PROTECTION OF PERSONAL DATA POLICY
- OBJECTIVE AND SCOPE OF POLICY
This Policy seeks to ensure that MPV:
- Complies with national legal standards and best practices for the receipt, importing, processing, handling, storing, sharing and disposal of personal information belonging to individuals and legal entities (“data subjects”), which data subjects include without detracting from the generality thereof, employees, service providers, clients, and third parties;
- Protects the privacy rights of all data subjects with whom it engages;
- Is transparent in relation to the processing of personal data, especially in relation to what personal information it collects, the reasons for such collection and how it collects, handles, shares, stores and destroys such personal data; and
- Is aware of the risks in relation to the personal information including data breaches, unlawful access to personal data protection controls in order to manage data risks. Importantly this Policy establishes uniform and suitable data protection procedures and standards for MPV for the processing of personal data.
In line with the above this Policy sets out:
- MPV’s responsibilities under the data protection laws in South Africa, and how it will comply with these laws;
- How MPV processes personal data which is owned, applies to and/or relates to identifiable or identified individuals and legal entities, including employees, service providers, and other third parties, known as data subjects; and
- The instruction of MPV employees or representatives when handling personal data.
- APPLICABLE LAWS
The Protection of Personal Information Act, 14 of 2013 (“POPIA”), which applies to both natural and legal persons, defines ‘‘personal information’’ as information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person.
The term “data privacy” is used in this policy as an umbrella term to encompass concepts of autonomy, privacy, protection of personal information or data protection, security and responsible personal information or data management.
The terms “personal data” and “personal information” are used interchangeably in this Policy to describe any information relating to an identified or identifiable natural person (“data subject”), consistent with the provisions of POPIA in relation to personal information.
- PERSONAL DATA OBTAINED AND STORED
MPV collects and processes personal data mainly to contact data subjects in order to understand the requirements of the data subject, and to deliver services accordingly. For this purpose, MPV will collect contact details and other relevant personal information of the data subject.
MPV collects information directly from data subjects, where personal details are provided by the data subject. Where possible, MPV will inform the data subject what information the data subject is required to provide to MPV and what information is optional.
MPV’s website usage information may be collected using “cookies” which allow MPV to collect standard internet visitor usage information.
- SECURITY AND PROTECTION OF PERSONAL DATA
The personal information that MPV, its directors, employees and representatives collect and process must be secured by appropriate technical and organisational measures which guard against accidental loss, destruction or damage, and against unauthorised or unlawful processing.
MPV has developed, implemented and maintains appropriate technical and organisational measures for the processing of personal information taking into account the nature, scope, context and purposes for such processing, the volume of personal information processed and the likelihood and severity of the risks of such processing for the rights of data subjects and has procedures in place to ensure that it regularly evaluates and tests the effectiveness of such measures to ensure that they are adequate and effective.
Directors, employees and others processing personal information on behalf of the Company must ensure that they:
- Observe and comply with all MPV’s information security policies, especially those pertaining to personal information security at all times;
- Do not attempt to circumvent any administrative, physical or technical measures that MPV has implemented as doing so may result in disciplinary action and in certain circumstances, may constitute a criminal offence, give rise to civil liability or administrative penalties;
- Ensure that the confidentiality and security of personal information is maintained at all times;
- Ensure that they only store personal information on MPV servers which are protected by approved security software, and one or more firewalls under the direction of the applicable service provider and where transferred or uploaded to cloud computing services from computers, devices and applications, that these services have been approved by their applicable service provider;
- Ensure that prescribed security measures and controls are implemented, or where instructed, followed to prevent all and any unauthorised access to personal information, the accidental deletion of personal information or the exposure of personal information to malicious hacking attempts;
- Ensure that all devices where personal information is stored, are password protected and that passwords are not written down or shared, which passwords must be strong passwords which are changed regularly. If a password is forgotten, it must be reset using the applicable method;
- Ensure that all hard copies of personal data, along with any electronic copies stored on physical or removable media are stored securely in a locked box, drawer, cabinet, or similar, and that such data is not removed from MPV’s premises unless with prior approval from the data subject’s departmental head and when so removed, that such data is encrypted if it is on a removable media device.
- Ensure that all personal information stored electronically is regularly backed up using MPV’s provided systems and applications and in accordance with backup protocols. Such backups will be tested regularly in line with MPV’s standard backup procedures and protocols under the direction of their applicable service provider.
- Ensure that where personal information is stored on paper, that it is not left in places where persons can view the data, e.g. on a printer, but instead is kept in a secure place where an unauthorised person cannot access or see it, such as in a locked drawer, safe or cabinet and that when no longer required, that same is shredded;
- Ensure that when any personal information is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
- Ensure that all device screens, when not in use, are always locked especially when left unattended;
- Ensure that all personal information transferred within the MPV’s network and infrastructure is only transmitted over secure networks, including wireless and wired networks;
- Ensure that personal information is not transferred or sent to any entity not authorised directly to receive it;
- Ensure that personal information is not being kept in a form that identifies a data subject for longer than is necessary in relation to the purposes for which it was collected (except in order to comply with any legal, accounting or reporting requirements);
- Ensure that generally all personal information is handled with care at all times, kept confidential, and that it is not left unattended or on view to unauthorised employees; and
- Ensure that all software (including, but not limited to, applications and operating systems) used in connection with MPV are installed on MPV owned computers or devices and which have been installed by and with the prior approval of the IT department, which software must at all times be kept up-to-date.
- RECORD KEEPING
MPV undertakes to keep full and accurate records of all its processing activities in accordance with the data processing laws and related requirements.
- REPORTING PERSONAL INFORMATION BREACHES
In the event of a personal information breach, MPV has a duty to give notice of such breach to the Information Regulator in South Africa, and to the affected data subjects.
PAIA MANUAL
1. INTRODUCTION
Mpumalanga Property Valuers Pty Ltd (Registration Number: 2002/021718/07) is a private company registered in the Republic of South Africa. The company renders valuation services of immovable property.
2. PURPOSE OF PAIA MANUAL
This PAIA Manual is useful to-
- check the categories of records held by Mpumalanga Property Valuers Pty Ltd which are available without a person having to submit a formal PAIA request,
- have a sufficient understanding of how to make a request for access to a record of Mpumalanga Property Valuers Pty Ltd, by providing a description of the subjects on which Mpumalanga Property Valuers Pty Ltd holds records and the categories of records held on each subject,
- know the description of the records of Mpumalanga Property Valuers Pty Ltd which are available in accordance with any other legislation,
- access all the relevant contact details of the Information Officer who will assist the public with the records they intend to access,
- know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it,
- know if Mpumalanga Property Valuers Pty Ltd will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto,
- know the description of the categories of data subjects and of the information or categories of information relating thereto,
- know the recipients or categories of recipients to whom the personal information may be supplied,
- know if Mpumalanga Property Valuers Pty Ltd has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied, and
- know whether Mpumalanga Property Valuers Pty Ltd has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.
3. KEY CONTACT DETAILS FOR ACCESS TO INFORMATION OF THE MPUMALANGA PROPERTY VALUERS PTY LTD
- Chief Information Officer
Name: Carina van der Merwe
Tel: 013 745 7235
Email: carina@mpupropval.co.za
Fax number: 013 745 7237
- Access to information general contacts
Email: carina@mpupropval.co.za
- Head Office
Postal Address: PO Box 12214, Nelspruit, 1200
Physical Address: Unit 206, 29@Marloth, 11 Venter street, Nelspruit
Telephone: 013 745 7235
Email: carina@mpupropval.co.za
Website: www.mpupropval.co.za
4. GUIDE ON HOW TO USE PAIA AND HOW TO OBTAIN ACCESS TO THE GUIDE
- The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised Guide on how to use PAIA (“Guide”), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.
- The guide is available in English only.
- The aforesaid Guide contains the description of-
- the objects of PAIA and POPIA,
- the postal and street address, phone and fax number and, if available, electronic mail address of-
- the Information Officer of every public body, and
- the manner and form of a request for-
- access to a record of a public body contemplated in section 11[3]; and
- access to a record of a private body contemplated in section 50[4];
- the assistance available from the IO of a public body in terms of PAIA and POPIA,
- the assistance available from the Regulator in terms of PAIA and POPIA,
- all remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging-
- an internal appeal,
- a complaint to the Regulator; and
- an application with a court against a decision by the information officer of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body,
- the provisions of sections 14[5] and 51[6] requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual,
- the provisions of sections 15[7] and 52[8] providing for the voluntary disclosure of categories of records by a public body and private body, respectively,
- the notices issued in terms of sections 22[9] and 54[10] regarding fees to be paid in relation to requests for access; and
- the regulations made in terms of section 92[11].
- Members of the public can inspect or make copies of the Guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours.
- The Guide can also be obtained
- upon request to the Information Officer,
- from the website of the Regulator (https://www.justice.gov.za/inforeg/).
- A copy of the Guide is also available in English for public inspection during normal office hours
5. CATEGORIES OF RECORDS OF MPUMALANGA PROPERTY VALUERS PTY LTD WHICH ARE AVAILABLE WITHOUT A PERSON HAVING TO REQUEST ACCESS
5.1 Voluntary disclosure
5.1.1 Company Profile – Available on website
5.1.2 BBBEE certificate – Available on website
5.2 Records available in terms of other legislation (Information is available in terms of the following legislation to the persons or entities specified in such legislation, as well as the specific protections offered by such laws. As legislation changes from time to time, and new laws may stipulate new manners and extend the scope of access by persons specified in such entities, this list should be read as not being a final and complete list)
5.2.1 Business legislation (including all regulations issued in terms of such legislation)
The Companies Act 71 of 2008; Income Tax Act 58 of 1962; Value Added Tax Act 89 of 1991; Labour Relations Act 66 of 1995; Basic Conditions of Employment Act 75 of 1997; Employment Equity Act 55 of 1998; Skills Development Levies Act 9 of 1999; Unemployment Insurance Act 63 of 2001; Electronic Communications and Transactions Act 25 of 2002; Telecommunications Act 103 of 1996; Electronic Communications Act 36 of 2005; Consumer Protection Act 68 of 2008; Broad-based Black Economic Empowerment Act 53 of 2003; National Credit Act 34 of 2005; Long-term Insurance Act 52 of 1998; etc.
- The Property Valuers Profession Act, 2000 (Act No. 47 of 2000) – this legislation is of extreme relevance in the industry in which Mpumalanga Property Valuers Pty Ltd operates
6. CATEGORIES OF RECORDS HELD BY MPUMALANGA PROPERTY VALUERS PTY LTD
We hold records in the categories listed below. The fact that we list a record type here does not necessarily mean that we will disclose such records, and all access is subject to the evaluation processes outlined herein, which will be exercised in accordance with the requirements of the Act.
6.1 Internal records relating to the business, which includes our business’s founding and other documents, minutes and policies; annual and other reports; financial records; operational records, policies and procedures; contracts; licences, intellectual property; production, marketing records; other internal policies and procedures; internal correspondence; statutory records; insurance policies and records; etc.
6.2 Personnel records, which includes records relating to temporary employees, fixed term employees, part-time employees, permanent employees, contractors, directors, executive directors, non-executive directors. It includes personal files and similar records, records third parties have provided to us about their personnel; employment contracts, conditions of employment; workplace policies; disciplinary records; termination records; minutes of staff meetings; performance management records and systems and all employment-related records and correspondence.
6.3 Client records which include contact details and physical addresses
6.4 Supplier and service provider records, which includes supplier registrations; contracts; confidentiality agreements and non-disclosure agreements, communications; logs; delivery records; commissioned work; and similar information, some of which might be provided to us by such suppliers and providers under service- and other contracts. Technical records, which includes manuals, logs, electronic and cached information, product registrations, etc.
6.5 Third party information, which may be in our possession but which would be subject to the conditions set in relation to such possession and use or purpose limitations.
6.6 Environment and market information, which include information bought, publicly available information and commissioned information which pertains to the specific sector and market of our business and factors that affect the business.
7. PROCESSING OF PERSONAL INFORMATION
- Purpose of Processing Personal Information
- To render the service of valuation of immovable property for our clients
- The eight conditions for lawful processing of personal information in terms of the POPI Act
7.2.1 Accountability
As a Responsible Party, everything reasonably within a Responsible Party’s power must be performed, to ensure that the conditions imposed by the Government have been properly complied with by employees and business partners.
7.2.2 Processing Limitation
Information must be processed within the tenets of the law, and only that which is necessary to fulfil the Responsible Party’s business practices may be used. A Responsible Party must abide by the rule of consent and have measures in place to properly action any objections it might face, from data subjects.
7.2.3 Purpose specification
Information is only collected and used for carefully defined purposes and care should be taken to specify these purposes at points of collection. Information held by the Responsible Party should be held for minimal periods, ensuring that data is never retained for longer than is necessary to fulfil business practices or obligations to the law.
7.2.4 Further processing limitation:
Information that is retained, is only reused if this usage aligns with the purpose for which the Information was collected. Consent must be revisited at all instances where change is necessary.
7.2.5 Information quality:
Information usage must be guided by ‘quality over quantity’ and therefore a Responsible Party needs to ensure that the Information it manages is complete, accurate, not misleading in nature and updated wherever necessary.
7.2.6 Openness
A Responsible Party should be fully compliant with complementary laws such as the Promotion of Access to Information Act (2002), having comprehensive processes in place to provide access to Information for those requiring it. The Responsible Party should further ensure that no Information is collected unless the data subject fully understands and appreciates the implications of sharing their Information, and whom to contact if they are dissatisfied with their commitment to Information security.
7.2.7 Security safeguards
Responsible parties should conform to industry standards related to securing the Information which they hold, and be committed to contracting with other responsible parties who do the same. Every Responsible Party should ensure that its security systems and contingency plans are in place for breaches of security, and these should be tested at regular intervals.
7.2.8 Data subject participation
Parties have a right to know when their Information is being retained and what exactly is being retained. A Responsible Party should therefore have measures in place to answer any questions which their data subjects may have about their Information and the data subjects should be empowered to make corrections or request removals where necessary.
- Description of the categories of Data Subjects and of the information or categories of information relating thereto
- Customers / Clients – name, physical address, contact details
- Service Providers – name, registration numbers, VAT numbers, address and contact details
7.3.3 Employees / Contractors – names, identification numbers, address and contact details, gender, race, qualifications and criminal information
- The recipients or categories of recipients to whom the personal information may be supplied
- Identity number and name for criminal checks – South African Police Service
- Qualifications for qualification verification – South African Qualifications Authority
- Credit and payment history for credit and bankruptcy information – Credit Bureaus
- Planned transborder flows of personal information
Transborder flow of personal information is not applicable to Mpumalanga Property Valuers Pty Ltd
- General description of Information Security Measures to be implemented by the responsible party to ensure the confidentiality, integrity and availability of the information
- Operating in a paperless environment
- Internet Service Provider installs firewalls
- Anti-virus and Anti-malware software installed on computers / tablets
- All computers are username and password protected
- All email information has two-way authentication
- In-house management systems are username- and password-protected and date-stamped
- A copy of the Manual is available-
- on the website of Mpumalanga Property Valuers Pty Ltd (www.mpupropval.co.za),
- head office Mpumalanga Property Valuers Pty Ltd for public inspection during normal business hours,
- to any person upon request and upon the payment of a reasonable prescribed fee; and
- to the Information Regulator upon request.
- A fee for a copy of the Manual, as contemplated in annexure B of the Regulations, shall be payable per each A4-size photocopy made.
The head of Mpumalanga Property Valuers Pty Ltd will on a regular basis update this manual.
[1] Section 17(1) of PAIA- For the purposes of PAIA, each public body must, subject to legislation governing the employment of personnel of the public body concerned, designate such number of persons as deputy information officers as are necessary to render the public body as accessible as reasonably possible for requesters of its records.
[2] Section 56(a) of POPIA- Each public and private body must make provision, in the manner prescribed in section 17 of the Promotion of Access to Information Act, with the necessary changes, for the designation of such a number of persons, if any, as deputy information officers as is necessary to perform the duties and responsibilities as set out in section 55(1) of POPIA.
[3] Section 11(1) of PAIA- A requester must be given access to a record of a public body if that requester complies with all the procedural requirements in PAIA relating to a request for access to that record; and access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
[4] Section 50(1) of PAIA- A requester must be given access to any record of a private body if-
- that record is required for the exercise or protection of any rights;
- that person complies with the procedural requirements in PAIA relating to a request for access to that record; and
- access to that record is not refused in terms of any ground for refusal contemplated in Chapter 4 of this Part.
[5] Section 14(1) of PAIA- The information officer of a public body must, in at least three official languages, make available a manual containing information listed in paragraph 4 above.
[6] Section 51(1) of PAIA- The head of a private body must make available a manual containing the description of the information listed in paragraph 4 above.
[7] Section 15(1) of PAIA- The information officer of a public body, must make available in the prescribed manner a description of the categories of records of the public body that are automatically available without a person having to request access
[8] Section 52(1) of PAIA- The head of a private body may, on a voluntary basis, make available in the prescribed manner a description of the categories of records of the private body that are automatically available without a person having to request access
[9] Section 22(1) of PAIA- The information officer of a public body to whom a request for access is made, must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.
[10] Section 54(1) of PAIA- The head of a private body to whom a request for access is made must by notice require the requester to pay the prescribed request fee (if any), before further processing the request.
[11] Section 92(1) of PAIA provides that –“The Minister may, by notice in the Gazette, make regulations regarding-
(a) any matter which is required or permitted by this Act to be prescribed;
(b) any matter relating to the fees contemplated in sections 22 and 54;
(c) any notice required by this Act;
(d) uniform criteria to be applied by the information officer of a public body when deciding which categories of records are to be made available in terms of section 15; and
(e) any administrative or procedural matter necessary to give effect to the provisions of this Act.”