Giving More Policy
PAIA & POPI Policy (“The Policy”)
This is the Giving More policy in terms of the Protection of Personal Information Act, No. 4 of 2013 (“POPIA”) and the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”) (“the Policy”).
This Policy applies to the business of Giving More as it is conducted on the internet; it applies to its Partners, Clients and consultants’ conduct.
A: PAIA Policy
1. PAIA is an act that was passed to give effect to the constitutional right, held by everyone in South Africa, of access to information which is held by the State or by another person (including Giving More) and which is required for the exercise or protection of any right. Where a request is made in terms of PAIA, the body to which the request is made is obliged to give access to the requested information, except where the Act expressly provides that the information may or must not be released. It is important to note that PAIA recognises certain limitations to the right of access to information, including, but not exclusively, limitations aimed at the reasonable protection of privacy, commercial confidentiality, and effective, efficient, and good governance and in a manner which balances that right with any other rights, including such rights contained in the Bill of Rights in the Constitution.
2. One of the main requirements specified in PAIA is the compilation of an information manual that provides information on both the types and categories of records held by a private body. This Policy serves as the Giving More Information Manual. This Policy is compiled in accordance with Section 51 of PAIA and the Schedule to POPIA. It is intended to give a description of the records held by and on behalf of Giving More, to outline the procedure to be followed on access to any of these records in the exercise of the right of access to information, with a view to enabling requesters to obtain records which they are entitled to in a quick, easy, and accessible manner. This Policy is available for public inspection on www.givingmore.co.za.
3. Giving More only keeps the Personal Information of its partners and clients as defined in the POPIA Policy below. Partners and clients shall at all times have access to such data and retrieve it in full via www.givingmore.co.za.
Note: POPIA compliance is still in its infancy. The procedures and guidelines in this Policy are drafted using the best available guidance from the Information Regulator as of 1 July, 2021 and hence this Policy is Version 1.0. Giving More notes that it will amend this document should practices and procedures change in due course.
1. POPIA is intended to balance two competing interests. These are:
(a) our individual constitutional rights to privacy (which requires our Personal Information to be protected); and
(b) the needs of our society to have access to and to process (work with) our Personal Information for legitimate purposes, including the purpose of doing business.
2. This Policy sets out the framework for Giving More’s compliance with POPIA. Where reference is made to the “processing” of Personal Information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.
3. The purpose of this policy is to enable Giving More to:
(a) comply with the law in respect of the data it holds about partners and clients (known as Data Subjects in the POPIA);
(b) follow good reasonable commercial practice; &
(c) protect the Giving More consultants and other individuals.
Giving More Undertakings
4. Giving More will always:
(a) comply with both the law and good practice;
(b) respect individuals’ rights;
(c) be open and honest with individuals whose data is held; &
(d) provide training and support for consultants who handle personal data, so that they can act confidently and consistently with regards to PAIA and POPIA.
5. POPIA aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are considered. In addition to being open and transparent, Giving More will seek to keep individuals up to date as much as is possible and reasonable over what data is held and how it is used via its web site.
6. Giving More undertakes to follow POPIA at all relevant times and to process Personal Information lawfully and reasonably, so as not to infringe unnecessarily on the privacy of our partners and clients. Giving More recognises that its first priority under POPIA is to avoid causing harm to individuals. In the main this means:
(a) Giving More undertakes to process information only for the purpose for which it is intended, to enable us to do our work, as agreed with our partners and clients;
(b) keeping information securely in the right hands;
(c) retention of good quality information;
(d) Giving More accepts that partners and clients have given tacit consent to process Personal Information by virtue of that fact;
(e) Giving More will be following a legal obligation placed upon us to protect a legitimate interest that requires protection;
(f) Giving More shall stop processing Personal Information if consent is specifically formally withdrawn, or if a legitimate objection is raised;
(g) Giving More shall retain records of the Personal Information collected for the minimum period as required by law unless the partner and client has furnished their consent or instructed us to retain the records for a longer period;
(h) Giving More shall delete records as soon as reasonably possible after the time period for which Giving More uses said data;
(i) Giving More undertakes to ensure that the Personal Information which Giving More collects and processes is complete, accurate and not misleading and up to date;
(j) Giving More undertakes to retain the electronic data related to the processing of the Personal Information; &
(k) Giving More undertakes to take special care with partner and client details and Giving More is not entitled to disclose or procure the disclosure of such details to any third party.
7. Giving More shall collect Personal Information directly from partners and clients whose information is required, unless:
(a) the information is of public record;
(b) the partner and client have consented to the collection of their Personal Information from another source;
(c) the collection of the information from another source does not prejudice the partner and client;
(d) the information to be collected is necessary for the maintenance of law and order or national security;
(e) the information is being collected to comply with a legal obligation, including an obligation to SARS;
(f) the information collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated;
(g) the information is required to maintain our legitimate interests; or
(h) where requesting consent is not reasonably practical in the circumstances.
8. Giving More shall restrict the processing of Personal Information:
(a) where the accuracy of the information is contested, for a period sufficient to enable us to verify the accuracy of the information;
(b) where the purpose for which the Personal Information was collected has been achieved and where the Personal Information is being retained only for the purposes of proof; or
(c) where the partner and client requests that the Personal Information be transmitted to another automated data processing system.
9. According to POPIA ‘‘Personal Information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The POPIA, which has more specific examples if you need them, can be found at the following link: https://popia.co.za/section-1-definitions/
Giving More collects any and all information to promote and market the partner and client for mutual benefit.
10. Giving More may automatically collect non-Personal Information about a partner and client to assist in providing an effective service.
11. Giving More has identified the following potential key risks, which this Policy is designed to address:
(a) breach of confidentiality (information being given out inappropriately);
(b) insufficient clarity about the range of uses to which data will be put — leading to Data Subjects (our partners and clients) being insufficiently informed;
(c) failure to offer choice about data use when appropriate;
(d) breach of security by allowing unauthorised access;
(e) harm to individuals if personal data is not up to date; &
(f) third party data operator contracts.
Partner & Clients Rights
12. The Partner and client hold the following specific rights:
(a) the partner and client may withdraw consent to the use of personal information;
(b) in cases where Giving More processes Personal Information without consent to protect a legitimate interest, to comply with the law or to pursue or protect our legitimate interests, the partner and client have the right to object to such processing; &
(c) all partners and clients are entitled to lodge a complaint regarding our application of POPIA with the
13. In order to secure the integrity and confidentiality of the Personal Information in our possession, and to protect it against loss or damage or unauthorised access, Giving More must continue to implement the following security safeguards:
(a) our business premises where records are kept must remain protected;
(b) archived files must be electronically stored and access control to these storage facilities must be implemented;
(c) all the user terminals on our internal computer network and our servers / PCs / laptops must be protected by passwords. This also applies to all external data storage;
(d) our email infrastructure must comply with industry standard security safeguards;
(e) if necessary, vulnerability assessments shall be carried out on our digital infrastructure to identify weaknesses in our systems and to ensure Giving More has adequate security in place;
(f) Giving More must use an internationally recognised firewall to protect the data on its servers, and must run antivirus protection continually to ensure its systems are kept updated;
(g) Giving More consultants must be trained to carry out their duties in compliance with POPIA, and this training must be ongoing;
(h) it must be an understanding with every consultant that they must maintain full confidentiality in respect of all of our partners’ and clients’ affairs, including our partners’ and clients’ Personal Information;
(i) consultants whose duty it is to process a partner and client’s Personal Information, must include an obligation: (1) to maintain Giving More’s security measures, and (2) to notify their manager/supervisor immediately if there are reasonable grounds to believe that the Personal Information of a partner and client has been accessed or acquired by any unauthorised person;
(j) the processing of the Personal Information of our consultants must take place in accordance with the rules contained in the relevant labour legislation; &
(k) the digital work profiles and privileges of consultants who have left our employ must be properly terminated.
These security safeguards must be verified on a regular basis to ensure effective implementation, and these safeguards must be continually updated in response to new risks or deficiencies.
14. Should it appear that the Personal Information of a partner and client has been accessed or acquired by an unauthorised person, Giving More must notify the Information Regulator and the relevant partner and client unless Giving More is no longer able to identify the partner and client. This notification must take place as soon as reasonably possible.
15. Such notification must be given to the Information Regulator first as it is possible that they, or another public body, might require the notification to the partner and client be delayed.
16. The notification to the partner and client must be communicated in writing in one of the following ways, with a view to ensuring that the notification reaches the partner and client:
(a) by email to the partner and client’s last known email address;
(b) by publication on the Giving More website, or in the news media; or
(c) as directed by the Information Regulator.
17. This notification to the partner and client must give sufficient information to enable the partner and client to protect themselves against the potential consequences of the security breach, and must include:
(a) a description of the possible consequences of the breach;
(b) details of the measures that Giving More intends to take or has taken to address the breach;
(c) the recommendation of what the partner and client could do to mitigate the adverse effects of the breach; &
(d) if known, the identity of the person who may have accessed, or acquired the Personal Information.
Correction of Personal Information
18. A partner and client is entitled to require Giving More to correct or delete Personal Information that Giving More has, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.
19. A partner and client is also entitled to require Giving More to destroy or delete records of Personal Information about the partner and client that Giving More is no longer authorised to retain.
20. Upon receipt of such a lawful request, Giving More must comply as soon as reasonably practicable:
(a) in the event that a dispute arises regarding the partner and client’s rights to have information corrected, and in the event that the partner and client so requires, Giving More must attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made; &
(b) Giving More must notify the partner and client who has made a request for their Personal Information to be corrected or deleted what action Giving More has taken as a result of such a request.
Special Personal Information
21. Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.
22. Giving More shall not process any of this special Personal Information without the partner and client’s consent, or where this is necessary for the establishment, exercise or defense of a right or an obligation in law.
23. Having regard to the nature of Giving More’s work, it is unlikely that Giving More will ever have to process special Personal Information, but should it be necessary the guidance of the Information Officer must be sought.
24. Giving More may only process the Personal Information of a minor if Giving More has the consent of the child’s parent or legal guardian.
25. Our Information Officer is our General Manager or is in a senior management position nominated and authorised by said General Manager in writing. Our Information Officer’s responsibilities include:
(a) encourage and ensure overall compliance with POPIA;
(b) encourage compliance with conditions for the lawful processing of Personal Information;
(c) deal with requests made by the Information Regulator or data subjects (individuals);
(d) work with the Regulator in relation to investigations conducted in accordance with the relevant provisions of POPIA;
(e) develop, implement and monitor a compliance framework;
(f) ensure that a personal information impact/risk assessment is performed to guarantee that adequate measures and standards exist within the entity;
(g) develop, monitor, maintain and make available a PAIA manual;
(h) develop internal measures and adequate systems to process requests for access to information; &
(i) ensure that internal awareness sessions are conducted regarding the provisions of POPI, the regulations and any codes of conduct or information obtained from the Regulator.
26. Our Information Officer will take up his duties with immediate effect.
27. In carrying out their duties, our Information Officer must ensure that:
(a) this Policy is implemented;
(b) this Policy is developed, monitored, maintained, and made available;
(c) internal measures are developed together with adequate systems to process requests for information or access to information;
(d) internal awareness sessions are conducted regarding the provisions of POPIA, the Regulations, codes of conduct or information obtained from the Information Regulator; &
(e) copies of this Policy are provided to persons at their request (hard copies to be provided upon payment of a fee).
28. Guidance notes on Information Officers have been published by the Information Regulator and our Information Officer must familiarise himself / herself with the content of these notes.
29. Partners and clients can rest assured that unless Giving More is legally obliged to share their Personal Information, Giving More will only share so much of a partner and client’s Personal Information as is needed by the authority that requires it, and we will only do so when it is necessary for Giving More to do its work for the partner and client. In addition, all of our consultants are bound by confidential undertakings.
30. Should a partner and client have any concerns with the way in which Giving More is processing their Personal Information, the partner and client is entitled to lodge a complaint with the Information Regulator, whose contact details are:
33 Hoofd Street
Forum III, 3rd Floor, Braampark
P.O Box 31533
Braamfontein, Johannesburg, 2017
Complaints email: complaints.IR@justice.gov.za
General enquiries email: firstname.lastname@example.org
Staff Training & Acceptance of Responsibilities
31. Giving More’s Information Officer will ensure that all consultants who have access to any kind of Personal Information will have their responsibilities outlined during their induction procedures. Continuing training will provide opportunities for consultants to explore POPIA issues through training, team meetings, and supervision. The procedure for consultants signifying acceptance of the Policy will ensure that all consultants accept this Policy once they have had a chance to understand the Policy and their responsibilities in terms of the Policy and POPIA.
32. Giving More may only carry out direct marketing (using any form of electronic communication) to partners and clients if:
(a) they have been given an opportunity to object to receiving direct marketing material by electronic communication at the time that their Personal Information was collected; &
(b) they did not object then or at any time after receiving any such direct marketing communications from Giving More.
33. Giving More may only approach partners and clients using their Personal Information if Giving More has obtained their Personal Information in the context of providing services associated with our business to them and Giving More may then only market Giving More services to them.
34. Giving More may approach a person to ask for their consent to receive direct marketing material, but Giving More may not do so if they have previously refused their consent.
35. All direct marketing communications must disclose a partner and client’s identity and must contain an address or opt-out functionality, to which the partner and client may send a request that the communications cease.
Transborder Information Flows
36. Giving More may not transfer a partner and client’s Personal Information to a third party in a foreign country, unless:
(a) the partner and client consents to this, or requests it;
(b) such third party is subject to a law, binding corporate rules or a binding agreement which protects the Personal Information in a manner similar to POPIA, and such third party is governed by similar rules which prohibit the onward transfer of the Personal Information to a third party in another country;
(c) the transfer of the Personal Information is required for the performance of the contract between ourselves and the partner and client;
(d) the transfer is necessary for the conclusion or performance of a contract for the benefit of the partner and client entered into between Giving More and the third party; or
(e) the transfer of the Personal Information is for the benefit of the partner and client and it is not reasonably possible to obtain their consent and that if it is possible the partner and client would be likely to give such consent.
Offences & Penalties
37. POPIA provides for serious penalties for the contravention of its terms. For minor offences, a guilty party can receive a fine or be imprisoned for up to 12 months. For serious offences, the period of imprisonment rises to a maximum of 10 years. Administrative fines for Giving More can reach a maximum of R10 million.
38. Breaches of this Policy by consultants will also be viewed as a serious disciplinary offence.
39. It is therefore imperative that Giving More complies strictly with the terms of this Policy and protects our partners’ and clients’ Personal Information to an international standard.
40. This Policy shall be governed by and construed in accordance with the laws of South Africa.