FRAMEWORK & POLICY ON THE PROTECTION OF PERSONAL INFORMATION ACT 04 OF 2013
FOUNTAIN CIRCLE MEDICAL SUPPLIERS (PTY) LTD. is an incorporated medical service provider (The Practice).
The Protection of Personal Information Act 4 of 2013, (“POPIA/The Act”) and the Regulations promulgated thereunder give effect to the right to privacy provided by section 14 of the Bill of Rights of the Constitution of the Republic of South Africa 1996. The Act and Regulations require the Information Officer of the responsible person as defined under the Act to develop, implement, monitor, and maintain a compliance framework, (Regulation 4 of Regulations published under GG number 42110 dated 14 December 2018). The Practice has developed this policy to comply with the aforesaid requirements and to further demonstrate commitment to the spirit of the Act in respecting the rights of Data Subjects to have their Personal Information protected as set out in the Act.
Forms 1, 2 and 4 of the POPI Regulations are attached to this Policy.
This policy applies to all employees of The Practice and anyone who may process Personal Information for and on behalf of The Practice. This policy applies to all situations and business processes where Personal Information is processed, more importantly where such information may be made accessible to third parties.
3.1. “Applicable Legislation” means all legislation applicable to The Practice, including the Act, the Medicines and Related Substances Act 101 of 1965; the National Health Act 61 of 2003; the Health Professions Act; the National Archiving Act; the Income Tax Act 58 of 1962; the Value Added Tax Act 89 of 1991; the Labour Relations Act 66 of 1995; the Basic Conditions of Employment Act 75 of 1997; the Employment Equity Act 55 of 1998; the Skills Development Levies Act 9 of 1999; the Unemployment Insurance Act 63 of 2001; the Electronic Communications and Transactions Act 25 of 2002; the Telecommunications Act 103 of 1996; the Electronic Communications Act 36 of 2005; the Consumer Protection Act 68 of 2008; the National Credit Act 34 of 2005; and
3.2. “Data subject” means the person to whom personal information relates as defined under the Act.
3.3. “Employee” means, for the purposes of this policy, any person employed permanently (full- or part-time), temporarily, or on a fixed-term contract, and includes contractors that may come into contact with, use, process or otherwise deal with Personal Information.
3.4. “Office-bearer” means the members of the Board of Trustees, the Principal Officer, members of Committees of the Scheme, governance secretaries and persons in similar positions.
3.5. “Operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
3.6. “Personal information” shall mean, for purposes of this policy and as defined under the Act, information about an identifiable natural person and, in so far as it is applicable, an identifiable juristic person, including, but not limited to:
3.6.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
3.6.2. information relating to the education or the medical, criminal or employment history of the person or information relating to financial transactions in which the person has been involved;
3.6.3. any identifying number, symbol or other particular assigned to the person;
3.6.4. the address, fingerprints or blood type of the person;
3.6.5. the personal opinions, views or preferences of the person, except where they are about another individual or about a proposal for a grant, an award or a prize to be made to another individual;
3.6.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
3.6.7. the views or opinions of another individual about the person;
3.6.8. the views or opinions of another individual about a proposal for a grant, an award or a prize to be made to the person, but excluding the name of the other individual where it appears with the views or opinions of the other individual; and
3.6.9. the name of the person where it appears with other personal information relating to the person or where the disclosure of the name itself would reveal information about the person;
but excluding information about a natural person who has been dead, or a juristic person that has ceased to exist, for more than 20 years.
3.7. “Policy” means this policy developed in terms of the Act and Regulations thereto.
3.8. “Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
3.8.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
3.8.2. dissemination by means of transmission, distribution or making available in any other form; and
3.8.3. merging, linking, as well as restriction, degradation, erasure or destruction of information.
3.9. “Purpose” means The Practice’s purpose for processing Personal Information as set out herein.
3.10. “Responsible Party” means, for purposes of this policy, all persons to whom this policy applies who, whether alone or in conjunction with others, determine the purpose and means of processing Personal Information.
3.11. “Special Personal Information” means information relating to a person’s (a) religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or (b) criminal behavior, as defined under the Act.
4 THE PRACTICE REQUIREMENTS FOR PROCESSING PERSONAL INFORMATION
4.1. All Processing of Personal Information must be done after a written and signed consent, in a form developed and approved by The Practice, has been received from the Data Subject.
4.2. Where there is a legal requirement to disclose Personal Information to authorities, and consent is not required by law, the Data Subject must still be notified of such disclosure, unless the Applicable Law provides otherwise.
5.1. The Practice will inform all persons whose information is being processed, of that fact.
5.2. This is done via the Practice’s Terms and Conditions, on specific consents to disclosure, and, where bulk mailers or communications are sent out, with a statement relating to the rights of the Data Subject attached thereto.
5.3. Data Subjects have the following rights:
5.3.1. To be notified when personal information is being collected, of the type of information collected, for what purpose, whether the information is supplied voluntarily or its collection is mandatory, and whether the information would be transferred to a third country and the protections afforded there.
5.3.2. To be notified if there has been unlawful access to or acquisition of his/her/its personal information.
5.3.3. To request a record of their Personal Information.
5.3.4. To request the correction, deletion and/or destruction of their Personal Information.
5.3.5. To object to the processing of their Personal Information.
5.3.6. To withdraw consent to processing, if voluntarily given.
5.3.7. Not to be subjected to unsolicited electronic communication, unless they are our customer and we have sold goods or services to them, or where they have consented to the communication, and they had and have the opportunity to object to the communication.
5.3.8. Not to be subjected to automated decision-making based on the personal information in contravention of section 71 of the POPI Act.
5.3.9. To submit a complaint to the Information Regulator at http://www.justice.gov.za/inforeg/index.html; and
5.3.10. To institute civil proceedings regarding an alleged interference with his/her/its personal information in terms of section 99 of the POPI Act.
6 CONDITIONS OF LAWFUL PROCESSING OF PERSONAL INFORMATION
Section 4(1) of the Act requires that all Processing of Personal Information be done in a lawful manner. Anyone who Processes Personal Information for and on behalf of The Practice must do so in accordance with the conditions below to ensure compliance with the Act:
6.1. Ensure that all the conditions and measures giving effect to conditions of the lawful processing of Personal Information as set out in the Act and this policy are complied with at the time of the determination of the purpose and means of the Processing and during the Processing.
6.2. Personal Information must only be processed with the consent of the Data Subject, for a specific, explicit and lawfully defined purpose, related to the functions and activities of The Practice, or if under a statutory obligation, with a notification to the person of the specific statutory mandate (quote Act, section and/or Regulation and number thereof).
6.3. All consents to processing and/or notifications of processing will be reviewed by responsible employees or office-bearers to ensure that they are specific. In cases of uncertainty, the Information Officer or one of his/her deputies will be contacted for support. Where standard consents or notifications have been developed, employees and office-bearers are obligated to use those.
6.4. In the event of a requirement to use Personal Information outside the consented purpose, (“further processing”), then a further consent for the further processing must be obtained from the Data Subject prior to such further processing.
6.5. Personal Information must be collected directly from the Data Subject. Should there be a need to collect the information from another source, the consent of the Data Subject must be obtained beforehand. Where databases are bought or provided by a third party, the contract must include a warranty that the database has been compiled and is sold in compliance with POPIA.
6.6. Only up to date and correct Personal Information can be processed, and Data Subjects must request the correction of their Personal Information on Form 2 as set out in Regulations published under GG number 42110 dated 14 December 2018. All consents, notifications and contracts must include a hyperlink or attach Form 2.
6.7. The Responsible Persons must ensure that the security measures put in place by The Practice for every database and type/category of personal information processed are applied, to protect against:
6.7.1. Unauthorized access, which means that access privileges must be stipulated, and where applicable, indicated in documents, minutes, etc. as follows (just add applicable row or rows in a header or footer of a document):
Public/Administrative staff authorized to work with such structure(s)
Committee & administrative staff authorized to work with such structure(s)
All Practice stakeholders
Top management & administrative staff authorized to work with such
6.7.2. Loss and/or damage of personal information, through measures taken, e.g., off-site back-ups, remote wiping of stolen/lost computers and devices, marking practice property (such as devices, books, etc. that could contain personal information) as “confidential, property of FOUNTAIN CIRCLE MEDICAL SUPPLIERS, if found please return”, IT protections against file corruption, version control systems;
6.7.3. Archiving and Destruction will only take place in accordance with the Practice Document Retention and Destruction policy and guide, and all archiving and destruction will be documented in the registers kept in the practice.
6.8. No Practice database or list, nor the personal information of any person contained in it or in any staff member’s or office-bearer’s possession, may be used, made known and/or distributed without the concerned Data Subjects’ consent. In case of doubt, the advice of the Information Officer or his/her Deputy will be sought. Even casual provision of contact details to a third party could constitute a breach of the POPI Act.
6.9. Only relevant Personal Information required for the specified purpose should be collected – nothing more than that. The data fields (see definition of “personal information” and “special information”) in all existing and new databases and types of information (e.g., contracts, financial information, marketing lists, etc.) will be evaluated as to whether that specific data field is:
6.9.1. Necessary, given the specific purpose for which the personal information will be used.
6.9.2. Relevant for that purpose. Red flag data fields are titles (relevant for communication, but not necessarily for the allocation of benefits), family relation (relevant for membership, but not for communication, etc.), information on race, gender, ethnicity (unless required by the B-BBEE Act, EEA, SDA or other law), physical address, views / opinions of persons, contact details (only what the person consented to and what is relevant for that database should be kept), etc. The physical address of a trustee is necessary, but the address of a payments clerk at a customer or vendor is not required.
6.10. All communications of a marketing or general communications nature must be subject to an “opt out” functionality, which must be adhered to strictly by The Practice or anyone processing Personal Information for and on behalf of The Practice. The Data Subject’s consent must be obtained on Form 4 as set out in the Regulations published under GG number 42110 dated 14 December 2018. A staff member or a supplier / vendor cannot opt out of information related to changes to practice policies, etc., or to any right or legitimate expectation they hold. Neither can they opt out of statements and similar information directly related to their contractual or other legal relationship with the Company.
6.11. All requests for Personal Information and other information from any person or entity whatsoever shall be dealt with in accordance with the provisions hereof.
6.12. The Data Subject must be provided access to their Personal Information upon written request, and any other request for access to personal and other information from any person or entity must be dealt with in line with this policy.
6.13. All processing of Personal Information must immediately cease, if the Data Subject withdraws its consent to the processing or objects to the processing of Personal Information in the manner prescribed by law, except where The Practice is by law obliged to continue with such processing. Such requests must be made to the scheme on Form 1 of the POPI Regulations.
6.14. Personal Information must be corrected or deleted upon request contained in Form 2 by the Data Subject to do so.
7 SECURITY AND ACCESS
The Practice uses the following security measures to secure Personal Information in its possession:
7.1. Electronic information is secured by firewalls, anti-virus and password secured access.
7.2. Electronic information on shared drives is subject to access control and permissions; accidental access must be reported to the Information Officer and IT immediately.
7.3. No information, including personal information, may be downloaded from shared drives onto device hard drives or any external device.
7.4. Physical records are kept at the office and protected by locking cabinets:
7.4.1. Information stored includes title, name, identification number, date of birth, address, telephone number, email address, medical aid information, next of kin, medical information. This is stored in locked built-in cabinets in the practice.
7.5. The office has 2 locks on the door, one needing a key and another needing a pin code.
7.6. The office building is accessed through a sign-in system with security personnel and a boom gate, which is locked at night. The security company acts as an Operator and an Operator agreement is in place, ensuring that no personal information provided is stored for longer than necessary and that it is permanently destroyed after its use.
7.7. Regular verification that the safeguards in place are effectively implemented and continually updated in response to any new risks or deficiencies.
7.8. Notification in writing to the affected Data Subjects and reporting to the Information Regulator, should the Personal Information relating to the Data Subject be compromised or should there be a suspicion that the Personal Information is compromised. Notification may have to be made to the Information Regulator. All security and access breaches, or suspected or potential breaches, of personal information must be reported to the Information Regulator or his/her designated Deputy immediately after such breach or potential breach becomes known.
8 STORAGE AND DESTRUCTION
8.1. All Personal Information in the possession of The Practice must be stored, retained, and destroyed in accordance with the legislation applicable to the specific information and according to the Practice Document Retention and Destruction Policy.
8.2. Personal Information shall not be retained longer than required to fulfil the purpose for the Processing or longer than required by Applicable Legislation.
8.3. Once the purpose for Processing or the retention period provided under Applicable Legislation expires, the Personal Information must be destroyed and/or deleted and/or returned to the Data Subject as may be required by the Applicable Law and in a manner that complies with such Applicable Law.
8.4. Retention periods, and the destruction of personal information, must be specified in consents and notifications.
9 COLLECTION OF PERSONAL INFORMATION
9.1. The Practice collects Personal Information from various Data Subjects for varying purposes, but mainly from patients, e.g. for patient treatment, submission of claims to medical schemes, etc. Such information must be collected in accordance with the provisions of the Act and this policy.
9.2. Personal information is also collected from staff for employment purposes, such as payroll, tax and deductions, leave administration, etc. Information on staff interviews and applications is also kept until no longer needed.
9.3. Personal information from the representatives, staff, agents or contractors of vendors and suppliers is also processed for purposes of facilitating the goods and services to be rendered. The information of persons responsible for accounts/finances, repair persons, key account managers and the like is processed by the practice for legitimate business purposes.
10 PURPOSE AND USE OF PERSONAL INFORMATION
When Processing Personal Information as part of any activity, the Responsible Party must:
10.1. Identify the nature and extent to which one will deal with (a) Personal Information and (b) Special Personal Information (i.e., assess the data fields through which it collects information to determine whether each is relevant, necessary and not excessive), and then amend its processing accordingly.
10.2. Identify the types of processing that will take place (e.g., collection, dissemination and destruction, or collection, recording and storage, etc.).
10.3. Identify the purpose for which the specific processing is undertaken, clearly indicating whether such purpose is permitted by a law (e.g., invoicing requiring a VAT number).
10.4. Confirm that consent has been obtained from Data Subjects, which consent shall constitute a contract between The Practice and the Data Subject and shall describe:
10.4.1 the purpose of the Processing or further processing of the Personal Information.
10.4.2 the type of Processing of the Personal Information.
10.4.3 timelines related to the Processing.
10.4.4 the destruction or storage of the personal information; and
10.4.5 the security assurances and measures undertaken by The Practice to protect the data and Personal Information.
10.5 If processing is mandated by law, describe in a notification what that specific law says, and how processing will take place.
11.1 Personal Information about children and special personal information.
11.1.1 The Practice may hold the personal information of children (persons up to the age of 18).
11.1.2 The Practice also has information of “child-dependents” older than 18, but who are still dependent on their parents; such persons are handled, for POPIA purposes, the same as any adult dependent on the scheme.
11.1.3 The information of children under the age of 12, or aged 12 and under 18 years of age, must be processed in terms of the Children’s Act, 2005, the HPCSA Ethical Rules and the Medicines and Related Substances Act, 1965.
11.1.4 The Practice will take all reasonable measures to protect the confidentiality of adult dependents and children who have the right to confidentiality, but acknowledges the limitations of a medical schemes system that obligates, under regulation 5 to the Medical Schemes Act, the inclusion of ICD10 (diagnostic) codes on accounts to medical schemes, and hence on statements issued by the scheme to the main member.
11.2 Information shared by managed care organizations or pursuant to a managed care arrangement. The practice does not have any contracts with any managed care organizations. Reports related to the managed care of a patient are provided on request after consent to disclose information has been obtained from the patient.
11.3 Information shared by The Practice.
The Practice will only share information with third parties:
11.3.1 upon the specific consent of the Data Subject in terms of the Act and on written declaration that such third parties comply with the Act and related data legislation and regulations, or
11.3.2 if otherwise required to do so by any Applicable Law.
12 REVIEW AND AMENDMENT
This policy shall be reviewed every two years or more frequently as may be required and may be amended from time to time as may be required by law, for corrections of material errors, as the case may be.
13 TRAINING AND COMMUNICATION
All existing Employees, contractors, vendors, Committee members and any person who may Process Personal Information for and on behalf of The Practice (i.e., Operators), shall be trained on an annual basis on this policy and underlying legal sources on which it is based. The training will also form part of new employee induction.
14.1 The Information Officer of the Practice is: Jaco Stockenstrom, 0123626009
14.2 The Deputy Information Officer(s) is (are): Zelda Stockenstrom, 0123626009
14.3 The Information Officer shall maintain a report in relation to POPI regarding steps and remedial steps taken in instances of non-compliance, including but not limited to:
14.3.1 Rewording of consents, standard clauses, and notifications.
14.3.2 Reporting loss, breach and/or unauthorized access of Personal Information to relevant authorities, recommending disciplinary action, etc.
14.3.3 The destruction of personal information.
14.3.4 The de-identification of personal information.
14.3.5 The implementation of specific security measures.
14.3.6 The implementation of (additional or new) access control measures.
14.3.7 The implementation of consents or notifications ab initio.
14.3.8 Research and verification of legislative mandates.
14.3.9 Addenda to contracts and service level agreements within business activities and/or with third parties and contractors.
14.3.10 Amendments to contract templates.
14.3.11 Disciplinary action against employees violating this policy.
14.3.12 Action against office bearers violating this policy, in conjunction with the Board of Trustees.
14.3.13 Requirements on the submission of (regular) progress reports.
14.3.14 Obtaining expert assistance, where required.
14.3.15 Undergoing additional or further training on POPI.
15 INFORMATION OFFICE
15.1 This office houses the Information Officer and his/her deputies: Sr. Sylvia Wilders
15.2 The following may be directed to the Information Officer at firstname.lastname@example.org:
Any complaints by any person including members and beneficiaries, employees, office-bearers, third parties or any regulator, on any allegation or actual violation of this policy or data privacy, may be directed to the Information Officer [or a designated Deputy], who will handle the complaint in line with the principles of natural justice, and apply this policy, as well as the applicable laws and related policies of the Companies, when doing so. The Information Officer may constitute a committee to investigate the matter, to make findings on the complaint, and to recommend action by the relevant departments, units, or structures of the Scheme.
17 POPI ACT: OBJECTIONS, WITHDRAWALS, AMENDMENTS AND DELETIONS
17.1 Any person can object to the processing of Personal Information, withdraw a consent to processing, or request the amendment or deletion of Personal Information.
17.2 Objections, consents to marketing, and requests for the change or destruction of personal information must use the forms attached to the Policy, as prescribed by the Regulations to the POPI Act published under GG number 42110 dated 14 December 2018, which forms shall be made available at The Practice’s offices and website at www.pretoriaphysician.co.za.
Signed on this ___________ day of ___________________ 2021 by:
OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11 (3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 2.]
Note:
- Affidavits or other documentary evidence as applicable in support of the objection may be attached.
- If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign
- Complete as is applicable.
A DETAILS OF DATA SUBJECT
Name(s) and surname/ registered name of data subject:
Unique Identifier/ Identity Number
Residential, postal, or business address:
Code ( )
Fax number / E-mail address:
B DETAILS OF RESPONSIBLE PARTY
Name(s) and surname/Registered name of responsible party:
Residential, postal or business address:
Code ( )
Fax number/ E-mail address:
REASONS FOR OBJECTION IN TERMS OF SECTION 11 (1) (d) to (f) (Please provide detailed reasons for the objection)
Signed at on this day of 20 .
Signature of data subject/designated person
REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24 (1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 3.]
Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.
Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorised to retain the record of information.
A DETAILS OF THE DATA SUBJECT
Name(s) and surname/ registered name of data subject:
Unique identifier/ Identity Number:
Residential, postal or business address:
Code ( )
Fax number/E-mail address:
B DETAILS OF RESPONSIBLE PARTY
Name(s) and surname / registered name of responsible party:
Residential, postal or business address:
Code ( )
Fax number/ E-mail address:
INFORMATION TO BE CORRECTED/DELETED/ DESTRUCTED/ DESTROYED
REASONS FOR *CORRECTION OR DELETION OF THE PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24 (1) (a) WHICH IS IN POSSESSION OR UNDER THE CONTROL OF THE RESPONSIBLE PARTY; and/or
REASONS FOR *DESTRUCTION OR DELETION OF A RECORD OF PERSONAL INFORMATION ABOUT THE DATA SUBJECT IN TERMS OF SECTION 24 (1) (b) WHICH THE RESPONSIBLE PARTY IS NO LONGER AUTHORISED TO RETAIN (Please provide detailed reasons for the request)
Signed at on this day of 20_______ .
Signature of data subject/designated person
APPLICATION FOR THE CONSENT OF A DATA SUBJECT FOR THE PROCESSING OF PERSONAL INFORMATION FOR THE PURPOSE OF DIRECT MARKETING IN TERMS OF SECTION 69 (2) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)
REGULATIONS RELATING TO THE PROTECTION OF PERSONAL INFORMATION, 2018 [Regulation 6.]
(Name of data subject)
(Name, address and contact details of responsible party)
Full names and designation of person signing on behalf of responsible party:
Signature of designated person
(full names of data subject) hereby:
Give my consent.
To receive direct marketing of goods or services to be marketed by means of electronic
SPECIFY GOODS or SERVICES:
SPECIFY METHOD OF COMMUNICATION:
E-MAIL:
OTHERS – SPECIFY:
Signed at _________________________ on this __________ day of _______________________ 20___ .
________________________________________________________________________________
Signature of data subject/designated person