeping records or if the necessary consent has been obtained. In order to protect inf ormation f rom accidental or malicious destruction, when we delete inf ormation f rom our services we may not immediately delete residual copies f rom our servers or remove inf ormation f rom our backup systems.

6. Employees and other persons acting on behalf of the school
   1. Employees and other persons acting on behalf of the School will, during the course of the perf ormance of their services, gain access to and become acquainted with the personal inf ormation of certain clients, suppliers and other employees.
   2. Employees and other persons acting on behalf of the School are required to treat personal inf ormation as a conf idential business asset and to respect the privacy of data subjects.
   3. Employees and other persons acting on behalf of the School may not directly or indirectly, utilise, disclose or make public in any manner to any pers on or third party, either within the School or externally, any personal inf ormation, unless such information is already publicly known or the disclosure is necessary in order f or the employee or person to perf orm his or her duties.
   4. Employees and other persons acting on behalf of the School must request assistance f rom the Inf ormation Of f icer if they are unsure about any aspect related to the protection of a data subject’s personal inf ormation.
   5. Employees and other persons acting on behalf of the School will only process personal inf ormation where:
      1. The data subject, or a competent person where the data subject is a child, consents to the processing; or
      2. The processing is necessary to carry out actions f or the conclusion or perf ormance of a contract to which the data subject is a party; or
      3. The processing complies with an obligation imposed by law on the responsible party; or
      4. The processing protects a legitimate interest of the data subject; or 
      5. The processing is necessary f or pursuing the legitimate interests of the School or of a third party to whom the inf ormation is supplied.
   6. Furthermore, personal inf ormation will only be processed where the data subject:
      1. Clearly understands why and f or what purpose his, her or its personal inf o rmation is being collected; and
      2. Has granted the School with explicit written or verbally recorded consent to process his, her or its personal inf ormation.
   7. Employees and other persons acting on behalf of the School will consequently, prior to processing any personal inf ormation, obtain a specif ic and inf ormed expression of will from the data subject, in terms of which permission is given f or the processing of personal information.
   8. Informed consent is when the data subject clearly understands for what purpose his, her or its personal inf ormation is needed and who it will be shared with.
   9. Consent can be obtained in written f orm which includes any appropriate electronic medium that is accurately and readily reducible to printed f orm. Alternatively, the School will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed.
   10. Consent to process a data subject’s personal inf ormation will be obtained directly from the data subject, except where:
       1. the personal inf ormation has been made public, or
       2. where valid consent has been given to a third party, or
       3. the inf ormation is necessary f or ef f ective law enf orcement
   11. Employees and other persons acting on behalf of the School will under no circumstances:
       1. Process or have access to personal inf ormation where such processing or access is not a requirement to perf orm their respective work-related tasks or duties.
       2. Save copies of personal inf ormation directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal inf ormation must be accessed and updated f rom the School’s central database or a dedicated server.
       3. Share personal inf ormation inf ormally. In particular, personal inf ormation should never be sent by email, as this f orm of communication is not secure. Where access to personal inf ormation is required, this may be requested from the Information Off icer.
       4. Transf er personal inf ormation outside of South Af rica without the express permission from the Information Off icer.
   12. Employees and other persons acting on behalf of the School are responsible for:
       1. Keeping all personal inf ormation that they come into contact with secure, by taking sensible precautions and f ollowing the guidelines outlined within this policy.
       2. Ensuring that personal inf ormation is held in as f ew places as is necessary. No unnecessary additional records, f iling systems and data sets should theref ore be created.
       3. Ensuring that personal inf ormation is encrypted prior to sending or sharing the inf ormation electronically.
          The IT Liaison Official/Manager will assist employees and where required, other persons acting on behalf of the School, with the sending or sharing of personal inf ormation to or with authorised external persons.
       4. Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal inf ormation are password protected and never left unattended. Passwords may not be shared with unauthorised persons. 
       5. Ensuring that their computer screens and other devices are switched of for locked when not in use orwhen away f rom their desks.
       6. Ensuring that where personal inf ormation is stored on removable storage medias such as external drives, CDs or DVDs that these are kept locked away securely when not being used.
       7. Ensuring that where personal inf ormation is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.
       8. Ensuring that where personal inf ormation has been printed out, that the paper printouts are not lef t unattended where unauthorised individuals could see or copy them. For instance, close to the printer.
       9. Taking reasonable steps to ensure that personal inf ormation is kept accurate and up to date. For instance, conf irming a data subject’s contact details when the client or customer phones or communicates via email. Where a data subject’s inf ormation is found to be out of date, authorisation must f irst be obtained f rom the Inf ormation Of f icer to update the inf ormation accordingly.
       10. Taking reasonable steps to ensure that personal inf ormation is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal inf ormation is no longer required, authorisation must first be obtained from the Inf ormation Officer to delete or dispose of the personal information in the appropriate manner.
       11. Undergoing POPI Awareness training from time to time.
   13. Where an employee, or a person acting on behalf of the School, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal inf ormation, he or she must immediately report this event or suspicion to the Inf ormation Officer or the Deputy Information Officer.
7. Request to access personal information procedure
   1. Data subjects have the right to:
      1. Request what personal inf ormation the School holds about them and why.
      2. Request access to their personal inf ormation.
      3. Be inf ormed how to keep their personal inf ormation up to date.
   2. Access to information requests shall be made in writing, including by email, addressed to the Inf ormation Of f icer, and directed to the School’s Administration Manager
   3. Once the written request has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the School’s POPIA Policy
   4. The Information Officer will process all requests within a reasonable time. 
8. Right to object
   In terms of the POPI Act (POPIA) section 18. (h) (iv) you have the right to object to the processing of personal inf ormation as ref erred to in section 11(3) of the POPIA.
9. Right to lodge a compliant
   In terms of the POPI Act (POPIA) section 18. (h) (v) you have the right to lodge a complaint to the Inf ormation Regulator (South Af rica) (IRSA). The IRSA contact details are:
   https://www.justice.gov.za/inf oreg/contact.html
   33 Hoofd Street
   Forum III, 3rd Floor Braampark
   P.O Box 31533
   Braamf ontein, Johannesburg, 2017
   Mr Marks Thibela
   Chief Executive Officer
   Tel No. +27 (0) 10 023 5207, Cell No. +27 (0) 82 746 4173
   Email inf oreg@justice.gov.za
10. Policy amendments
    The school directors may amend, supplement, modify or alter this policy from time to time.
11. How to Contact us
    If you have any queries about this policy or believe we have not adhered to it, or need further information about our privacy practices or wish to give or withdraw consent, exercise preferences or access or correct your personal information, please contact us at info@citykidz.co.za