Privacy and personal information protection policy

The Protection of Personal Information Act

The Protection of Personal Information Act, 2013 (POPIA) is one of the most significant pieces of legislation affecting the way that Cloud on Demand carries out its information processing activities. Significant fines, and possible imprisonment, are applicable if a breach is deemed to have occurred under POPIA, which is designed to protect the personal information of citizens of South Africa. It is Cloud on Demand’s policy to ensure that our compliance with the POPI Act and other relevant legislation is clear and demonstrable at all times.


Definitions

There are a total of 33 definitions listed within Chapter 1 Section 1 – Definitions, and it is not appropriate to reproduce them all here. However, the most fundamental definitions with respect to this policy are as follows:

Information Officer “of, or in relation to, a—
(a) public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
(b) private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act.”

Operator means: “a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.”

Person means: “a natural person or a juristic person.”

Processing means: “any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including—
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.”

Personal information means: “information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—
(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
(b) information relating to the education or the medical, financial, criminal or employment history of the person;
(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
(d) the biometric information of the person;
(e) the personal opinions, views or preferences of the person;
(f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
(g) the views or opinions of another individual about the person; and
(h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.”

Regulator means: “the Information Regulator established in terms of section 39.”

Responsible party means: “a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.”


Basic principles relating to processing of personal information

All employees and persons acting on behalf of Cloud on Demand will at all times be subject to, and act in accordance with, the following guiding principles:


Principle 1: Accountability

Failing to comply with POPIA could potentially damage Cloud on Demand’s reputation or expose Cloud on Demand to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.

Cloud on Demand will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, Cloud on Demand will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.

Cloud on Demand has appointed an Information Officer who will be responsible for ensuring that the information protection principles within POPIA, and the controls that are in place to enforce them, are complied with.

Cloud on Demand takes reasonable steps to ensure that personal information obtained from data subjects is stored safely and securely.


Principle 2: Processing Limitation

Cloud on Demand will ensure that personal information under its control is processed:

  • In a fair, lawful, and non-excessive manner.
  • Only for a specifically defined purpose.

Cloud on Demand will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.


Principle 3: Purpose Specification

All of Cloud on Demand’s business units and operations must be informed by the principle of transparency.

Personal Information must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.

Cloud on Demand will process personal information only for specific, explicitly defined, and legitimate reasons.


Principle 4: Further Processing Limitation

Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where Cloud on Demand seeks to process personal information that it holds for a purpose other than the one for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, Cloud on Demand will first obtain additional consent from the data subject.


Principle 5: Information Quality

Personal Information must be accurate and, where necessary, kept up to date.

Cloud on Demand will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading.

The more important it is that the personal information be accurate (for example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the effort Cloud on Demand will put into ensuring its accuracy.


Principle 6: Openness

Cloud on Demand will take reasonable steps to notify data subjects that their personal information is being collected, including the purpose for which it is being collected and processed.

Cloud on Demand has established, and maintains, a “contact us” facility via the website for data subjects who want to:

  • Enquire whether Cloud on Demand holds related personal information, or
  • Request access to related personal information, or
  • Request Cloud on Demand to update or correct related personal information, or
  • Make a complaint concerning the processing of personal information.

The access mechanism will be further detailed in the Data Subject Access Request Procedure.


Principle 7: Security Safeguards

Cloud on Demand will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification, or destruction.

Security measures are applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.

Cloud on Demand continuously reviews its security controls, which includes regular testing of protocols and measures put in place to combat cyber-attacks on Cloud on Demand’s IT network.

Cloud on Demand securely stores all paper and electronic records comprising personal information, which is accessible only to authorised individuals.

All new employees are required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses are also included to reduce the risk of unauthorised disclosures of personal information for which Cloud on Demand is responsible.

All existing employees are, after the required consultation process has been followed, required to sign an addendum to their employment contracts containing the relevant consent and confidentiality clauses.

Cloud on Demand’s operators and third-party service providers are required to enter into service level agreements with Cloud on Demand where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.


Principle 8: Data Subject Participation

A data subject may request the correction or deletion of his, her or its personal information held by Cloud on Demand.

Cloud on Demand will ensure that it provides a facility for data subjects who want to request the correction or deletion of their personal information, by means of the email address DSR@Cloudondemand.co.za. The access mechanism will be further detailed in the Data Subject Access Request Procedure.

Cloud on Demand has included a link to unsubscribe from any of its electronic newsletters or related marketing activities.

When Cloud on Demand is acting as a Responsible Party, the Information Officer must take necessary actions (including technical measures) to inform the third parties who use or process that Personal Information to comply with the request.

In addition, the controller shall be responsible for, and be able to demonstrate compliance with all of these principles (‘accountability’).

Cloud on Demand must ensure that it complies with all these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems. The operation of an information security management system (ISMS) that conforms to the ISO/IEC 27001 international standard is a key part of that commitment.  


Fair processing guidelines

Personal Information must only be processed when explicitly authorised by the Information Officer.

The Company must decide whether to perform a Data Protection Impact Assessment for each data processing activity according to the Data Protection Impact Assessment Guidelines.


Rights of the individual

The data subject also has rights under POPIA. These consist of:

  • The right to be informed if Cloud on Demand is collecting personal information.
  • The right to request access to personal information.
  • The right to request correction of personal information.
  • The right to request erasure of personal information.
  • The right to request restriction of processing of personal information.
  • The right to request the transfer of personal information.
  • The right to object to processing of personal information.
  • The right to withdraw consent where Cloud on Demand is relying on consent to process the data subject’s information.
  • Rights in relation to automated decision making and profiling.

Each of these rights must be supported by appropriate procedures within Cloud on Demand that allow the required action to be taken within the timeframes defined below.

The agreed timeframes for Cloud on Demand are shown in Table 1.


| DATA SUBJECT REQUEST | TIMESCALE |
|---|---|
| The right to be informed | When data is collected (if supplied by data subject) or within one month (if not supplied by data subject) |
| The right to request access | One month |
| The right to request correction | One month |
| The right to request erasure | Without undue delay |
| The right to request restriction of processing | Without undue delay |
| The right to request transfer | One month |
| The right to object | On receipt of objection |
| The right to withdraw consent | On receipt of request |
| Rights in relation to automated decision making and profiling | Not specified |

Table 1: Timeframes for data subject requests


Notices to data subjects

At or before the time of collecting Personal Information for any kind of processing activity, including but not limited to selling products, services, or marketing activities, the Compliance Officer, together with the Deputy Information Officer, is responsible for properly informing Data Subjects of the following:

  • The types of Personal Information collected.
  • The purposes of the processing.
  • Processing methods.
  • The Data Subjects’ rights with respect to their Personal Information.
  • The retention period.
  • Potential international data transfers.
  • Whether data will be shared with third parties; and
  • The Company’s security measures to protect Personal Information.

This information is provided through the Privacy Notice.

If the Company has multiple data processing activities, it will need to develop different notices, which will differ depending on the processing activity and the categories of Personal Information.

Where personal information is being shared with a third party, the Compliance Officer, together with the Deputy Information Officer, must ensure that data subjects have been notified of this through a Privacy Notice.

Where personal information is being transferred to a third country according to the Cross Border Data Transfer Policy, the Privacy Notice should reflect this and clearly state where, and to which entity, personal information is being transferred.

Where sensitive personal information is being collected, the Information Officer must make sure that the Privacy Notice explicitly states the purpose for which this sensitive personal information is being collected.


Obtaining consent

Whenever Personal Information processing is based on the Data Subject’s consent (Data Subject Consent Form), or other lawful grounds, the Compliance Officer, together with the Deputy Information Officer, is responsible for retaining a record of such consent.

The Information Officer is responsible for providing Data Subjects with transparent information about our usage of their personal information at the time that consent is obtained, and for explaining their rights regarding their data, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

If the personal information is not obtained directly from the Data Subject, then this information must be provided within a reasonable period after the information is obtained and definitely within one month.


Requests to Correct, Amend or Destroy Personal Information Records

The Compliance Officer, together with the Deputy Information Officer, must ensure that these requests are handled within a reasonable time frame in accordance with the Data Subject Access Request Procedure. The Compliance Officer must also record the requests and keep a relevant log.


Additional Purpose

Personal Information must only be processed for the purpose for which it was originally collected. In the event that the Company wants to process collected Personal Information for another purpose, the Company must seek the consent of its Data Subjects in clear and concise writing. Any such request should include the original purpose for which data was collected, and also the new, or additional, purpose(s). The request must also include the reason for the change in purpose(s). The Information Officer is responsible for complying with the rules in this paragraph.

Now and in the future, the Information Officer must ensure that collection methods are compliant with relevant law, good practices, and industry standards.


Register

The Information Officer is responsible for creating and maintaining a Register of the Privacy Notices.


Privacy by design

Cloud on Demand has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal information will be subject to due consideration of privacy issues, including the completion of one or more privacy (also known as data protection) impact assessments.

The privacy impact assessment will include:

  • Consideration of how personal information will be processed and for what purposes
  • Assessment of whether the proposed processing of personal information is both necessary and proportionate to the purpose(s)
  • Assessment of the risks to individuals in processing the personal information
  • What controls are necessary to address the identified risks and demonstrate compliance with legislation

Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate.


Transfer of personal information

POPIA allows Personal Information transfers to a third country only if a set of conditions is fulfilled. These also include the conditions for onward transfer (transferring Personal Information from an Operator outside of the Republic of South Africa to another sub-operator based outside of the Republic of South Africa).

POPIA allows for Personal Information transfers to countries whose legal regime is deemed by the Regulator to provide for an “adequate” level of Personal Information protection.


Information Officer

The Information Officer is responsible for ensuring Cloud on Demand’s compliance with POPIA.

Where no Information Officer is appointed, the head of the Company will be responsible for performing the Information Officer’s duties.

Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties.

Deputy Information Officers can also be appointed to assist the Information Officer.


Breach notification

When the Company learns of a suspected or actual Personal Information breach, the Data Breach Response Team must perform an internal investigation and take appropriate remedial measures in a timely manner, according to the Data Breach Response and Notification Policy.

Where there is any risk to the rights and freedoms of Data Subjects, the Company must notify the relevant Regulator without undue delay and, when possible, within 72 hours. This will be managed in accordance with our Information Security Incident Response Procedure, which sets out the overall process of handling information security incidents.


Addressing compliance with POPIA

The following actions are undertaken to ensure that Cloud on Demand complies at all times with the accountability principle of POPIA:

  • The legal basis for processing personal information is clear and unambiguous.
  • An Information Officer is appointed with specific responsibility for information protection in the organisation.
  • All staff involved in handling personal information understand their responsibilities for following good information protection practices.
  • Training in information protection has been provided to all staff.
  • Rules regarding consent are followed.
  • Routes are available to data subjects wishing to exercise their rights regarding personal information and such enquiries are handled effectively.
  • Regular reviews of procedures involving personal information are carried out.
  • Privacy by design is adopted for all new or changed systems and processes.
  • The following documentation of processing activities is recorded:
    • Cloud on Demand and relevant details.
    • Purposes of the personal information processing.
    • Categories of individuals and personal information processed.
    • Categories of personal information recipients.
    • Agreements and mechanisms for transfers of personal information to non-South African countries, including details of controls in place.
    • Personal data retention schedules.
    • Relevant technical and organisational controls in place.

These actions will be reviewed on a regular basis as part of the management review process of the information security management system.


POPIA review

The Company’s Information Officer will schedule periodic POPIA Reviews.

The purpose of the POPIA Review is to:

  • Identify the processes used to collect, record, store, disseminate and destroy personal information.
  • Determine the flow of personal information throughout the Company, for instance across the Company’s various business units, divisions, branches, and other associated organisations.
  • Redefine the purpose for gathering and processing personal information.
  • Ensure that the processing parameters are still adequately limited.
  • Ensure that new data subjects are made aware of the processing of their personal information.
  • Re-establish the rationale for any further processing where information is received via a third party.
  • Verify the quality and security of personal information.
  • Monitor the extent of compliance with POPIA and this policy.
  • Monitor the effectiveness of internal controls established to manage the Company’s POPIA-related compliance risk as per the Policy Validity clause contained in this policy.

In performing the POPIA Review, Information Officers will liaise with line managers in order to identify areas within the Company’s operations that are most vulnerable or susceptible to the unlawful processing of personal information.

Information Officers are permitted direct access to and have demonstrable support from line managers and the Company’s governing body in performing their duties.


Obligations as a cloud service provider

In addition to holding personal information on our own account, Cloud on Demand also stores and processes the personal information of our cloud customers. In doing so, there are a number of additional obligations that must be fulfilled to allow our customers to stay within the law. Our policy in this area is informed by ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors which, as well as recommending specific enhancements to ISO/IEC 27001 controls, also provides the following policy guidance:

  • We must provide our customers with the facilities to meet their obligations under law in activities such as accessing, amending and erasing individuals’ PII
  • We must only use the cloud customer’s PII for their purposes, not our own
  • The customer must be informed if we are required by law to disclose any of their data, unless we are prohibited from doing so
  • Details of disclosures must be recorded
  • We must tell our customers if we use sub-contractors to process their PII
  • We must tell our customers if their PII is subject to unauthorized access
  • It must be clear in which country or countries the customer’s PII is stored