PROTECTION OF PERSONAL INFORMATION POLICY AND PROCEDURE
Document Title | POPI Act Policy and Procedure | |
Document Number | QMS | Reviewed by | S Fuhr
Page Number | Page 01 of 03 | Designation | Quality Assurer
Date Compiled | June 2021 | Signature | S. Fuhr
Version Control No | Approved by QMS Manager | Approved |
Access | Controlled | Next Revision Date | June 2024
POLICY:
Beauty Therapy Institute Students and Staff are entitled to have all of their personal information stored privately, without exposure to any external perusal. Because Beauty Therapy Institute colleges “process” (collect, use, manage, store, share, destroy and the like) personal information relating to “data subjects” (customers, members, employees and so on), we are a “responsible party” in the process.
PROCEDURE:
1. Information Officer: Identify an “Information Officer” who will be responsible and liable for all compliance duties, working with the Regulator, establishing procedures, and training your team in awareness and compliance. The Principal or Franchisee is automatically your business’ Information Officer. Where both a Franchisee and an appointed Principal exist in your business, agreement is needed between them as to who holds the role. The Franchisee could be any partner in a partnership of the franchise, or, in respect of a “juristic person” such as a company, the CEO, MD or “equivalent officer”. You, your partnership or your company can “duly authorise” another person in the business (management level or above) to act as Information Officer, and you can designate one or more employees (again management level or above) as “Deputy Information Officers”. You will need to register both Information Officers and Deputy Information Officers with the Regulator. Download the manual Registration Form here.
2. Assess what personal information you hold, how you hold it, and why: To collect and “process” such information lawfully you need to be able to show that you are acting lawfully, reasonably and safely, in a manner that does not infringe the data subject’s privacy.
You must show that given the purpose for which it is processed, it is adequate, relevant and not excessive. Data can only be collected for a specific purpose related to your business activities and can only be retained so long as you legitimately need to or are allowed to keep it. You may not collect or hold personal information without good and lawful cause.
3. Check security measures, know what to do about breaches: You must secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable, technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information. Should a breach occur as a result of a reasonably foreseeable risk, you may face serious consequences unless you can prove that you took steps to establish and maintain appropriate safeguards against those risks.
Guard against cyber-attacks with appropriate security software, as this tends to be the highest risk. However, there are other risks out there. Your team needs to ensure that all potentially vulnerable areas are considered and fixed. Any actual or suspected breaches (called “security compromises” in POPIA) must be reported as soon as reasonably possible to both the Information Regulator and the data subject/s involved.
If third parties (operators) hold or process any personal information for you, they must act with your authority, treat the information as confidential, and have in place all the appropriate security measures.
4. Check if you do any direct marketing: Most businesses don’t think of themselves as doing any “direct marketing”, but the definition is wide and includes “any approach” to a data subject “for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject”. For example, just emailing or WhatsApping our students about a new product or a special offer will put us into the direct marketing arena.
If your approach is by means of “any form of electronic communication, including automatic calling machines, SMSs or e-mails”, you must observe strict limits. Whilst you can, as a general proposition, market to existing students or clients in respect of “similar products or services”, there are limits. Recipients must be able to “opt out” at any stage. New potential students and clients can only be marketed to with their consent, i.e. you need to have an “opt-in” facility.
5. Ensure procedures are followed and staff are trained on them: Ensure you follow the filing system document issued and stored in the Franchisee Operations Manual (FOM) in the Filing System folder. Make sure all employees know what is involved in the security and storage of students’ personal information. Cover how you will collect the data from the student, process it, store it, for how long, and for what purpose/s. Ensure client cards are stored safely away from other students or clients. Ensure consent forms are completed and stored away from free access.
Implement the POPI Act as a matter of course. Make sure that no functions fall between two people. Clearly assign individual compliance tasks to named staff members and make sure everyone understands who is to do what.
BEAUTY THERAPY INSTITUTE STORAGE AND ACCESS POLICY
- Storeroom: A lockable cupboard/storeroom/filing cabinet is available on the premises which provides storage for files and paperwork containing students’ information.
- Learners may not be permitted entry into the cupboard/storeroom/filing cabinet unless under the supervision of a staff member and with explicit permission.
- Confidentiality: No learner is entitled to access the files of another learner. This is as laid out in the Confidentiality Policy.
- Computer: The computer is used for record keeping. It has to be password controlled.
- Staff members are informed of the password.
- Each computer has a different password.
- Should you have free wifi access for students and clients, ensure the college’s own network is not openly accessible over this wifi.
- No learners may have access to any passwords.
- Computers are switched off at night, with no access by any learners.
- During the day, screensavers come on within seconds so as to hide any work that is currently being worked on.
- All data is backed up either to the cloud, a backup drive or an electronic storage system.
- All systems are password controlled, e.g. BTITeams, OneDrive and ITSI.
- Learners are not permitted entry into the administration offices/lecturers office unless a staff member is present.
- The Lecturers’ office and Admin office need to be locked when unoccupied.
- Exam papers and students’ private information may not lie on a desk for all to freely see.
- Principal’s office: All printed exam papers are stored in a lockable cupboard/storeroom/cabinet, which is unmarked.
- If it was discovered that exam papers had been leaked, the exam would be rescheduled and a new exam paper would be set up.
- If rescheduling is impossible, a new exam will have to be set up expediently, so as to enable the students to write the same day.
- All written answer sheets are stored confidentially in the office.
- Beauty Therapy Institute keeps alternative exam papers on file on password protected computers, which would enable quick turn-around time for new papers.
- The learner or staff member responsible for leaking information will be dealt with according to the Rules and Regulations for Transgressions.
- Access to the building is permitted by registered learners at the college once the college is unlocked by a responsible employee.
- Each learner enters the building under restrictions of the building/when employees give them access.
- All learners sign in on an attendance and COVID register to prove attendance at the college.
© Sandy Roy Beauty Therapy Institute (Pty) Ltd
- All learners accumulate hours of attendance on course planners.
- All data records are kept in the lockable storage space for a period of 10 years and form the archives.
- All documents disposed of are required to be shredded to protect the student/employee from the use of their personal information.
- POPI refers to anything with a person’s name or their company details on it, e.g. certificates, exam papers, suppliers’, accounts, students’ and franchisees’ information, etc.
- Minutes, board meetings, agreements, databases, exam marks, academic records, Learner agreements, new business development docs, cellphone registration documents, email registration documents. Anything which shows race, sex, gender, etc will be protected according to POPI.
- All staff information will be stored confidentially, away from external view, e.g. CVs, certificates, employment contracts, salary slips, banking information, etc.
- By means of all agreements between franchisee and franchisor, all franchisees and employees hereby agree and commit to the Sandy Roy Beauty Therapy Institute (Pty) Ltd franchisor to adhere to the general POPI practices in terms of safeguarding all information.
- In return, the Sandy Roy Beauty Therapy Institute (Pty) Ltd commits to protecting all of the personal information of staff, employees, franchisees, students, suppliers and all private information gained from this role.
- See the POPI PowerPoint document issued to all franchisees to inform them of the protocol.