Section 4(1) of the Act requires that all Processing of Personal Information be done in a lawful manner. Anyone who Processes Personal Information for and on behalf The Practice must do so in terms of the below conditions in order to ensure compliance with the Act:<\/p>\n
6.1. Ensure that all the conditions and measures giving effect to conditions of the lawful processing of Personal Information as set out in the Act and this policy are complied with at the time of the determination of the purpose and means of the Processing and during the Processing.<\/p>\n
6.2. Personal Information must only be processed with the consent of the Data Subject, for a specific, explicit and lawfully defined purpose, related to the functions and activities of The Practice, or if under a statutory obligation, with a notification to the person of the specific statutory mandate (quote Act, section and\/or Regulation and number thereof).<\/p>\n
6.3. All consents to processing and\/or notifications of processing will be reviewed by responsible employees or office bearers to ensure that it is specific. In cases of uncertainty, the Information Officer or one of his\/her deputies will be contacted for support. Where standard consents or notifications have bene developed, employees and office-bearers are obligated to use those.<\/p>\n
6.4. In the event of a requirement to use Personal Information outside the consented purpose, (\u201cfurther processing\u201d), then a further consent for the further processing must be obtained from the Data Subject prior to such further processing.<\/p>\n
6.5. Personal Information must be collected directly from the Data Subject, should there be a need to collect the information from another source, the consent of the Data Subject must be obtained prior thereto. Where databases are bought or provided by a third party, a warranty must be included in the contract that such database have been compiled and is sold in compliance with POPIA.<\/p>\n
6.6. Only up to date and correct Personal Information can be processed, and Data Subjects must request the correction of their Personal Information on Form 2 as set out in Regulations published under GG number 42110 dated 14 December 2018. All consents, notifications and contracts must include a hyperlink or attach Form 2.<\/p>\n
6.7. The Responsible Persons must ensure that the security measures put in place by The Practice, as set out in The Practice for every database and type \/ category of personal information processed, to protect against:<\/p>\n
6.7.1. Unauthorized access, which means that access privileges must be stipulated, and where applicable, indicated in documents, minutes, etc. as follows: All employees have personalized access control passwords:<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
| ACCESSIBLE BY:<\/th>\n | CONTACT<\/th>\n<\/tr>\n | |
|---|---|---|
| <\/td>\n | Board \/ \u2026 & administrative staff authorized to work with such structure(s)<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | Committee & administrative staff authorized to work with such structure(s)<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | All Practice \/ Facility stakeholders<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | Top management & administrative staff authorized to work with such structure(s)<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | Designated employees<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | All employees<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | Consultant \/ contractor \/ vendor \/ supplier<\/td>\n | <\/td>\n<\/tr>\n |
| <\/td>\n | Other: \u2026.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n \n \n \n \n 6.7.2. Loss and\/or damage of personal information, through back-ups off-site, remote wiping of computers and devices stolen \/ lost, marking scheme property (such as devices, books, etc. that could contain personal information as \u201cconfidential, property of AMS, if found please return to the IO: Dr Edna Retter [At 18 Eton road, Parktown, Johannesburg, 2193), IT protections against file corruption, version control systems, etc. are in place.<\/p>\n 6.7.3. Archiving and Destruction will only take place in accordance with the Practice Document Retention and Destruction policy and guide, and all archiving and destruction will be documented in the registers kept at the practice\u2019s filing office.<\/p>\n 6.8. No Practice database, list, personal information of any person in its, or any staff member or office bearer\u2019s possession may be used, made known and\/or distributed without the concerned Data Subjects\u2019 consent. In case of doubt, the advice of the Information Officer or his\/her Deputy will be sought. Even casual provision of contact details to a third party could constitute a breach of the POPI Act.<\/p>\n 6.9. Only relevant Personal Information required for the specified purpose should be collected \u2013 nothing in excess of that. The data fields (see definition of \u201cpersonal information\u201d and \u201cspecial information\u201d) in all existing and new databases and types of information (e.g. contracts, financial information, marketing lists, etc.) will be evaluated as to whether that specific data field is:<\/p>\n 6.9.1. Necessary, given the specific purpose for which the personal information will be used.<\/p>\n 6.9.2. Relevant for that purpose.<\/p>\n Red flag data fields are titles (relevant for communication, but not necessarily for the allocation of benefits), family relation (relevant for membership, but not for communication, etc.), information on race, gender, ethnicity (unless required by the B-BBEE Act, EEA, SDA or other law), physical address, views \/ opinions of persons, contact details (only was person consented to and what is relevant for that database should be kept), etc. The physical address of a trustee is necessary, but the address of a payments clerk at a customer or vendor is not required.<\/p>\n 6.10. All communications of a marketing or general communications nature must be subject to an \u201copt out\u201d functionality, which has to be adhered to strictly by The Practice or anyone processing Personal Information for and on behalf of The Practice. The Data Subject\u2019s consent must be obtained on Form 4 as set out in the Regulations published under GG number 42110 dated 14 December 2018. Information related to changes to practice policies, etc. or any right or legitimate expectation of a staff member or a supplier \/ vendor cannot opt out of. Neither can they opt out of statements and similar information directly related to their contractual or other legal relationship with the Company.<\/p>\n 6.11. All requests for Personal Information and other information from any person or entity whatsoever shall be dealt with in accordance with the provisions of The Practice PAIA Manual and in line with this policy.<\/p>\n 6.12. The Data Subject must be provided access to their Personal Information related upon written request and other request for access to personal and other information from any person or entity must be dealt with in terms of The Practice PAIA Manual and in line with this policy.<\/p>\n 6.13. All processing of Personal Information must immediately cease, in the event that the Data Subject withdraws its consent to the processing or objects to the processing of Personal Information in the manner prescribed by law, except where The Practice is by law obliged to continue with such processing. Such requests must be made to the scheme on Form 1 of the POPI Regulations.<\/p>\n 6.14. Personal Information must be corrected or deleted upon request contained in Form 2 by the Data Subject to do so.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n [\/vc_column_text][\/vc_tta_section][vc_tta_section title=”7. SECURITY AND ACCESS” tab_id=”1639015001070-0da44af9-7a7b”][vc_column_text]The Practice uses the following security measures to secure Personal Information in her possession:<\/p>\n 7.1. Electronic information is secured by firewalls, anti-virus and password secured access.<\/p>\n 7.2. Electronic information on shared drives operate on access control and permissions, accidental access must be reported to the Information Officer and IT immediately.<\/p>\n 7.3. No information, including personal information, may be downloaded from shared drives onto device hard drives or any external device.<\/p>\n 7.4. Physical records are kept at the office and protected by locking cabinets:<\/p>\n 7.4.1. Physical files held in the practice\u2019s filing office and protected by locking cabinets, digital access control and locked doors<\/p>\n 7.5. The office has a digital access control and two physical locked doors.<\/p>\n 7.6. There are security cameras in the office.<\/p>\n 7.7. There are security cameras, notices are put up to this effect and staff contracts include such surveillance as part of the conditions of employment. \u00a0\u00a0All such recordings are stored off-site and will only be accessed in cases of alleged breaches of processing, including unlawful access or destruction, of personal information.<\/p>\n 7.8. Office building is accessed through a sign-in system with security personnel and boom gate, which is locked at night with security personnel onsite at night. The security company act as an Operator and an Operator agreement is in place, ensuring that no personal information provided is stored for longer than necessary and are permanently destroyed after its use. Frequent visitor information is stored indefinitely at the security company in full compliance with the provisions of the POPI Act, or until a contract or assignment comes to an end. The instruction for destruction of such information to the security company is provided by information officer and his\/her deputy information officer.<\/p>\n 7.9. Regular verification that the safeguards in place are effectively implemented and continually updated in response to any new risks or deficiencies;<\/p>\n 7.10. Notification in writing to the affected Data Subjects and reporting to the Information Regulator, should the Personal Information relating to the Data Subject be compromised or should there be a suspicion that the Personal Information is compromised. Notification may have to be made to the Information Regulator. All security and access breaches or suspected or potential breaches of personal information must be reported to the Information Regulator or hi\/her \u00a0\u00a0designated Deputy immediately after such breach or potential; breach becomes known.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”8. STORAGE AND DESTRUCTION” tab_id=”1639015036114-070d79bd-e497″][vc_column_text]8.1. All Personal Information in the possession of The Practice must be stored, retained and destroyed in accordance with the legislation applicable to the specific information and according \u00a0\u00a0\u00a0\u00a0to the Practice Document Retention and Destruction Policy. No destruction of data will be done in this practice.<\/p>\n 8.2. Personal Information shall not be retained longer than required to fulfil the purpose for the Processing or longer than required by Applicable Legislation.<\/p>\n 8.3. Once the purpose for Processing or the retention period provided under Applicable Legislation expires, the Personal Information must be destructed and\/or deleted and\/or returned to \u00a0\u00a0\u00a0\u00a0the Data Subject as may be required by the Applicable Law and in a manner that complies with such Applicable Law.<\/p>\n 8.4. Retention periods, and the destruction of personal information, must be specified in consents and notifications.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”9. COLLECTION OF PERSONAL INFORMATION” tab_id=”1639015076192-fe688ae7-2037″][vc_column_text]9.1. The Practice collects Personal Information from various Data Subjects for varying purposes, but mainly from patients, e.g. for patient treatment, submission of claims to medical schemes, etc. Such information must be collected in accordance with the provisions of the Act and this policy.<\/p>\n 9.2. Personal information is also collected from staff for employment purposes, such as payroll, tax and deductions, leave administration, etc. Information on staff interviews and applications are also kept until no longer needed.<\/p>\n 9.3. Personal information from the representatives, staff, agents or contractors of vendors and suppliers are also processed for purposes of facilitating the goods and services to be rendered. The information of persons responsible for accounts \/ finances, repair persons, key account managers and the likes are processed by the practice for legitimate business purposes.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”10. PURPOSE AND USE OF PERSONAL INFORMATION” tab_id=”1639015107722-56ba5624-cba7″][vc_column_text]When Processing Personal Information as part of any activity, the Responsible Party must:<\/p>\n 10.1. Identify the nature and extent to which one will deal with (a) Personal Information and (b) Special Personal Information (i.e. measure the data fields through which information it is collecting to assess whether it is relevant, necessary and not excessive), and then amend its processing accordingly.<\/p>\n 10.2. Identify the types of processing that will take place (e.g. collection, dissemination and destruction, or collection, recording and storage, etc.).<\/p>\n 10.3. Identify the purpose for which the specific processing is undertaken, clearly indicating whether such purpose is permitted by a law (e.g. invoicing requiring a VAT number).<\/p>\n 10.4. Confirm that consent has been obtained from Data Subjects, which consent shall constitute a contract between The Practice and the Data Subject and shall describe:<\/p>\n 10.4.1. the purpose of the Processing or further processing of the Personal Information;<\/p>\n 10.4.2. the type of Processing of the Personal Information;<\/p>\n 10.4.3. timelines related to the Processing;<\/p>\n 10.4.4. the destruction or storage of the personal information; and<\/p>\n 10.4.5. the security assurances and measures undertaken by The Practice to protect the data and Personal Information.<\/p>\n 10.5. If processing is mandated by law, describe in a notification what that specific law says, and how processing will take place.<\/p>\n 10.6. Personal Information about children and special personal information<\/p>\n 10.6.1. The Practice do hold the personal information of children (persons up till the age of 18).<\/p>\n 10.6.2. The Practice also have information of \u201cchild-dependents\u201d older than 18, but who are still dependent on their parents \u2013 such persons are handled, for POPIA purposes, the same as \u00a0\u00a0any adult dependent on the scheme.<\/p>\n 10.6.3. The information of children under the age of 12, or 12 and under 18 years of age, must be processed in terms of the Children\u2019s Act, 2005, the HPCSA \/ SANC \/ SAPC Ethical Rules \u00a0\u00a0and the Medicines and Related Substances Act,1965.<\/p>\n 10.6.4. The Practice will take all reasonable measures to protect the confidentiality of adult dependents and children who has the right to confidentiality, but acknowledge the limitations of \u00a0\u00a0a medical schemes system that obligates, under regulation 5 to the Medical Schemes Act, the inclusion of ICD10 (diagnostic) codes on accounts to medical schemes, and hence on \u00a0\u00a0statements issued by the scheme to the main member.<\/p>\n 10.7. Information shared by managed care organizations or pursuant to a managed care arrangement<\/p>\n 10.8. Information shared by The Practice The Practice will only share information with third parties:<\/p>\n 10.8.1. Upon the specific consent of the Data Subject in terms of the Act and on written declaration that such third parties comply with the Act and related data legislation and regulations, or<\/p>\n 10.8.2. If otherwise required to do so by any Applicable Law.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”11. REVIEW AND AMENDMENT” tab_id=”1639015139569-b71a5007-840c”][vc_column_text]This policy shall be reviewed every two years or more frequently as may be required and may be amended from time to time as may be required by law, for corrections of material errors, as the case may be.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”12. TRAINING AND COMMUNICATION” tab_id=”1639015172078-e412c450-80d5″][vc_column_text]All existing Employees, contractors, vendors, Committee members and any person who may Process Personal Information for and on behalf of The Practice (i.e. Operators), shall be trained on an annual basis on this policy and underlying legal sources on which it is based. The training will also form part of new employee induction.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”13. COMPLIANCE” tab_id=”1639015209320-4b64f848-faea”][vc_column_text]<\/p>\n \n \n 13.1. The Information Officer of the Practice is: Dr. Edna Retter (083 458 6143)<\/p>\n 13.2. The Deputy Information Officer is: Mr. Thabo Nkuna (073 995 9555)<\/p>\n 13.3. The Information Officer shall maintain a report in relation to POPI and PAIA regarding steps and remedial steps taken in instances of non-compliance, including but not limited to:<\/p>\n 13.3.1. Rewording of consents, standard clauses and notifications.<\/p>\n 13.3.2. Reporting loss, breach and\/or unauthorized access of Personal Information to relevant authorities, recommending disciplinary action, etc.<\/p>\n 13.3.3. The destruction of personal information.<\/p>\n 13.3.4. The de-identification of personal information.<\/p>\n 13.3.5. The implementation of specific security measures.<\/p>\n 13.3.6. The implementation of (additional or new) access control measures.<\/p>\n 13.3.7. The implementation of consents or notifications ab initio.<\/p>\n 13.3.8. Research and verification of legislative mandates.<\/p>\n 13.3.9. Addenda to contracts and service level agreements within business activities and\/or with third parties and contractors.<\/p>\n 13.3.10. Amendments to contract templates.<\/p>\n 13.3.11. Disciplinary action against employees violating this policy.<\/p>\n 13.3.12. Action against office bearers violating this policy, in conjunction with the Board of Trustees.<\/p>\n 13.3.13. Requirements on the submission of (regular) progress reports.<\/p>\n 13.3.14. Obtaining expert assistance, where required.<\/p>\n 13.3.15. Undergoing additional or further training on POPI and PAIA.<\/p>\n<\/div>\n<\/div>\n [\/vc_column_text][\/vc_tta_section][vc_tta_section title=”14. INFORMATION OFFICE” tab_id=”1639015247657-27efbefd-0f92″][vc_column_text]14.1. This office houses the Information Officer and his\/her deputies: 14.2. The following may be directed to the Information Officer in writing to edna@eretter.co.za:[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”15. COMPLAINTS” tab_id=”1639015279231-c6697717-02f0″][vc_column_text]Any complaints by any person including members and beneficiaries, employees, office-bearers, third parties or any regulator, on any allegation or actual violation of this policy or data privacy, may be directed to the Information Officer [or a designated Deputy], who will handle the complaint in line with the principles of natural justice, and apply this policy, as well as the applicable laws and related policies of the Company, when doing so. The Information Office may constitute a Committee to investigate the matter, and to make findings on the complaint, and recommend action by the relevant departments, units or structures of the Scheme.[\/vc_column_text][\/vc_tta_section][vc_tta_section title=”16. POPI ACT: OBJECTIONS, WITHDRAWALS, AMENDMENTS AND DELETIONS” tab_id=”1639015337533-744f727a-86ff”][vc_column_text]16.1. Any person can object to processing of Personal Information, withdraw a consent to processing, requests amend or deletion of personal Information.<\/p>\n 16.2. The forms to object, consent to marketing, change or request destruction of personal information must use the forms attached to the Policy, as prescribed by the Regulations to the \u00a0\u00a0 \u00a0\u00a0POPI Act published under GG number 42110 dated 14 December 2018, which forms shall be made available at 18 Eton road, Parktown, Johannesburg, 2193.[\/vc_column_text][\/vc_tta_section][\/vc_tta_accordion][\/vc_column][\/vc_row]<\/p>\n","protected":false},"excerpt":{"rendered":" [vc_row][vc_column][vc_custom_heading text=”FRAMEWORK & POLICY ON THE PROTECTION OF PERSONAL INFORMTION ACT 04 OF 2013 (\u201cPOPI\u201d)” font_container=”tag:h1|font_size:34|text_align:left” google_fonts=”font_family:ABeeZee%3Aregular%2Citalic|font_style:400%20regular%3A400%3Anormal”][\/vc_column][\/vc_row][vc_row][vc_column][vc_tta_accordion active_section=”1″ collapsible_all=”true”][vc_tta_section title=”1. INTRODUCTION” tab_id=”1639014720767-7011e5d6-c50c”][vc_column_text]The Protection of Personal Information Act 4 of 2013, (\u201cPOPIA\/The Act\u201d) and the Regulations promulgated thereunder give effect to Continue Reading <\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/pages\/28"}],"collection":[{"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":7,"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/pages\/28\/revisions"}],"predecessor-version":[{"id":503,"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=\/wp\/v2\/pages\/28\/revisions\/503"}],"wp:attachment":[{"href":"https:\/\/www.dgroc.co.za\/proposal\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} |