POPI Policy

PROTECTION OF PERSONAL INFORMATION MANAGEMENT POLICY

1. Introduction:

This Policy is drafted in terms of the Protection of Personal Information Act of 2013 (POPI). POPI introduces dedicated data protection legislation to South Africa and is a combination of Cyber, Legal and Security.

One Call Insurance Brokers (Pty) Ltd (“the Company”) is licensed with the Financial Sector Conduct Authority as a Financial Services Provider (“FSP”) with license number 13233. As an authorized FSP, the Company is obliged to comply with POPI. All employees of the Company who are involved in the business of the Company are obliged to conduct themselves in a professional manner and in line with this Policy.

2. Purpose of this Policy:

This Policy seeks to promote the protection of personal information that is processed on a daily basis by the Company and all employees of the Company who are involved in the business of the Company, and to adopt and implement measures that enable clients to exercise their constitutional right to privacy by safeguarding personal information when it is processed by the Company. Further, it seeks to set out the processes, procedures and internal controls that facilitate compliance with the Policy, as well as to highlight the consequences of non-compliance with the Policy by the Company’s employees and representatives.

3. Guideline:

This Policy does not prevent the Company from exercising or performing its duties and functions in terms of the law as far as such functions and duties relate to the processing of personal information. The Policy provides a guide as to what constitutes safeguarding and non-disclosure of personal information, the processes and procedures that are in place to facilitate compliance, and the consequences of non-compliance. The Policy is intended to assist employees in making the right decisions when confronted with potential risks of disclosing personal information to third parties.

4. Leadership:

The Company’s Board of Directors oversees the business of the Company, including compliance with all applicable legislation and this Policy. Management plays a key role in the application of this Policy and is expected to demonstrate personal commitment to this Policy and to ensure compliance by employees accordingly. Management is obliged to maintain a workplace environment that nurtures and ensures compliance with this Policy and is expected to report any actual or suspected failure to comply with the provisions of this Policy or the Protection of Personal Information regulations.

5. The Policy applies to:

All directors, officers, employees, representatives, associates, brokers and consultants of the Company are required to comply with this Policy. The Policy applies across the whole spectrum of the Company’s business.

An associate, in terms of Section 1 of the General Code of authorized Financial Services Provider and Representatives, in relation to a juristic person which is a company, means all subsidiaries and other juristic persons and group holding companies and group subsidiaries.

6. Definitions:

6.1 A record: A record is defined to include recorded information in any form or medium in the possession of/under the control of a responsible party whether or not it was created by a responsible party and regardless of when it came into existence.

6.2 A person: Means a natural person (living) or a juristic person.

6.3 Personal information: Is information relating to an identifiable, living, natural person and where it is applicable an identifiable, existing juristic person, including, but not limited to name, race, sex, pregnancy, marital status, ethnicity, colour, sexual orientation, age, health, religion, language, education, identifying number, email address, physical address, telephone number, location information etc. of a person.

The guiding principles of this Policy are that the Company and its representatives must, when rendering financial services, act honestly, fairly, with due care, skill and diligence. There must, at all times, be a due regard to the interest of the clients and the integrity of the Company as well as that of the financial service industry as a whole.

7. Application Provisions:

7.1 Exclusions: POPI does not affect the processing of personal information –

This policy applies to the processing and storing of personal information by One Call Insurance Brokers Pty Ltd (OCIB

During a purely personal or household activity

That has been deleted to the extent that it cannot be resurrected.

The action of removing the name and other identifiers from a record is called de-identification.

By or for the state, if it involves national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defense, or public safety or the prevention of crime.

By cabinet, provincial executive councils and municipal councils.

It relates to the exercise of judicial functions.

If it has been specifically exempted and

In cases where other legislation regulates the processing of information

8. Eight Information Protection Principles

8.1 ACCOUNTABILITY: The responsible party must ensure that the principles set out in this policy are complied with. The operators of the responsible party must also comply with the principles.

8.2 PROCESSING LIMITATION: Personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject. Personal information may only be processed if it is adequate, relevant and not excessive. Subject to any other law, any immaterial financial interest (see the definition below), fees or remuneration for rendering of a service to a third party (such as a product supplier, another provider, or an associate of either of these), or a distribution channel (such as an arrangement between a product supplier or any of its associates and one or more providers and any of its associates), which fees or remuneration are reasonably commensurate to the service being rendered;

8.3 PURPOSE SPECIFICATION: Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party. Identify the purpose for which the information will be used. Only collect information that is needed. Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed unless: –

8.3.1 Retention of the record is required or authorised by law;

8.3.2 The responsible party reasonably requires the record for lawful purposes;

Retention of the record is required by a contract between parties;

The data subject consented to the extended retention.

One Call Insurance Brokers is responsible for processing personal information as the responsible party.

The individual or company whose information is being processed, for example a client, is the data subject.

8.3.3 Personal records must be destroyed or deleted as soon as reasonably practicable and in a manner that prevents its reconstruction.

8.4 FURTHER PROCESSING LIMITATION: Further processing must be compatible with the purpose for which information was collected taking account of:

8.4.1 The nature of the information concerned;

8.4.2 Consequences of intended further processing for the data subject;

8.4.3 The way the information was collected and any contractual rights and obligations between the parties.

8.4.4 The further processing of personal information is not incompatible with the purpose of collection if the data subject has consented to the further processing of the information.

8.5 INFORMATION QUALITY: The Company takes reasonable practical steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.

8.6 OPENNESS: The Company maintains the documentation of all processing operations under its responsibility as referred to in section 14 of 51 of the Promotion of Access to Information Act.

8.7 SECURITY SAFEGUARDS: The Company ensures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent –

8.7.1 Loss, damage or unauthorised destruction of the personal information;

8.7.2 Unlawful access to, or processing of the personal information.

The Company has the following measures in place to safeguard personal information of its clients and employees:

| PERSONAL INFORMATION | MEASURES IN PLACE |
| --- | --- |
| MARKETING | One Call obtains consent from clients for marketing. |
| ITC CHECKS | One Call obtains consent from clients to conduct ITC checks before quoting. |
| CLIENT INFORMATION | Client information is recorded on One Call systems and via/through recordings which are password protected. Service Level Agreements are in place including confidentiality clauses. |
| DEALER INFORMATION | Dealer information is recorded on One Call systems for payments which are password protected. Service Level Agreements are in place including confidentiality clause. |
| DISCARDING OF CONFIDENTIAL DOCUMENTATION | Outsourced services are used for shredding confidential documentation on a monthly basis. Service Level Agreements are in place including confidentiality clauses. |
| RECORD KEEPING | Records are kept on One Call systems which are password protected. Service Level Agreements are in place including confidentiality clause. |
| EMPLOYEE INFORMATION | Employee information is kept on a secure server with limited access to only HR and selected Management. |
| COMPANY BANKING | Secure online banking which requires two signatories’ authorisation. |
| EMPLOYEE LAPTOPS AND DESKTOPS | Laptops and desktops are password protected, and passwords need to be changed on a regular basis. Internet virus protection is in place. |
| BACK UPS OF RECORDS ONSITE | All backups are done in the cloud. |
| BACK UPS OF RECORDS OFFSITE | No records are kept offsite. |

8.8 DATA SUBJECT PARTICIPATION: A client having provided adequate proof of identity has the right to request confirmation, free of charge, the record or description of the personal information, including information about the identity of all third parties who have had access to the information. A client has the right to request the Company to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully or destroy or delete personal information that the Company is no longer authorised to retain.

 

9. Direct Marketing:

9.1 E-mail is prohibited unless the client has given his, her or its consent to the processing or, is a customer of the Company.

9.2 The Company only obtains the contact details of the client in the context of the sale of a product or service.

9.3 For the purpose of direct marketing of the Company’s own or similar products or services and if the client has been given reasonable opportunity to object, free of charge, at the time the information was collected or on the occasion of each communication for the purpose of marketing.

9.4 The Company will only approach a client whose consent is required, and who has not previously withheld such consent, only once in order to request the consent of the client.

10. Consequences of non-compliance with this Policy:

A violation of this Policy is a serious matter that could cause harm to the Company and its clients.

Any employee of the Company who fails to comply with this Policy will be subjected to the appropriate disciplinary proceedings in terms of the Company’s Disciplinary Code, which could result in the termination of their employment with the Company.

11. Amendments to this Policy:

The Company reserves the right to determine how this Policy applies to any particular situation and to amend or modify this Policy as it, in its discretion, deems appropriate, without giving prior notice to or having been in consultation or reaching agreement with any provider / its representative. All amendments that the Company may make to this Policy shall be communicated to Company employees.

12. Complaints:

Complaints must be made in writing. On receipt of a complaint the regulator may conduct a pre-investigation into the matter and may:

  • Act as a conciliator in relation to the dispute
  • Decide to take no action
  • Conduct a full investigation
  • Refer the complaint to the enforcement

13. Publication and reporting:

This Policy is available on the Company’s website at www.onecall-sa.com. The Company’s annual Compliance Management report will include a report on accessibility, implementation, monitoring and compliance of this Policy.

14. Management of POPIA:

This Policy forms part of the risk management framework of the Company. The Risk and Compliance Department of the Company is responsible for the identification and management of any breach of the POPIA. All queries regarding this Policy can be directed to the Information Officer.

Brian van der Walt – brianw@onecall-sa.com

 
