PROTECTION OF PERSONAL INFORMATION POLICY (St Monica’s)

PROTECTION OF PERSONAL INFORMATION POLICY1

This manual was prepared to address requirements of the Protection of Personal Information Act, 2013 (“POPIA”).

This manual applies to

ST MONICA’S DIOCESAN SCHOOL

Matatiele

June 2021 Revised (August 2023)

Registered office address:

44 Station Road, Matatiele, Eastern Cape, 4730

Board of Governors: Bishop T. Seleoane, Revd. Canon D. Lloyd–Jones (Chair), Miss B. Rooi, Rev. B. Lloyd-Jones, Mr L. Hlathuka, Mr N. Dlamini, Mr G. Roberts, Mr De Kock, (ex-officio), Mrs L. McIntyre - Bursar (ex-officio) 2023 EMIS: 200501569 - NPO. REG. NO. 148 – 970 - Accredited by UMALUSI – NO. 14SCH0100072

1 This Policy is based on the ISASA POPIA Guidelines available on the ISASA website https://www.isasa.org/


TABLE OF CONTENTS

  1. INTRODUCTION
  2. DEFINITIONS
  3. POLICY APPLICATION
  4. THE PRINCIPLES OF LAWFUL PROCESSING OF PERSONAL INFORMATION
  5. PROCESSING SPECIAL PERSONAL INFORMATION AND THE INFORMATION OF CHILDREN
  6. DATA SUBJECT PARTICIPATION
  7. SECURITY SAFEGUARDS
  8. SPECIFIC DUTIES AND RESPONSIBILITIES OF SCHOOL’S POPIA TEAM
  9. POPIA AUDIT
  10. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE
  11. POPIA COMPLAINTS PROCEDURE
  12. DISCIPLINARY ACTION
  13. CAUTION TO PARENTS/GUARDIANS/CAREGIVERS
  14. ANNEXURES ATTACHED:

APPROVALS

Description: Approval
Name: Graham Roberts
Title: Principal
Signature:
Date: 30 June 2021, updated August 2023

REVISION RECORD

Revision: 1
Description: Issued for Approval
Date: 1 August 2023


1. INTRODUCTION

1.1 Background

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. This right to privacy includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. The Protection of Personal Information Act, 2013 (“POPIA”) is South Africa’s data protection law.2

1.2 Purpose

POPIA is intended to promote the protection of personal information processed by public and private bodies and establish minimum requirements for the processing of personal information in a context-sensitive manner. This Policy is intended to facilitate the responsible processing of personal information received by the School in accordance with the right to privacy of data subjects (pupils, parents, employees and other stakeholders).

1.3 Applicability

As an educational institution, St Monica’s Diocesan School (“the School”) is necessarily involved in the processing of the personal information of pupils, parents, employees and other stakeholders for administrative and other purposes. In accordance with the provisions of POPIA, the School is committed to effectively managing, collecting, handling, and disposing of personal information.

1.4 Details of the School

Street address of the School: 44 Station Road, Matatiele, Eastern Cape, 4730

Telephone number of the School: 039 737 4053

E-mail address of the School: info@stmonicas.za.net/staging

Information Officer at inception of Policy (contact in writing): Graham Roberts, head@stmonicas.za.net/staging

Deputy Information Officers at inception of Policy (contact in writing): Lisa McIntyre, bursar@stmonicas.za.net/staging

1.5 Objectives

1.5.1 To safeguard the personal information held by the School from threats, whether internal or external, deliberate or accidental, thus protecting the right to privacy of all data subjects.

1.5.2 Protecting the School’s records and information to ensure the continuation of the day to day running of the School.

1.5.3 Regulating the way personal information is processed by the School and stipulating the purpose for which information collected is used.

1.5.4 Appointing Information Officers to ensure respect for and to promote, enforce and fulfil the rights of data subjects.

1.5.5 To protect the School from the compliance risks associated with the protection of personal information which includes:

a) breaches of confidentiality where the School could suffer a loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately;

b) failing to offer a choice, including the choice where all data subjects should be free to decide how and for what purpose the School may use information relating to them; and

c) any instances of any reputational damage where the School could suffer a decline in its reputation, or its good name is impugned through the actions of another party who disseminates or has gained unauthorised access to any personal information of the School’s data subjects.

2 A copy of POPIA can be obtained here: https://popia.co.za/act/

2. DEFINITIONS

The following definitions in the POPIA are key in determining what activities undertaken by education institutions will be affected by the Policy:

Child Means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.

Consent Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

Data subject This refers to the natural or juristic person to whom personal information relates, such as individual pupils, parents, employees or a company that supplies the School with services, products or other goods.

De-Identify Means to delete any information that identifies a data subject, or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.

Direct Marketing Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:
  • promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
  • requesting the data subject to make a donation of any kind for any reason.

Filing System Means any structured set of personal information, whether centralized, decentralized or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

Identifier Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

Information Officer The Information Officer is responsible for ensuring the organization’s compliance with POPIA, but it is ultimately the Head of the School who is responsible for ensuring that the Information Officer’s duties are performed. Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties.

Operator An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with the organization and whose service requires access to personal information of pupils, parents and employees. (When dealing with an operator, it is considered good practice for a responsible party to include an indemnity clause.)

Personal Information Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:
  • race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; or
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

Private Body Means -
  a) a natural person who carries or has carried on any trade, business or profession, but only in such capacity;
  b) a partnership which carries or has carried on any trade, business, or profession; or
  c) any former or existing juristic person but excludes a public body.

Processing The act of processing information includes any activity or any set of operations, whether by automatic means, concerning personal information and includes:
  • the collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, as well as any restriction, degradation, erasure, or destruction of information.

Record Means any recorded information, regardless of form or medium, including:
  • writing on any material;
  • information produced, recorded or stored by means of any recording equipment, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
  • label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
  • book, map, plan, graph, or drawing; or
  • photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.

Re-Identify In relation to personal information of a data subject, means to resurrect any information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.

Responsible Party The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. The School is the responsible party.

3. POLICY APPLICATION

This policy and its guiding principles apply to all sections of St Monica’s Diocesan School.

a. Who is Responsible for Compliance?

i. The Head of School

a) The Head of School is automatically deemed to be the Information Officer in accordance with the provisions of POPIA but may delegate their duties to a Deputy Information Officer(s). Duties of the Information Officer are as follows:

(i) the encouragement of compliance by the School with the conditions for the lawful processing of personal information;

(ii) dealing with requests made to the School pursuant to POPIA;

(iii) working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA (Prior Authorisation) in relation to the School;

(iv) ensuring that a compliance framework is developed, implemented, monitored and maintained;

(v) monitoring and implementing Codes of Conduct issued by the Information Regulator; and

(vi) otherwise ensuring compliance by the School with the provisions of POPIA.

ii. All employees

a) Both permanent and temporary staff, staff working on a contract basis for the School, coaches, volunteers, and others who are authorised to access personal data held by the School.

b) All contractors, suppliers and other persons acting on behalf of the organisation.


b. Compliance with this Policy

i. The Information Officer, Deputy Information Officer(s), and staff are responsible for adhering to this Policy, including:

a) The development and upkeep of this policy;

b) Ensuring this policy is supported by appropriate documentation, such as procedural instructions.

c) Ensuring that documentation is relevant and kept up to date;

d) Ensuring this policy and subsequent updates are communicated to the Board of Governors, staff and parents where applicable;

e) Ensuring that the School’s Board of Governors, the School’s employees, volunteers, contractors, suppliers and any other persons acting on behalf of the School have familiarised themselves with this Policy’s requirements and undertake to comply with the stated processes and procedures; and

f) Reporting any security breaches or incidents to the Information Officer.

c. Scope of Policy

This Policy applies to personal information collected by the School in connection with the services it offers. This includes information collected by the School, at its premises, offline through the School’s telephone lines, and online through the School’s websites, branded pages on third-party platforms and applications accessed or used through such websites or third-party platforms which are operated by or on behalf of the School. This policy is hereby incorporated into and forms part of the terms and conditions of use of the applicable School web sites and other social media platforms. The provisions of the Policy are applicable to both on and off-site processing of personal information. Non-compliance with this policy may result in disciplinary action and possible termination of employment or mandate, where applicable.

4. THE PRINCIPLES OF LAWFUL PROCESSING OF PERSONAL INFORMATION

a. The School undertakes to lawfully process personal information by ensuring compliance with the following eight guiding principles:

i. To assign responsibility to designated persons for lawful processing of information.

(a) The School must assign and register the Information Officer and Deputy Information Officers who will ensure that personal information is collected and processed in accordance with POPIA. These persons will oversee and manage the School’s compliance with POPIA and will furthermore handle all requests made by learners, parents, staff and all relevant stakeholders, for access to information.

(b) The designated persons will ensure that the School takes appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the responsibilities outlined in this policy.


ii. To only collect data needed for legitimate purposes

Personal information must be collected for a specific, explicitly defined, and lawful purpose.3 Therefore, the School will always determine the purposes for which the personal information was collected.

iii. To ensure it has a legal basis for processing (Justification)

Once the purpose for processing the personal information has been determined, the lawfulness of the processing activity must be assessed.4 All processing activities must have a legal basis. POPIA provides several justifications for processing activities:

a) Personal information may be processed to conclude or perform in terms of a contract;5

b) Personal information may be processed to comply with an obligation imposed by law;6

c) Personal information may be processed to protect a legitimate interest of the data subject;

d) Personal information may be processed to ensure proper performance of a public law duty by a public body;

e) Personal information may be processed to ensure the legitimate interest of the responsible party or of a third party;7

f) Personal information may be processed with the consent of the data subject or a competent person where the data subject is a child. Consent must be voluntary, specific, explicit, informed and the data subject has the right to withdraw consent at any time.

iv. To use the information in a way that matches the purpose of collection

The processing must be necessary to fulfil the purpose of the collection and it must be the least invasive way to achieve that purpose. Any further processing of personal information (for a secondary purpose) by the School must be upon the consent obtained from the relevant data subject.

v. To ensure that the information is accurate and regularly updated

The School must ensure that the personal information being processed is regularly updated. This means that the School must maintain the quality of the personal information and as such all personal information must be kept reliable, accurate, up-to-date and relevant to the purposes for which it was collected.8

3 Section 13(1) (Collection for specific purpose).

4 Section 11(1) (Justification).

5 For example, an employment contract or a parent contract.

6 For example, complying with reporting requirements imposed by the Department of Basic Education or labour legislation.

7 For example, enforcement of legal claims including debt collection or preventing fraud or misuse of services.

8 For example, residential addresses, contact details, service level agreements.


vi. To ensure that information is processed in a fair and transparent manner

Schools are to ensure that data subjects are aware of the specific personal information held about them by the School and the purpose for which the information is being collected.

vii. Information Security9

The School must take reasonable security steps to protect the integrity of the information and safeguard personal information collected by it against:

a) Damage;

b) Loss;

c) Loss of access;

d) Unauthorised destruction;

e) Unauthorised access; and

f) Unauthorised use.

viii. Store the information only as long as required

The retention of all personal information by the School will be guided by all relevant and applicable laws, regulations, and policies. Furthermore, all personal information may only be kept for as long as it is required to fulfil the purpose for which it was collected. The School will ensure that all personal information is destroyed, deleted or de-identified as soon as it becomes irrelevant, outdated and/or upon the request of a data subject. This process shall render the data irretrievable.

ix. Uphold data subjects' rights by providing access and corrections to the information

The School is to ensure that there are accessible processes in place to ensure that properly identified data subjects have the right to access related personal information and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated.

9 Section 19 (Security measures on integrity and confidentiality of personal information).

5. PROCESSING SPECIAL PERSONAL INFORMATION AND THE INFORMATION OF CHILDREN

a. The School undertakes to lawfully process ‘special personal information’

i. Special personal information is information that relates to:

a) Religious beliefs;

b) Philosophical beliefs;

c) Race;

d) Ethnicity;

e) Trade union membership;

f) Political persuasion;

g) Health;

h) Biometric information; or

i) allegations of criminal behaviour or information that relates to criminal proceedings; or

j) Personal information about children is also a special category of information.

ii. For the processing of ‘special personal information’ to be lawful, the processing must be justified on one of the grounds discussed in part C, above, and a ground set out in this section below.

b. General justifications for the processing of special personal information:

i. The establishment, exercise or defence of a right in law;

ii. International public law;

iii. Historical, statistical, or research purposes;

iv. The information has deliberately been made public by the data subject;

v. The data subject gave consent; and

vi. The information may be processed for health reasons.

c. Processing the information of children must be justified

i. Personal information of children may be processed by the School only if:

a) The parent or guardian consents to the processing of the child’s personal information;10

b) Processing is necessary for compliance with an obligation imposed by law;

c) Processing is necessary to comply with an obligation imposed in terms of international public law;

d) Processing is for historical, statistical, or research purposes; or

e) Personal information was deliberately made public by the child with the consent of the child’s parent(s) or guardian(s).

10 Consent must be informed and voluntary; therefore, the parent or guardian must: a. clearly understand why and for what purpose his or her personal information is being collected; and b. grant the School explicitly written or verbally recorded consent.


6. DATA SUBJECT PARTICIPATION

a. Rights of the Data Subject

i. In order to ensure that data subjects are made aware of the rights conferred upon them by POPIA,11 the School notes for the purposes of this Policy that data subjects have, amongst others, the right to:

a) Be notified that personal information about them is being collected;12

b) Request access to, the correction of, or the deletion of any Personal Information held by the School using the form attached hereto as Annexure “A” to this Policy;13

c) Withdraw consent to process their personal information in terms of the Form attached hereto as Annexure “A”;

d) Lodge a complaint concerning the processing of their personal information in terms of the Form attached hereto as Annexure “B”;

e) Object, on reasonable grounds, to the processing of their personal information;14

f) Object to the processing of their personal information at any time for purposes of direct marketing;15

g) Be notified that their personal information has been accessed or acquired by an unauthorised person;16

h) Submit a complaint to the Information Regulator regarding the alleged interference with the protection of their personal information; and

i) Institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.17

11 Section 5 of POPIA. When a minor turns 18, the rights belong directly to him or her, unless it is stipulated to the contrary in other legislation.

12 Section 18 of POPIA.

13 Sections 23 and 24 of POPIA.

14 Section 11(3)(a) of POPIA.

15 Section 11(3)(b) of POPIA.

16 Section 22 of POPIA.

17 Section 99 of POPIA.

b. Processes to vindicate the rights of Data Subject

i. The School will uphold the rights of the data subject by ensuring that it:

a) Does not collect data unnecessarily;

b) Implements this Policy in respect of processing personal information;

c) Does not retain records of personal information longer than it is necessary for achieving the purpose for which the personal information was collected, or as may be prescribed in terms of a law or contract, or with the consent of the data subject;

d) Trains staff on the obligations imposed by POPIA when they process personal information;

e) Ensures that personal information is securely stored;

f) Has complete control over personal information kept at the School;

g) Keeps a catalogue system to assist the School to address requests for access to personal information by data subjects;

h) Destroys and/or deletes Personal Information; this will be conducted in a manner that prevents its reconstruction or reidentification;

i) Informs data subjects about the use of a CCTV on the premises;

j) Informs the data subject if it collects personal information for marketing or advertising purposes and provides an opportunity for them to object;

k) In the case of an access breach to the personal information under the control of the School, the School will notify the data subject and the Information Regulator in writing as soon as reasonably possible after the discovery of the access breach to the personal information via either:

(ii) mail at the last known physical or postal address;

(iii) e-mail to the last known e-mail address;

(iv) publishing a notice on the School website; or

(v) publishing a notice in the news media, and

(vi) where applicable, the School will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

c. Rights of the School

i. Please note that the School may lawfully process personal information without obtaining consent from a data subject if the processing of the personal information:

a) Is necessary for pursuing the legitimate interest of the School or of a third party to whom the information is given;

b) Protects a legitimate interest of a data subject;

c) Is necessary to conclude or perform a contract to which a data subject is a party; or

d) Complies with an obligation imposed by law.

7. SECURITY SAFEGUARDS

i. The School, in order to ensure that all personal information is adequately protected, shall take steps to:

a) Implement security controls in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction;

b) Apply security measures in a context-sensitive manner;

c) Continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the School’s IT network;

d) Ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals;

e) Ensure that all new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information;18

f) Ensure that all existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses; and

g) Ensure that all the School’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.

18 Confidentiality clauses will also be included to reduce the risk of unauthorized disclosures of personal information for which the School is responsible.

8. SPECIFIC DUTIES AND RESPONSIBILITIES OF SCHOOL’S POPIA TEAM

a. Information Officer (and/or Deputy Information Officer/s)

i. The School’s Information Officer (or delegated Deputy Information Officer/s) is responsible for:

a) Keeping the Management Team and/or Board of Governors and/or Board of Trustees of the School updated about the School’s responsibilities under POPIA;

b) Continually analysing POPIA regulations and/or notices issued by the Information Regulator in order to align these with this Policy and procedures thereto;

c) Ensuring that POPIA Audits are scheduled and conducted on a quarterly basis;

d) Ensuring that the School has accessible processes in place that make it convenient for data subjects who want to update their personal information or submit POPIA related complaints to the School;

e) Approving any contracts entered into with operators, employees and other third parties which may have an impact on the Personal Information held by the School;

f) Overseeing the amendment of the School’s employment contracts and other service level agreements;

g) Ensuring that employees and other persons acting on behalf of the School are fully aware of the risks associated with the processing of personal information and that they remain informed about the School’s security controls;

h) Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the School;

i) Addressing employees’ POPIA related questions;

j) Addressing all POPIA related requests and complaints;

k) Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter;

l) Ensuring that the School’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards;

m) Ensuring that all electronically held personal information is kept only on designated drives and servers;

n) Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software;

o) Approving and maintaining the protection of personal information statements and disclaimers that are displayed on the School’s websites, including those attached to communications such as emails and electronic newsletters;

p) Addressing any personal information protection queries from journalists or media outlets such as newspapers; and

q) Where necessary, working with persons acting on behalf of the School to ensure that any outsourced marketing initiatives comply with POPIA.

b. Employees and other persons acting on behalf of the School

i. Employees and other persons acting on behalf of the School will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain pupils, parents, suppliers and other employees.
Employees and other persons acting on behalf of the School are required to treat personal information as a confidential business asset and to respect the privacy of data subjects in the following manner:

a) Employees and other persons acting on behalf of the School may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the School or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties;

b) Employees and other persons acting on behalf of the School must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information;

c) Employees and other persons acting on behalf of the School will only process Personal Information where:

(i) the data subject, or a competent person where the data subject is a child, consents to the processing; or

(ii) the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or

(iii) the processing complies with an obligation imposed by law on the responsible party; or

(iv) the processing protects a legitimate interest of the data subject; or

(v) the processing is necessary for pursuing the legitimate interests of the School or of a third party to whom the information is supplied.

c. Employees and other persons acting on behalf of the School will under no circumstances:
i. Process or have access to Personal Information where such processing or access is not a requirement to perform their respective work-related tasks or duties;
ii. Save copies of Personal Information directly to their own private computers, laptops or other mobile devices like tablets or smartphones. All personal information must be accessed and updated from the School’s administrative system and central database on dedicated servers;
iii. Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure; or
iv. Transfer personal information outside of South Africa without the express permission from the Information Officer.

d. Employees and other persons acting on behalf of the School are responsible for:
i. Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy;
ii. Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created;
iii. Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons;
iv. Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks;
v. Ensuring that where personal information is stored on removable storage media such as external drives, CDs or DVDs that these are kept locked away securely when not being used;
vi. Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet;
vii. Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer;
viii. Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the parent or customer phones or communicates via email;
ix. Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner;
x. Undergoing POPIA Awareness training from time to time; and
xi. Reporting any suspicious activity, security breach, interference, modification, destruction or the unsanctioned disclosure of personal information, immediately to the Information Officer.

9. POPIA AUDIT

i. The School’s Information Officer will schedule periodic POPIA Audits.
ii. The purpose of a POPIA audit is to:
a) Identify the processes used to collect, record, store, disseminate and destroy personal information;
b) Determine the flow of personal information throughout the School. For instance, the transfer of information from one section of the School to another;
c) Redefine the purpose for gathering and processing personal information;
d) Ensure that the processing parameters are still adequately limited;
e) Ensure that new data subjects are made aware of the processing of their personal information;
f) Re-establish the rationale for any further processing where information is received via a third party;
g) Verify the quality and security of personal information;
h) Monitor the extent of compliance with POPIA and this policy;
i) Monitor the effectiveness of internal controls established to manage the School’s POPIA related compliance risk; and
j) Liaise with line managers in order to identify areas within the School’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.

10. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

Access to information requests can be made by email, addressed to the Information Officer in a form substantively similar to Annexure “A”. Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any Personal Information. All requests will be processed and considered against this Policy. The Information Officer will process all requests within a reasonable time.


11. POPIA COMPLAINTS PROCEDURE

i. Data subjects have the right to lodge a written complaint with the School in instances where there is any reason to believe that their rights under POPIA have been infringed upon. The School takes all complaints very seriously and will address all POPIA related complaints in accordance with the following procedure:
a) POPIA complaints must be submitted to the School in writing in a form substantively similar to Annexure “B”;
b) Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 3 working days;
c) The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days;
d) The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner;
e) In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA;
f) The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the School’s data subjects;
g) Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer the affected data subjects and the Information Regulator will be informed of this breach; and
h) The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the School’s Information Officer within 7 working days of receipt of the complaint;
i) In all instances, the School will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines;
j) The Information Officer’s response to the data subject may comprise any of the following:
(i) a suggested remedy for the complaint;
(ii) a dismissal of the complaint and the reasons as to why it was dismissed; or
(iii) an apology (if applicable) and any disciplinary action that has been taken against any employees involved; and
(iv) the Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPIA related complaints.


ii. Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to lodge a complaint with the Information Regulator.

12. DISCIPLINARY ACTION

i. Where a POPIA complaint or a POPIA infringement investigation has been finalised, the School may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy. In the case of ignorance or minor negligence, the School will undertake to provide further awareness training to the employee. Any gross negligence or the willful mismanagement of personal information will be considered a serious form of misconduct for which the School may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.
ii. Examples of immediate actions that may be taken after an investigation include:
a) A recommendation to commence with disciplinary action.
b) A referral to appropriate law enforcement agencies for criminal investigation.
c) Recovery of funds and assets to limit any prejudice or damages caused.

13. CAUTION TO PARENTS/GUARDIANS/CAREGIVERS

i. While laws apply to what the School and third parties can disclose about learners, they do not apply to what learners or their parents might disclose publicly, which means the parent and the child also have a responsibility to protect the child’s privacy. What a parent and/or his/her child posts on social media, for example, could be used by others, including private companies and law enforcement in some cases, and is not protected by POPIA.
ii. Parents and learners must understand and use the privacy tools on any website or app that the School or they use, for School or at home, to limit who can view or access their information. That includes having strong, secure and unique passwords and being sure never to post anything online that they wouldn’t want to be shared with others, including law enforcement, the School, tertiary institutions and current or future employers.

14. ANNEXURES ATTACHED:

a. Annexure A Forms 1 to 3 (Access/Correction/Deletion/Destruction/Objection Request Forms)
b. Annexure B POPIA Complaint Form
c. Annexure POPI Parental Consent Form
d. Annexure POPI Employee Consent and Confidentiality Clause
e. Annexure POPI Service Provider Agreement


ANNEXURE A: FORMS 1 TO 3

(ACCESS, CORRECTION, DELETION, DESTRUCTION, OBJECTION REQUEST FORMS)


Form 1

REQUEST FOR ACCESS TO RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 23(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

The following information is required to help us give an accurate response to your enquiry. Please complete this form and return it with the additional information referred to below by delivery to the Responsible Party’s offices or email to the Responsible Party’s Information Officer (email address can be found at the end of this form).

Note:
1. Affidavits, powers of attorney, identification documentation and/or other documentary evidence as applicable in support of the request must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
3. *Complete as is applicable.
4. Each page of this completed Form 1 must be initialed and Part 4 must be signed in full.

PART 1: YOUR REQUEST

A DETAILS OF THE DATA SUBJECT

Title
Surname
Maiden name (if applicable)
Forename(s)
Identification number
Passport number (if not a South African citizen)
Address
Telephone number
Email address
Other name(s) by which you have been known, if applicable
Are you the data subject? Please tick either Y or N
YES / NO
Relationship to the Responsible Party – for example, employee, ex-employee, third party doing or having done business with the Responsible Party, etc.

B DETAILS OF THE RESPONSIBLE PARTY

Name and Surname / Registered Name of Responsible Party
Address (Residential, Postal or Business Address)
Contact Numbers:
Email Address:

C ACCESS REQUEST DETAILS

Please provide a detailed description of your request. Include any information which will enable us to locate your personal data and comply with your request.

PART 2. PROOF OF IDENTITY

The Protection of Personal Information Act (POPIA) requires the Responsible Party to satisfy itself as to the identity of the person making the request.

Where you are making a request for access to your personal data, please send the following to the Information Officer:
• Certified copies of two forms of proof of identity (for example, passport, ID document, driving licence)
• Proof of address (for example, a recent utility bill) which must match the address you have given on the form for applications.

Where you are making a request for access to another data subject’s personal data, please send the following to the Information Officer:
• Certified copy of one form of proof of identity (for example, passport, ID document, driving licence)
• Original signed affidavits/written authority of the data subject
• If it is not possible to provide written authority, please provide other evidence - for example, a power of attorney

If you are not able to supply this documentation, please contact us to discuss alternative proof of identity arrangements. If the Responsible Party is unable to satisfy itself as to your identity from the documentation you send us, we will contact you as soon as possible. Additionally, the Responsible Party reserves the right to undertake electronic ID checks on legal identity documentation provided, and the data subject consents thereto.


We will make every effort to deal with your request and, where applicable, provide you with copies of the information and other information to which you are entitled. You may request St Monica’s to confirm, free of charge, whether or not it holds personal information about you. However, where you request a copy of the records themselves, or descriptions of personal information held about you (including information about the identity of all third parties or categories of third parties) who have, or have had, access to the information, or where we believe that any requests are excessive, we reserve the right to charge a reasonable fee. The fee will be communicated in writing for acceptance prior to providing the services. We also reserve the right to request you to pay a deposit in respect of such fee. Where we believe that the request is manifestly unfounded, we reserve the right to refuse to act on your request.

If following our response to your request you have any further requests that you wish to make (for example, that we rectify or erase any personal data that we are holding about you), please complete the relevant forms provided. You will not need to provide us with forms of identification for any further request made within three months of this initial request.

For more detailed explanations of these and other data subjects’ rights, see:
• https://stmonicas.za.net/
• https://popia.co.za/section-5-rights-of-data-subjects/

PART 3: DECLARATION

I certify that the information given on this application form is true and accurate. I understand that it is necessary for the Responsible Party to confirm my/the data subject’s identity and it may be necessary for them to obtain more detailed information in order to locate the correct personal data. I understand that the response period will be within a reasonable time and will not commence until the Responsible Party is satisfied in this regard and has received the ID requirements stipulated on this form. I enclose the requested form(s) of identification and, if I am not the data subject, I enclose evidence of my identity and written authority or other documents as described above.

Signature: ........................................................................................ Date: .............................................................................................

PART 4: DELIVERY OF COMPLETED FORMS, IDENTIFICATION AND OTHER SUPPORTING DOCUMENTATION

Please deliver the completed forms, identification and supporting documentation to:
The Information Officer
Physical address: 44 Station Road, Matatiele, Eastern Cape, 4730
Email address: secretary@stmonicas.za.net/staging
Mr G. Roberts (Principal and Information Officer) – head@stmonicas.za.net/staging

Form 2

REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION OR DESTROYING OR DELETION OF RECORD OF PERSONAL INFORMATION IN TERMS OF SECTION 24(1) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

Note:
1. Affidavits, powers of attorney, identification documentation and/or other documentary evidence as applicable in support of the request must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
3. *Complete as is applicable.
4. Each page of this completed Form 2 must be initialed and Part 4 must be signed in full.

Mark the appropriate box with an "x".

Request for:

*Correction or deletion of the personal information about the data subject which is in possession or under the control of the responsible party.

*Destroying or deletion of a record of personal information about the data subject which is in possession or under the control of the responsible party and who is no longer authorized to retain the record of information.

The following information is required to help us give an accurate response to your enquiry. Please complete this form and return it with the additional information referred to below by delivery to the Responsible Party’s offices or email to the Information Officer (email address can be found at the end of this form).

PART 1: REQUEST

A DETAILS OF THE DATA SUBJECT

Title
Surname
Maiden name (if applicable)
Forename(s)
Identification number
Passport number (if not a South African citizen)
Address
Telephone number
Email address
Other name(s) by which you have been known, if applicable
Are you the data subject? Please tick either Y or N
YES / NO
Relationship to the Responsible Party – for example, employee, ex-employee, third party doing or having done business with the Responsible Party, etc.

B DETAILS OF THE RESPONSIBLE PARTY

Name and Surname / Registered Name of Responsible Party
Address (Residential, Postal or Business Address)
Contact Numbers:
Email Address:

C INFORMATION TO BE CORRECTED / DELETED / DESTROYED

Please provide a detailed description of your request regarding information to be corrected, deleted and/or destroyed.

D REASONS

Please provide reasons for:
*Correction or Deletion of the Personal Information about the data subject in terms of S24(1)(a) which is in the possession of, or under the control of the Responsible Party; OR
*Destruction or deletion of a record of Personal Information about the data subject in terms of S24(1)(b) which the Responsible Party is no longer authorized to retain.
(Please provide detailed reasons for the request)


PART 2. PROOF OF IDENTITY

The Protection of Personal Information Act (POPIA) requires the Responsible Party to satisfy itself as to the identity of the person making the request.

Where you are making a request for correction, deletion and/or destruction of, or to your personal data, please send the following to the Information Officer:
• Certified copies of two forms of proof of identity (for example, passport, ID document, driving licence)
• Proof of address (for example, a recent utility bill) which must match the address you have given on the form for applications.

Where you are making a request for correction, deletion and/or destruction of, or to another data subject’s personal data, please send the following to the Information Officer:
• Certified copy of one form of proof of identity (for example, passport, ID document, driving licence)
• Original signed affidavits/written authority of the data subject
• If it is not possible to provide written authority, please provide other evidence - for example, a power of attorney

If you are not able to supply this documentation, please contact us to discuss alternative proof of identity arrangements. If the Responsible Party is unable to satisfy itself as to your identity from the documentation you send us, we will contact you as soon as possible. Additionally, the Responsible Party reserves the right to undertake electronic ID checks on legal identity documentation provided, and the data subject consents thereto.

We will make every effort to deal with your request and, where applicable, provide you with copies of the information and other information to which you are entitled. You may request the Responsible Party to confirm, free of charge, whether or not it holds personal information about you. Where we believe that any requests are excessive, we reserve the right to charge a reasonable fee. The fee will be communicated in writing for acceptance prior to providing the services. We also reserve the right to request you to pay a deposit in respect of such fee. Where we believe that the request is manifestly unfounded, we reserve the right to refuse to act on your request.

For more detailed explanations of these and other data subjects’ rights, see:
• https://stmonicas.za.net/
• https://popia.co.za/section-5-rights-of-data-subjects/

PART 3: DECLARATION

I certify that the information given on this application form is true and accurate. I understand that it is necessary for the Responsible Party to confirm my/the data subject’s identity and it may be necessary for them to obtain more detailed information in order to locate the correct personal data. I understand that the response period will be within a reasonable time and will not commence until the Responsible Party is satisfied in this regard and has received the ID requirements stipulated on this form. I enclose the requested form(s) of identification and, if I am not the data subject, I enclose evidence of my identity and written authority or other documents as described above.

Signature: ........................................................................................
Date: .............................................................................................

PART 4: DELIVERY OF COMPLETED FORMS, IDENTIFICATION AND SUPPORTING DOCUMENTATION

Please deliver the completed forms, identification and supporting documentation to:
The Information Officer
Physical address: 44 Station Road, Matatiele, Eastern Cape, 4730
Email address: head@stmonicas.za.net/staging / secretary@stmonicas.za.net/staging

Form 3

OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION IN TERMS OF SECTION 11(3) OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013 (ACT NO. 4 OF 2013)

Note:
1. Affidavits, powers of attorney, identification documentation and/or other documentary evidence as applicable in support of the request must be attached.
2. If the space provided for in this Form is inadequate, submit information as an Annexure to this Form and sign each page.
3. *Complete as is applicable.
4. Each page of this completed Form 3 must be initialed and Part 4 must be signed in full.

The following information is required to help us give an accurate response to your enquiry. Please complete this form and return it with the additional information referred to below by delivery to the Responsible Party’s offices or email to the Information Officer (email address can be found at the end of this form).

PART 1: REQUEST

A DETAILS OF THE DATA SUBJECT

Title
Surname
Maiden name (if applicable)
Forename(s)
Identification number
Passport number (if not a South African citizen)
Address
Telephone number
Email address
Other name(s) by which you have been known, if applicable
Are you the data subject? Please tick either Y or N
YES / NO
Relationship to the Responsible Party – for example, employee, ex-employee, third party doing or having done business with the Responsible Party, etc.

B DETAILS OF THE RESPONSIBLE PARTY

Name and Surname / Registered Name of Responsible Party
Address (Residential, Postal or Business Address)
Contact Numbers:
Email Address:

C REASONS FOR OBJECTION IN TERMS OF SECTION 11(1)(d) to (f)

(Please provide detailed reasons for the objection)

Please provide a detailed description of your objection

PART 2. PROOF OF IDENTITY

The Protection of Personal Information Act (POPIA) requires the Responsible Party to satisfy itself as to the identity of the person making the request.

Where you are objecting to the Responsible Party’s processing of your personal data, please send the following to the Information Officer:
• Certified copies of two forms of proof of identity (for example, passport, ID document, driving licence)
• Proof of address (for example, a recent utility bill) which must match the address you have given on the form for applications.

Where you are objecting to the Responsible Party’s processing of another data subject’s personal data, please send the following to the Information Officer:
• Certified copy of one form of proof of identity (for example, passport, ID document, driving licence)
• Original signed affidavits/written authority of the data subject
• If it is not possible to provide written authority, please provide other evidence - for example, a power of attorney

If you are not able to supply this documentation, please contact us to discuss alternative proof of identity arrangements. If the Responsible Party is unable to satisfy itself as to your identity from the documentation you send us, we will contact you as soon as possible. Additionally, the Responsible Party reserves the right to undertake electronic ID checks on legal identity documentation provided, and the data subject consents thereto.

We will make every effort to deal with your request and, where applicable, provide you with copies of the information and other information to which you are entitled. You may request the Responsible Party to confirm, free of charge, whether it holds personal information about you. Where we believe that any requests are excessive, we reserve the right to charge a reasonable fee. The fee will be communicated in writing for acceptance prior to providing the services. We also reserve the right to request you to pay a deposit in respect of such fee. Where we believe that the request is manifestly unfounded, we reserve the right to refuse to act on your request.

For more detailed explanations of these and other data subjects’ rights, see:
• https://stmonicas.za.net/
• https://popia.co.za/section-5-rights-of-data-subjects/

PART 3: DECLARATION

I certify that the information given on this application form is true and accurate. I understand that it is necessary for the Responsible Party to confirm my/the data subject’s identity and it may be necessary for them to obtain more detailed information in order to locate the correct personal data. I understand that the response period will be within a reasonable time and will not commence until the Responsible Party is satisfied in this regard and has received the ID requirements stipulated on this form. I enclose the requested form(s) of identification and, if I am not the data subject, I enclose evidence of my identity and written authority or other documents as described above.

Signature: ....................................................................................
Date: ...................................................................................................

PART 4: DELIVERY OF COMPLETED FORMS, IDENTIFICATION AND OTHER SUPPORTING DOCUMENTATION

Please deliver the completed forms, identification and supporting documentation to:
The Information Officer
Physical address: 44 Station Road, Matatiele, Eastern Cape, 4730
Email address: head@stmonicas.za.net/staging / bursar@stmonicas.za.net/staging

ANNEXURE B: POPIA COMPLAINT FORM

We are committed to safeguarding your privacy and the confidentiality of your personal information and are bound by the Protection of Personal Information Act.

Please submit the completed form to the Information Officer below:
Name: Mr G. Roberts
Email address: head@stmonicas.za.net/staging / bursar@stmonicas.za.net/staging

Where we are unable to resolve your complaint to your satisfaction you have the right to complain to the Information Regulator who can be contacted at http://www.justice.gov.za/inforeg/index.html

Particulars of Complainant
Name and Surname:
Identity Number:
Mobile Number:
Email Address:
Years associated with St Monica’s Diocesan School

Details of complaint

Desired Outcome

Signature:
Date:

ANNEXURE B: CONSENT FORMS


St Monica’s Diocesan School

PROTECTION OF PERSONAL INFORMATION PARENTAL CONSENT FORM

 

I acknowledge that I have read and understood St Monica’s Diocesan School, Privacy Policy which can be found at

By signing this form, and unless you at any time instruct the School expressly and in writing to the contrary, your consent is given for the School to:
1) Collect, store and process credit information;
2) Collect, store and process names, contact details and information relating to yourself and your Child, and to such information being made available to staff or responsible persons engaged or authorized by the School for School-related purposes to the extent required for the purpose of managing relationships between the School, parents/guardians, and current learners as well as providing references and communicating with the body of former learners;
3) Supply information and a reference in respect of your Child to any educational institution which you propose your Child may attend. We will take care to ensure that all information that is supplied relating to your Child is accurate and any opinion given on his ability, aptitude and character is fair.
4) Include photographs, with or without name, of your Child in School publications, on the School’s website or in press releases to celebrate the School's or your Child's activities, achievements, or successes (Please mark YES or NO box below).
YES / NO

The School cannot be held liable for any loss you or your Child is alleged to have suffered resulting from opinions reasonably given, or correct statements of fact contained, in any reference or report given by us including informing any other school or educational institution to which you propose to send your Child of any outstanding fees. The School may not distribute or otherwise publish any of your personal information in its possession, unless you give your consent, in writing, to the School that it may do so. Should this be the case, the School may only distribute or otherwise publish the information specified in your consent to the people and for the purpose stated in your written consent.

NAME OF PARENT:
FULL NAME OF CHILD:
SIGNATURE:
DATE:

St Monica’s Diocesan School

PROTECTION OF PERSONAL INFORMATION EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE

“Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise.

“POPIA” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.

St Monica’s Diocesan School undertakes to process the personal information of the employee only in accordance with the conditions of lawful processing as set out in terms of POPIA and in terms of the employer’s POPIA Policy and only to the extent that it is necessary to discharge its obligations and to perform its functions as an employer and within the framework of the employment relationship and as required by South African law.

The employee acknowledges that the collection of his/her personal information is both necessary and requisite as a legal obligation, which falls within the scope of execution of the legal functions and obligations of the employer. The employee therefore irrevocably and unconditionally agrees:

1. That they are notified of the purpose and reason for the collection and processing of his or her PI insofar as it relates to the employer’s discharge of its obligations and to perform its functions as an employer.

2. That they consent and authorize the employer to undertake the collection, processing and further processing of the employee’s PI by the employer for the purposes of securing and further facilitating the employee’s employment with the employer.

3. Without derogating from the generality of the aforesaid, the employee consents to the employer’s collection and processing of PI pursuant to any of the employer’s Internet, Email and Interception policies in place insofar as PI of the employee is contained in relevant electronic communications.

4. To make available to the employer all necessary PI required by the employer for the purpose of securing and further facilitating the employee’s employment with the employer.


5. To absolve the employer from any liability in terms of POPIA for failing to obtain the employee’s consent or to notify the employee of the reason for the processing of any of the employee’s PI.

6. To the disclosure of his/her PI by the employer to any third party, where the employer has a legal or contractual duty to disclose such PI.

7. The employee further agrees to the disclosure of his/her PI for any reason enabling the employer to carry out or to comply with any business obligation the employer may have or to pursue a legitimate interest of the employer in order for the employer to perform its business on a day-to-day basis.

8. The employer undertakes not to transfer or disclose his/her PI unless it is required for its legitimate business requirements and shall comply strictly with legislative stipulations in this regard.

9. The employee acknowledges that during the course of the performance of his/her services, he/she may gain access to and become acquainted with the personal information of parents, pupils, other employees and suppliers. The employee will treat personal information as a confidential school asset and agrees to respect the privacy of parents, pupils, other employees and suppliers.

10. To the extent that he/she is exposed to or insofar as PI of other employees or third parties is disclosed to him/her, the employee hereby agrees to be bound by appropriate and legally binding confidentiality and non-usage obligations in relation to the PI of third parties or employees.

11. Employees may not directly or indirectly, utilize, disclose or make public in any manner to any person or third party, either within the school community or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties on behalf of the employer.

Name of Employee:

Signature:

Date:

Name of Employer: St Monica’s Diocesan School

Head of School: Mr G. Roberts

Signature:

Date:


 

St Monica’s Diocesan School

PROTECTION OF PERSONAL INFORMATION SERVICE PROVIDER AGREEMENT

The Parties have entered into a Service Level Agreement for the provision of

This Service Level Agreement Personal Information and Confidentiality clause shall be deemed to form part of and be construed with such Service Level Agreement.

“Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise.

“POPIA” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.

1. The parties acknowledge that for the purposes of this agreement the service provider contracted to St Monica’s Diocesan School may come into contact with, or have access to, PI and other information that may be classified, or deemed as private or confidential and for which St Monica’s Diocesan School is responsible.

2. Such PI may also be deemed or considered as private and confidential as it relates to any third party who may be directly or indirectly associated with this agreement. Further, it is acknowledged and agreed by the parties that they have the necessary consent to share or disclose the PI and that the information may have value.

3. The parties agree that they will at all times comply with POPIA’s Regulations and Codes of Conduct and that it shall only collect, use and process PI it comes into contact with pursuant to this agreement in a lawful manner, and only to the extent required to execute the services, or to provide the goods and to perform their respective obligations in terms of this agreement.

4. The parties agree that it shall put in place, and at all times maintain, appropriate physical, technological and contractual security measures to ensure the protection and confidentiality of PI that it, or its employees, its contractors or other authorized individuals come into contact with pursuant to this agreement.

5. Unless so required by law, the parties agree that it shall not disclose any PI as defined in POPIA to any third party without the prior written consent of the other party, and, notwithstanding anything to the contrary contained herein, no party shall in any manner whatsoever transfer any PI out of the Republic of South Africa.


FOR AND ON BEHALF OF ST MONICA’S DIOCESAN SCHOOL

Principal: Mr G. Roberts

Signature:

Date:

FOR AND ON BEHALF OF SERVICE PROVIDER

Service Provider:

Representative:

Signature: