1 PREAMBLE
South Peninsula High School is committed to protecting all persons’ privacy and recognises that it needs to comply with statutory requirements whenever it collects, processes and distributes personal information. South Africa has enshrined the right to privacy within the South African Bill of Rights (the Constitution of the Republic of South Africa, 108 of 1996) and has given effect to that right through the Protection of Personal Information Act 4 of 2013 (POPI). The purpose of POPI is to therefore give effect to everyone’s right to privacy as enshrined; to facilitate the balance between the right to privacy with other rights, such as the right to access information; and to safeguard important interests such as the free flow of information within the Republic and across international borders. South Peninsula High School is committed to protecting the privacy of our learners, employees, and partners, in line with POPI and related South African legislation, including the Promotion of Access to Information Act 2 of 2000, global leading practices, and our commitment to good established governance.
South Peninsula High School is established, mandated and governed by the South African Schools Act 84 of 1996 and the Constitution of the Governing Body of South Peninsula High School and relevant policies. In order to perform its functions, South Peninsula High School needs to process personal information about all persons with which it deals and interacts with from time to time. There are various reasons why South Peninsula High School may need to process such information, such as monitoring of performance, achievements, health and safety of learners, employees or other stakeholders. South Peninsula High School may also be obligated by Law or governing bodies to process such information for reporting, statistical or other purposes.
2 PURPOSE OF THIS POLICY
2.1 This policy, through clarifying foundational principles that give effect to the right to privacy, establishes and enables a school framework for the processing of personal information that positions respect for data subjects, transparency, accountability, and auditability at its core. The purpose of this policy is therefore to demonstrate South Peninsula High School’s commitment to safeguarding personal information of all persons, including juristic persons, with whom it interacts and to ensure that the School and its employees comply with the requirements imposed by POPI.
2.2 Without limiting the generality of the above purpose, the further purposes are to:
2.2.1 establish a school-wide policy that will provide direction with respect to the manner of compliance with POPI;
2.2.2 give effect to the right to privacy and at the same time balance the right to privacy against other rights such as the right to access to information, and to protect important interests such as the free flow of information;
2.2.3 regulate the way personal information may be processed;
2.2.4 establish measures to ensure respect for and to promote, enforce and fulfil the rights protected.
3 THE AMBIT AND SCOPE OF POPI
3.1 The ambit of POPI includes schools as entities that handle personal information for administrative purposes.
3.2 This policy has school-wide application.
3.3 This policy applies to personal information collected by the School in connection with the services it offers. This may include information collected offline through our helplines and call centres, and online through our websites, branded pages on third party platforms and applications accessed or used through such websites or third-party platforms which are operated by or on behalf of the School.
3.4 This policy is hereby incorporated into and forms part of the terms and conditions of use of the applicable School sites.
3.5 This policy does not apply to:
3.5.1 information collected by third party websites, platforms and/or applications (“Third Party Sites”) which we do not control.
3.5.2 information collected by Third Party Sites which you access via links on the school sites.
3.5.3 banners, sweepstakes and other advertisements or promotions on Third Party Sites that we may sponsor or participate in.
4 DEFINITIONS
‘Data subject’, as defined in POPI, means the person to whom personal information relates. Data subjects may include, but are not limited to:
- prospective learners,
- applicants,
- learners,
- alumni/ae
- research participants,
- employees,
- employment candidates,
- visitors, and
- members of the public.
‘Personal information’, as defined in POPI, means information relating to an identifiable, living individual or identifiable, existing company, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.
- information relating to the education or the medical, financial, criminal or employment history of the person.
- any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
- the biometric information of the person.
- the personal opinions, views or preferences of the person.
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
- the views or opinions of another individual about the person, the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
A ‘Process’ is a collection of practices influenced by the school’s policies and procedures that takes inputs from several sources (including other processes), manipulates the inputs and produces outputs (such as products, services, or research findings).
‘Process owner’ is the individual accountable for the performance of a process in realising its objectives, driving process improvement, and approving process changes. ‘Processing’, as defined in POPI, means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information including:
- The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use,
- disseminations by means of transmission, distribution, or making available in any other form, or
- merging, linking, as well as restriction, degradation, erasure, or destruction of information.
‘Responsible party’ means South Peninsula High School, which engages in the act of processing personal information.
‘Special Personal Information’ means any information that could be used to identify a data subject and includes –
- Religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health, DNA, sexual life and criminal behaviour.
- Personal information concerning a child.
‘School’ means South Peninsula High School, which includes its faculties, departments, companies, bodies, organisations and employees.
5 RIGHTS OF DATA SUBJECTS
5.1 South Peninsula High School respects a data subject’s right to have his, her or its personal information processed lawfully.
5.2 Data subjects have the right to:
5.2.1 be notified that personal information about him, her or it is being collected or that his, her or its personal information has been accessed or acquired by an unauthorised person.
5.2.2 to establish whether South Peninsula High School holds personal information of that data subject and to request access thereto.
5.2.3 to request, where necessary, the correction, destruction or deletion of his, her or its personal information.
5.2.4 to object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information.
5.2.5 to object to the processing of his, her or its personal information at any time for purposes of direct marketing.
5.2.6 not to be subject, under certain circumstances, to a decision which is based solely on the automated processing of his, her or its personal information intended to provide a profile of such person.
5.2.7 to submit a complaint to the Regulator regarding the alleged interference with the protection of the personal information.
5.2.8 to institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.
6 LAWFUL PROCESSING
South Peninsula High School processes personal information lawfully and in a reasonable manner that does not infringe the privacy of the data subject.
7 MINIMALITY
7.1 Only information which is necessary for the specific purpose for which it is collected, is processed.
7.2 Information which is collected is adequate, relevant and not excessive.
7.3 Information is collected in a manner which does not infringe the rights of the data subject.
8 CONSENT
8.1 South Peninsula High School only processes personal information with the express consent of the data subject or a competent person where the data subject is a child.
8.2 South Peninsula High School processes personal information without express written consent, if:
8.2.1 processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is party.
8.2.2 processing complies with an obligation imposed by law on South Peninsula High School.
8.2.3 processing protects a legitimate interest of the data subject.
8.2.4 processing is necessary for the proper performance of a public law duty by South Peninsula High School.
8.2.4 processing is necessary for pursuing the legitimate interests of South Peninsula High School or of a third party to whom the information is supplied.
8.3 The data subject or competent person may withdraw his, her or its consent, at any time, provided that the lawfulness of the processing of personal information before such withdrawal or the processing of personal information will not be affected.
8.4 A data subject may object, at any time, to the processing of personal information in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing.
8.5 If a data subject has objected to the processing of personal information, South Peninsula High School no longer processes the personal information and the relationship between South Peninsula High School and the data subject may be terminated.
9 COLLECTION OF PERSONAL INFORMATION
9.1 South Peninsula High School collects personal information from the data subject directly, except as otherwise provided for below.
9.2 South Peninsula High School collects personal information from sources other than the data subject directly if:
9.2.1 the information is contained in or derived from a public record or has deliberately been made public by the data subject;
9.2.2 the data subject or a competent person where the data subject is a child has consented to the collection of the information from another source;
9.2.3 collection of the information from another source would not prejudice a legitimate interest of the data subject;
9.2.4 collection of the information from another source is necessary:
9.2.4.1 to avoid prejudice to the maintenance of the law by South Peninsula High School, including the prevention, detection, investigation, prosecution and punishment of offences;
9.2.4.2 to comply with an obligation imposed by law or to enforce legislation;
9.2.4.3 for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated;
9.2.4.4 in the interests of national security;
9.2.4.5 to maintain the legitimate interests of South Peninsula High School or of a third party to whom the information is supplied;
9.2.5 compliance would prejudice a lawful purpose of the collection;
9.2.6 compliance is not reasonably practicable in the circumstances of the particular case.
10 SPECIFIC PURPOSE
10.1 South Peninsula High School collects personal information for a specific, explicitly defined and lawful purpose related to a function or activity of the school.
10.2 South Peninsula High School takes steps to ensure that the data subject is aware of the purpose of the collection of the information.
11 RETENTION AND RESTRICTION OF RECORDS
11.1 South Peninsula High School does not retain records of personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
11.1.1 retention of the record is required or authorised by law;
11.1.2 South Peninsula High School reasonably requires the record for lawful purposes related to its functions or activities;
11.1.3 retention of the record is required by a contract between the parties thereto;
11.1.4 the data subject or a competent person where the data subject is a child has consented to the retention of the record.
11.2 South Peninsula High School restricts processing of personal information if:
11.2.1 its accuracy is contested by the data subject, for a period enabling the responsible party to verify the accuracy of the information.
11.2.2 South Peninsula High School no longer needs the personal information for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof.
12 FURTHER PROCESSING
12.1 Further processing of personal information is done in accordance or compatible with the purpose for which it was collected initially.
13 QUALITY OF INFORMATION
13.1 South Peninsula High School takes reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary, having regard to the purpose for which personal information is collected or further processed.
14 SECURITY AND INTEGRITY
14.1 South Peninsula High School aims and strives to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
14.1.1 loss of, damage to or unauthorised destruction of personal information; and
14.1.2 unlawful access to or processing of personal information.
14.2 It is the objective of South Peninsula High School to take reasonable measures to:
14.2.1 identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
14.2.2 establish and maintain appropriate safeguards against the risks identified.
14.2.3 regularly verify that the safeguards are effectively implemented; and
14.2.4 ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
14.3 . Anyone processing personal information on behalf of South Peninsula High School:
14.3.1 processes such information only with the knowledge or authorisation of South Peninsula High School;
14.3.2 treats personal information which comes to their knowledge as confidential and must not disclose it, unless required by law or in the course of the proper performance of their duties;
14.3.3 South Peninsula High School ensures, by way of written contracts between South Peninsula High School and an operator, that the operator which processes personal information for South Peninsula High School establishes and maintains the sufficient and proper security measures as required by the Act.
15 SPECIAL PERSONAL INFORMATION
15.1 South Peninsula High School, subject to 18.1 to 18.5 below, does not process special personal information concerning:
15.1.1 the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
15.1.2 the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
15.2 South Peninsula High School, processes special personal information when:
15.2.1 processing is carried out with the consent of a data subject
15.2.2 processing is necessary for the establishment, exercise or defence of a right or obligation in law;
15.2.3 processing is necessary to comply with an obligation of international public law;
15.2.4 processing is for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent;
15.2.5 information has deliberately been made public by the data subject.
16 PERSONAL INFORMATION OF CHILDREN
16.1 The School processes personal information of children:
16.1.1 with the prior consent of a competent person;
16.1.2 where it is necessary for the establishment, exercise or defence of a right or obligation in law;
16.1.3 where it is necessary to comply with an obligation of international public law;
16.1.4 where it is necessary for historical, statistical or research purposes to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned; or it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent;
16.1.5 which has deliberately been made public by the child with the consent of a competent person.
17 TRANSFERS OF PERSONAL INFORMATION OUTSIDE THE REPUBLIC
17.1 South Peninsula High School does not transfer personal information about a data subject to a third party who is in a foreign country unless:
17.1.1 the third party who is the recipient of the information is subject to a law, binding corporate rules or binding agreement which provides an adequate level of protection that effectively upholds principles for reasonable processing of the information that are substantially similar to the conditions for the lawful processing of personal information relating to a data subject who is a natural person and, where applicable, a juristic person; and includes provisions that are substantially similar to this section, relating to the further transfer of personal information from the recipient to third parties who are in a foreign country;
17.1.2 the data subject consents to the transfer;
17.1.3 the transfer is necessary for the performance of a contract between the data subject and South Peninsula High School, or for the implementation of pre-contractual measures taken in response to the data subject’s request;
17.1.4 the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between South Peninsula High School and a third party;
17.1.5 the transfer is for the benefit of the data subject, and it is not reasonably practicable to obtain the consent of the data subject to that transfer; and if it were reasonably practicable to obtain such consent, the data subject would be likely to give it.
18 NON-COMPLIANCE WITH THIS POLICY
18.1 Failure to apply and explain the principles within this policy to processing of personal information may render South Peninsula High School or the individuals involved with processing non-compliant with South African privacy-related legislation.
18.2 This non-compliance may lead to fines and claims against South Peninsula High School and/or the individuals involved under South African legislation.
18.3 Non-compliance may further expose South Peninsula High School to significant reputational harm and data subjects to unnecessary risk and harm.
18.4 Based on the nature of the non-compliance, South Peninsula High School may execute its information breach procedures.
18.4.1 South Peninsula High School may take disciplinary action against staff or learners for non-compliance with this policy.
18.4.2 South Peninsula High School may take action, as allowed by contractual agreement or relevant
legislation, against members of institutional statutory bodies and third-party suppliers and
vendors for non-compliance with this policy.
This policy has been developed using resources of other institutions. We acknowledge:
- University of Johannesburg Policy: Privacy and Protection of Personal Information (2015) Corporate Governance and the Office of the Registrar UJ.
- Data Privacy Regulation Stellenbosch University (2019) The Rectorate Stellenbosch University.
- ISACA (2012) COBIT 5 A Business Framework for the Governance and Management of Enterprise IT.
- The European Union’s General Data Protection Regulation.