Last updated December 2020
AFA CONSULTANTS is committed to compliance with, and adheres to, the Protection of Personal Information Act (POPI), South Africa, and confirms that it complies with this legislation.
Introduction
The POPI Act requires AFA Consultants to:
- Sufficiently inform candidates/applicants/work-seekers (data subjects), hereafter referred to as candidates, of the purpose for which we will process their personal information;
- Protect AFA Consultants’ information from threats, whether internal or external, deliberate or accidental, to ensure business continuation, minimise business damage and maximise business opportunities.
This policy and compliance framework establishes measures and standards for the protection and lawful processing of personal information within our organisation and provides principles regarding the right of individuals to privacy and to reasonable safeguarding of their personal information.
1.Introduction and Purpose
- AFA Consultants is a company functioning within the recruitment services; payroll services; identity verifications and qualifications verifications space that is obligated to comply with The Protection of Personal Information Act 4 of 2013.
- POPIA requires AFA Consultants to inform the candidates/customers/consumers as to the manner in which their personal information is used, protected, disclosed and destroyed.
- AFA Consultants guarantees its commitment to protecting the consumer’s privacy and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
- This Policy sets out the manner in which AFA Consultants deals with the consumer’s personal information and stipulating the purpose for which said information is used.
- The Policy is available on the AFA Consultants website: afaconsulatnts.co.za and by requesting it from the AFA Consultants’ offices.
The purpose of this policy is to inform consumers and candidates and to enable AFA Consultants to:
- Comply with the laws in respect of personal information it holds about data subjects;
- Follow good practice;
- Protect AFA Consultants’ reputation;
- Protect AFA Consultants from the consequences of a breach of its responsibilities;
- Protect the Consumer against loss or breach of their personal information.
The Information Officer is responsible for:
- Conducting a preliminary assessment;
- The development, implementation and monitoring of this policy and compliance framework;
- Ensuring that this policy is supported by appropriate documentation;
- Ensuring that documentation is relevant and kept up to date;
- Ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable.
All employees, departments and individuals directly associated with AFA Consultants are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Officer. Any service provider that provides information technology services, including data storage facilities, to our organisation must adhere to the requirements of the POPI Act to ensure adequate protection of personal information held by them on our behalf. Written confirmation to this effect must be obtained from relevant service providers.
2.Background
The Protection of Personal Information Act 4 of 2013 is one of the high reputational risk pieces of legislation AFA Consultants has to comply with. The purpose of this legislation is to regulate the processing of personal information by public and private bodies. This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPIA Act).
3.Definitions
3.1 Data subject means the person to whom personal information relates (candidates / jobseekers and people seeking identity, qualifications and criminal verifications)
3.2 POPIA refers to the Protection of Personal Information Act 4 of 2013
3.3 Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:
- the collection of records, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
3.4 Record means any recorded information-
a) regardless of form or medium, including any of the following:
- curriculum vitae;
- information produced, recorded or stored by means of any CV copies, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- addresses,
- cell phone numbers,
- references,
- fingerprints,
- qualifications,
- photographs,
- in the possession or under the control of a responsible party;
- whether or not it was created by a responsible party and
- regardless of when it came into existence.
- Responsible party means a public or private body or any other person, which, alone or in conjunction with others determines the purpose of and means for processing personal information.
- Personal Information means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
- information relating to the race, gender, sex, marital status, national, ethnic or social origin, colour, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person.
- information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person and;
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
4 Responsibilities
AFA Consultants guarantees its commitment to protecting client and consumer/candidate privacy and ensuring their personal information is used appropriately, transparently, securely and in accordance with applicable laws, as far as it applies to our specific industry.
5 Compliance with regard to Protection of Personal Information.
- AFA Consultants takes reasonable steps to ensure that personal information obtained from candidates is stored safely and securely.
- This includes CVs, Resumes, References, Qualifications, Integrity Checks and any other personal information that may be obtained for the purpose of candidate representation.
5.1 Data subjects have the following rights:
- Objection to the use of personal information.
- Notification if information is being used for something other than what was consented for.
- Establishing whether the responsible party holds information.
- Request that information be corrected, destroyed or deleted.
- Refuse processing for direct marketing by unsolicited electronic communications.
- Lodge a complaint with the Information Regulator.
- Institute civil proceedings (Sec 99).
5.2 Conditions for lawful processing
5.2.1 Accountability
The Responsible party must ensure that the conditions set out in the Act and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.
5.2.2 Processing Limitations
We will collect personal information directly from candidates or from social media platforms and websites. Once in our possession, we will only process or release candidate information with their consent, except where we are required to do so by law. In the latter case, we will always inform the candidate.
- Data subjects must consent
- Consent is necessary to the subject for the details of the third parties to be revealed.
- Processing compliance with an obligation imposed by law.
- Must process to protect the legitimate interest of data subject.
- For proper performance of public law duty by a public body.
- Pursue legitimate interest of other responsible party or third party to whom the information was supplied.
- Data subject may withdraw consent.
- Data subject may object on reasonable grounds.
5.2.3 Specific Purpose
Personal Information must be collected for a specific, explicitly defined and lawful purpose related to the function or activity of the responsible party. The data subject must be made aware of the purpose of the collection. AFA Consultants collects personal information from candidates to enable us to represent them to our clients for the purpose of recruitment/employment.
Records must not be retained any longer than is necessary for achieving the purpose for which it was collected unless:
- retention is required by agreement between the parties (AFA Consultants and Jobseeker);
- the data subject consents to the further retention.
Data subject candidates: By submitting your information and application, you hereby confirm:
- That you have read and understood our POPI Policy;
- That you have no objection to us retaining your personal information in our database for future matching;
- Should suitable opportunities arise we will contact you and request your consent to submit your CV to a specific client for a specific purpose;
- That the information you have provided to us is true, correct and up to date.
- Personal Information must be destroyed, deleted or de-identified as soon as is reasonably practical. Destruction or deletion must be done in a manner that prevents its reconstruction in an intelligible form.
- The information officer shall ensure that the information collected will not be used for any other purpose before obtaining the individual’s approval, unless the new purpose is required by law;
- The information officer shall ensure that a person collecting personal information will be able to explain to the individual why this is being done;
- The Information officer shall ensure that limited collection, limited use, disclosure, and retention principles are respected in identifying why personal information is to be collected.
5.2.4. Limiting collection and further processing
Further processing must be in accordance or compatible with the purpose for which the information was collected. Personal information may not be processed further in a way that is incompatible with the purpose for which the information was collected initially. We collect personal information for recruitment and verifications and the information will only be used for that purpose.
The Responsible Party shall ensure that personal information will not be collected indiscriminately, but by fair and lawful means, and be limited to what is necessary to fulfil the specific purpose for which the Personal Information is being collected.
Personal Information may only be processed if:
- the data subject consents to the processing;
- processing is necessary for recruitment or verifications to which the data subject is a party;
- there is a legal obligation to do the processing;
- processing protects the legitimate interests of the data subject;
- processing is necessary for the proper performance of a public law duty by a public body;
- processing is necessary for the pursuit of legitimate interests of the responsible party.
- A data subject may object, at any time, on reasonable grounds, to the processing of their PI. The responsible party may then no longer process the PI.
Personal Information can be collected directly from:
- the data subject/ candidate
- from recruitment databases
- the information is contained in a public record or has deliberately been made public by the data subject;
- the data subject has consented to the collection from another source;
- collection from another source would not prejudice a legitimate interest of the data subject;
- Collection from another source is necessary:
- to get a wide range of jobseekers from the public references
- reach as many candidates as possible
- Further processing must be compatible with the purpose for which it was collected, unless the data subject/candidate gives consent to the further processing
5.2.5. Information quality
Information must be complete, accurate, not misleading and updated where necessary. AFA Consultants is responsible for ensuring that candidate information is complete, up to date and accurate before we use it. This means that it may be necessary to request candidates, from time to time, to update their information and confirm that it is still relevant. If we are unable to reach a candidate for this purpose, their information will be deleted from our records.
5.2.6. Openness
Candidates are entitled to know particulars of their personal information held by us, as well as the identity of any authorised employees of our agency that had access thereto. They are also entitled to correct any information held by AFA Consultants.
Where personal information is collected from a source other than directly from a candidate (e.g. social media, portals), we are responsible for ensuring that the candidate is aware:
- That their information is being collected;
- Who is collecting their information by giving them our details;
- Of the specific reason that we are collecting their information.
AFA Consultants must take reasonably practicable steps to ensure the Data Subject is aware of:
- the information being collected;
- the name and address of the Responsible Party/Employer;
- the purpose for which the information is being collected;
- whether or not the supply of the information is voluntary;
- the right of access to and the right to rectify the information collected;
- the fact that, where applicable, the responsible party intends to transfer the information to a third country/international organisation and the level of protection afforded by that third country/organisation; and
- the right to object to the processing of the information
5.2.7. Security Safeguards
- The responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures.
We will ensure technical and organisational measures to secure the integrity of personal information, and guard against the risk of loss, damage or destruction thereof. Personal information must also be protected against any unauthorised or unlawful access or processing. We are committed to ensuring that information is only used for legitimate purposes with candidate consent and only by authorised employees of our agency.
Anyone processing candidates’ personal information on behalf of a responsible party/employer must:
- treat the information as confidential and not disclose it unless required by law;
- apply the same security measures as the responsible party;
- the processing must be governed by a written contract ensuring safeguards are in place; and
- if domiciled outside the Republic, comply with local protection of personal information laws.
The candidate or Data Subject may request the responsible party to:
- correct or delete the personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully;
- delete or destroy personal information that the responsible party is no longer authorised to retain;
- The Officer shall ensure that all AFA Consultants employees know the importance of keeping personal information confidential;
- The Officer shall ensure that care is taken when personal information is disposed of or destroyed to prevent unauthorized parties from gaining access to it;
- The responsible party should notify the data subject and the Regulator of any breach of data.
5.3. Information Regulator
- It has jurisdiction throughout the Republic;
- Is independent and is subject only to the Constitution;
- Must exercise its powers and perform its functions in accordance with the Act and the Promotion of Access to Information Act;
- Is accountable to the National Assembly;
- Enforces Offences and Penalties;
- Minor Offences imposed by the Regulator can be a fine and/or imprisonment up to 12 months;
- Major Offences imposed by the Regulator can be a fine and/or imprisonment up to 10 years.
6. AFA Consultants Information Officer Responsibilities
The core focus or duties of the Information Officer under POPIA will include, but not be limited to, the following:
- Encourage compliance with the information protection conditions in terms of Section 55 of POPIA;
- Developing, publishing and maintaining a POPIA Policy which addresses all relevant provisions of the POPIA Act;
- Reviewing the POPIA Act and periodic updates as published;
- Ensuring that POPIA Act induction training takes place for all staff;
- Ensuring that periodic communication awareness on POPIA Act responsibilities takes place;
- Ensuring that Privacy Notices for internal and external purposes are developed and published;
- Handling data subject access requests;
- Approving unusual or controversial disclosures of personal data;
- Approving contracts with Data Operators;
- Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information;
- Ensuring that appropriate Security Safeguards in line with the POPIA Act for personal information are in place
- Consider requests made pursuant to POPIA;
- Work with the Regulator in relation to investigations conducted pursuant to Chapter 6 against us;
- Identify and govern all privacy related risks
- Map all activities performed concerning the collection and storage of personal information i.e. before and post enactment of POPIA
- Map all privacy laws and industry codes relevant to our recruitment and verifications activities.
- If applicable, know, understand, and ensure corporate compliance with all relevant laws of foreign jurisdictions in which we conduct business.
- Coordinate the development, implementation, and maintenance of corporate customer (external) and employee (internal) privacy policies.
- Ensure compliance with corporate privacy policies and procedures throughout the body.
- Liaise with Human Resources and Legal Departments to ensure standards of disciplinary action and sanction for non-compliance.
- Liaise with Public Relations and Marketing Departments to create public information communications and procedures on privacy efforts, related issues and breaches.
- Create standards or scripts for responding to customer or public enquiries.
- Create and implement procedures and standards to facilitate customer verification of captured and stored personal information files.
- Monitor and control the privacy requirements and responsibilities of information processing service providers or operators in terms of sections 20 and 21 of POPIA.
- Manage breach and incident investigation processes
- Create and implement our privacy breach management plan, privacy alerts, and other privacy related operational issues.
- Create standards and procedures to manage any compromise in the security of the stored personal information correctly and appropriately.
- Investigate, analyse and document all privacy related incidents and complaints
- Apply investigation findings to update standards, processes and systems as an on-going operational improvement routine.
- Safeguarding client and debtor information.
It is a requirement of POPIA to adequately protect the Personal Information we hold and to avoid unauthorized access and use of your Personal information. We will continuously review our security controls and processes to ensure that your Personal Information is secure.
The following procedures are in place in order to protect the consumer’s Personal Information:
- The AFA Consultants information officer is Fadzai Kamungozi whose details are available below and who is responsible for compliance with the conditions of the lawful processing of personal information and other provisions of POPIA;
- This Policy has been put in place throughout AFA Consultants and training on this policy and the POPIA Act has already taken place.
- AFA Consultants did a risk assessment to determine where the risk to our candidates and clients lies.
- We have identified the relevant role players and appointed the correct people to safeguard your personal information. We have mapped our activities, recorded how to process lawfully and have implemented the correct action items.
- We have identified and have implemented the following:
- Incident Response Policy.
- Privacy Policy.
- PAIA Manual.
- POPIA Policy.
- Awareness Training and risk assessment.
- We have limited access to unstructured data.
- We have implemented access control.
- We have proper Non-Disclosure agreements and Service Level Agreements in place.
- We have security in place with regard to Memory Sticks, USB Ports, Mobile Devices and Shredders of documents
- Each new employee will be required to sign an Employment Contract containing relevant clauses for the use and storage of employee information, or any other action so required, in terms of POPIA.
- Every employee currently employed within AFA Consultants will be required to sign an addendum to the Employment Contracts containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPIA.
- Our Clients and third party service providers will be required to sign a Service Level Agreement guaranteeing their commitment to the Protection of personal Information.
- AFA Consultants captures all files electronically for back up purposes.
- All electronic files or data are backed up by IT who is also responsible for system security which protects third party access and physical threats.
- AFA Consultants IT is responsible for Electronic Information Security.
- A Security Incident Management Register will be kept to log any security incidents and to report on and manage said incidents. This register will be maintained by company directors.
- Consent to process candidates’ information is obtained from jobseekers.
- Scope
The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
9. Induction
- The documentation for staff is contained in this policy document and other materials made available by the Information Officer. AFA Consultants Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.
- Continuing training will provide opportunities for staff to explore POPIA Act issues through training, team meetings, and supervisions.
- Procedure for staff signifying acceptance of this policy: AFA Consultants will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPIA Act.
- Policy review.
- AFA Consultants’ Information Officer is responsible for reviewing this POPI policy.
- The AFA Consultants Information Officer will ensure all the relevant stakeholders are consulted as part of the policy review process
- Details of Information officer are as follows:
INFORMATION OFFICER DETAILS
NAME: Fadzai Kamungozi
TELEPHONE NUMBER: (010) 023 2651
PHYSICAL ADDRESS: 391 Main Avenue, Ferndale, Randburg, 2194
EMAIL ADDRESS: fadzai@afaconsultants.co.za