Version	1
Publishing Date	April 2023
Last Review Date	April 2023
Frequency of Review	Annual
Next Review Date	April 2024
Policy Owner	de Goede Insurance Brokers cc
Responsible Business Unit	de Goede Insurance Brokers cc

 

POLICY STATEMENT

• Any reference to the “organisation” shall be interpreted to include the “policy owner”.
• The organisation’s Governing Body, its employees, volunteers, contractors, suppliers and any other persons acting on behalf of the organisation are required to familiarise themselves with the policy’s requirements and undertake to comply with the stated processes and procedures.

POLICY ADOPTION

By signing this document, I authorise the organisation’s approval and adoption of the processes and procedures outlined herein.

Name & Surname	Mrs Annemarie van Zijl
Capacity	Key Individual
Signature	A van Zijl
Date	30/4/2023

TABLE OF CONTENTS

1. Definitions

           1.1 Conflict of Interest

           1.2 Financial Interest

           1.3 Immaterial Financial Interest

           1.4 Ownership Interest

           1.5 Third Party

           1.6 Associate

           1.7 Distribution Channel

2. Purpose of a Conflict of Interest Management Policy
3. Identifying A Conflict Of Interest

           3.1 Individual Identification

           3.2 Further Guidance On Identifying A Conflict Of Interest

           3.3 Internal Controls To Identify Conflicts Of Interest

4. Avoiding and Mitigating a Conflict Of Interest
5. Disclosure of Conflicts Of Interest
6. Compliance Measures
7. Consequences of Non-Compliance
8. Annexure A: List of Associates
9. Annexure B: Ownership Interests held by the FSP
10. Annexure C: Ownership Interest held in the FSP
11. Annexure D: Type of Financial Interest & Entitlement Thereto

1.  DEFINITIONS

1.1 Conflict of Interest

Conflict of Interest means any situation in which a provider or a representative has an actual or potential interest that may, in rendering a financial service to a client:

• influence the objective performance of his, her or its obligations to that client; or
• prevent a provider or representative from rendering an unbiased and fair financial service to that client, or from acting in the interest of that client,

including but not limited to:

• a financial interest;
• an ownership interest;
• any relationship with a third party.

1.2 Financial Interest

Financial Interest means any cash, cash equivalent, voucher, gift, service, advantage, benefit, discount, domestic or foreign travel, hospitality, accommodation, sponsorship, other incentive or valuable consideration, other than:</span>

• an ownership interest;
• training, that is not exclusively available to a selected group of providers or representatives, on:

• products and legal matters relating to those products;
• general financial and industry information;
• specialised technological systems of a third party necessary for the rendering of a financial service, but excluding travel and accommodation associated with that training.

• a recognised qualifying enterprise development contribution to a qualifying beneficiary by a provider that is a measured entity.

1.3 Immaterial Financial Interest

Immaterial Financial Interest means any financial interest with a determinable monetary value, the aggregate of which does not exceed R1 000 in any calendar year from the same third party in that calendar year received by:

• a provider who is a sole proprietor; or
• a representative for that representative’s direct benefit;
• a provider, who for its benefit or that of some or all of its representatives, aggregates the immaterial financial interest paid to its representatives.

1.4 Ownership Interest

Ownership Interest means

• any equity or proprietary interest, for which fair value was paid by the owner at the time of acquisition, other than equity or a proprietary interest held as an approved nominee on behalf of another person, and
• includes any dividend, profit share or similar benefit derived from that equity or ownership interest.

1.5 Third Party

Third Party means

• a product supplier;
• another provider;
• an associate of a product supplier or a provider;
• a distribution channel;
• any person who in terms of an agreement or arrangement with a person referred to above provides a financial interest to a provider or its representatives.

1.6 Associate

Associate means

• in relation to a natural person:

           –   a person who is recognised in law or the tenets of religion as the spouse, life partner, or civil union partner of that person

           –   a child of that person, including a stepchild, adopted child and a child born out of wedlock

           –   a parent or stepparent of that person

           –   a person in respect of which that person is recognised in law or appointed by a Court as the person legally responsible for managing the affairs of or meeting the daily care needs of the first mentioned person

           –   a person who is a spouse, life partner or civil union partner of a person referred to above

           –   a person who is in a commercial partnership with that person

• in relation to a juristic person:

           –   which is a company, means any subsidiary or holding company of that company, any other subsidiary of that holding company and any other company of which that holding company is a subsidiary

           –   which is a close corporation registered under the Close Corporations Act, means any member thereof as defined in section1 of that Act

           –   which is not a company or a closed corporation, means another juristic person which would have been a subsidiary or holding company of the first-mentioned juristic person:

                –   had such first-mentioned juristic person been a company, or

                –   in the case where that other person, too, is not a company, had both the first-mentioned juristic person and that other person been a company

           –   means any person in accordance with whose directions or instructions the board of director of or, in the case where such juristic person is not a company, the governing body of such juristic person is accustomed to act. 

• in relation to any person:

           –   means any juristic person of which the board of directors or, in the case where such juristic person is not a company, of which the governing body is accustomed to act in accordance with the directions or instructions of the person first-mentioned in this paragraph

           –   includes any trust controlled or administered by that person

1.7 Distribution Channel

Distribution Channel means

• any arrangement between a product supplier of any of its associates and one or more providers or any of its associates in terms of which arrangement any support or service is provided to the provider or providers in rendering a financial service to a client
• any arrangement between two or more providers or any of their associates, which arrangement facilitates, supports or enhances a relationship between the provider or providers and a product supplier
• any arrangement between two or more product suppliers or any of their associates, which arrangement facilitates, supports or enhances a relationship between a provider or providers and a product supplier

2.  PURPOSE OF A CONFLICT OF INTEREST MANAGEMENT POLICY

In terms of Section 3A(2) every provider, other than a representative, must adopt, maintain and implement a conflict of interest management policy which complies with the provisions of the Financial Advisory and Intermediary Services Act, 37 of 2002.

In terms of the General Code of Conduct a provider and a representative must avoid, and where this is not possible, mitigate any conflict of interest between the provider and a client, or a representative of the provider and his, her or its clients. 

The FSP and its representatives are committed towards acting within the best interests of our clients and to avoid all conflict of interests in relation to the provision of financial services. Where we are unable to avoid a conflict of interest, we will take all necessary precautions to ensure that any actual or potential conflict of interest is mitigated and adequately disclosed to our clients.

In order to ensure the continued demonstration of our commitment, management has adopted a Conflict of Interest Management policy to provide for the effective management of any actual or potential conflicts of interest that may arise wholly or partially, in relation to the provision of financial services. 

The purpose of the Conflict of Interest Management Policy is therefore to:

• <span style=”font-weight: 400;”>establish internal controls and mechanisms towards the identification of conflicts of interest
• establish measures to avoid conflicts of interest, and where avoidance is not possible, to provide the reasons therefore
• establish measures to ensure that any unavoidable conflicts of interest are mitigated
• establish measures to ensure the proper disclosure of any conflicts of interest
• establish processes, procedures and internal controls to facilitate compliance with the policy
• communicate the consequences of non-compliance with the policy

3.  IDENTIFYING A CONFLICT OF INTEREST

3.1 INDIVIDUAL IDENTIFICATION

The primary responsibility for the identification of a conflict of interest rests with the representatives, employees and individual members of the governing body of the FSP. 

Throughout the process of rendering a financial service to a client, a representative must apply his or her mind to answering the following questions:

• is there any situation that exists that influences the objective performance of my obligations to my client?
• is there any situation that exists that prevents me from rendering an unbiased and fair financial service to my client?
• is there any situation that exists that prevents me from acting in the best interest of my client?

If the answer to all three questions is “no”, then there is no conflict of interest associated with the financial service and the representative may proceed.

If the answer to any one of the three questions is “yes”, the representative must proceed to answer the following additional questions: 

• is the situation caused as a result of an actual or potential relationship with a third party? (see definition of “third party”)
• is the situation caused by an actual or potential financial or ownership interest? (see definition of “financial interest” and “ownership interest”)

If the answer to any one of these questions is “yes”, an actual or potential conflict of interest will have been identified. 

3.2 FURTHER GUIDANCE ON IDENTIFYING A CONFLICT OF INTEREST

The definition of a Conflict of Interest incorporates the following terminology:

• …….…..influence the “objective performance” of his, her or its obligations to that client….
• …………prevent a provider or representative from rendering an “unbiased and fair financial service” to that client…..
• ………..including but not limited to a “financial interest”

It is generally understood that the word “objective” refers to a situation where an individual’s personal feelings or opinions are completely removed from the equation. The “objective performance” of an FSP or representative’s obligations therefore implies a situation where financial services are rendered without any untoward influences. 

The word “bias” or “biased” is understood to mean a form of prejudice towards a particular person or viewpoint, whereas the word “fair” or “fairness” indicates a situation of just circumstances or being treated on an equal footing. An unbiased financial service therefore implies a financial service that does not lend itself to a particular persuasion, where no reasonable justification for such persuasion can be found. Similarly, a fair financial service implies a situation where the same conclusion or outcome will consistently present itself given the exact same set of circumstances.

Subject to section 3A(1)(c) of the General Code of Conduct, the FSP and its representatives may only receive or offer the following “financial interest” from or to a “third party”:

• commission authorised under the Long-term Insurance Act, Short-term Insurance Act or under the Medical Schemes Act
• fees authorised under the Long-term Insurance Act, the Short-term Insurance Act or the Medical Schemes Act, if those fees are reasonably commensurate to a service being rendered
• fees for the rendering of a financial service in respect of which commission or fees referred to above is not paid, if those fees:
  • are specifically agreed to by a client in writing; and
  • may be stopped at the discretion of that client
• fees or remuneration for the rendering of a service to a third party, which fees or remuneration are reasonably commensurate to the service being rendered
• an immaterial financial interest (subject to any other law)
• a financial interest, not referred to above for which a consideration, fair value or remuneration that is reasonably commensurate to the value of the financial interest, is paid by that FSP or representative at the time of receipt thereof

The FSP will not offer any financial interest to its representatives for: 

• giving preference to the quantity of business secured for the FSP to the exclusion of the quality of the service rendered to clients; or
• giving preference to a specific product supplier, where a representative may recommend more than one product supplier to a client; or
• giving preference to a specific product of a product supplier, where a representative may recommend more than one product of that product supplier to a client.

3.3 INTERNAL CONTROLS TO IDENTIFY CONFLICTS OF INTEREST

The FSP has implemented the following internal controls to identify actual or potential conflicts of interest that may arise:

• The governing body of the FSP conducts annual reviews on all contracts held with third parties in order to assess whether the contractual relationship in any way influences the FSP’s objective performance towards its clients
• The governing body of the FSP conducts annual reviews on all contracts held with third parties in order to assess whether the contractual relationship in any way influences the FSP’s ability to render fair and unbiased financial services towards its clients 
• The governing body of the FSP conducts annual reviews on all contracts held with third parties in order to assess whether the contractual relationship in any way influences the FSP’s ability to act in the best interest of the client
• The governing body of the FSP conducts annual reviews on all relationships where an ownership interest exists between the FSP and a third party. The purpose of the review is to assess whether the relationship in any way influences the FSP’s objective performance towards its clients
• The governing body of the FSP conducts annual reviews on all relationships where an ownership interest exists between the FSP and a third party. The purpose of the review is to assess whether the relationship in any way influences the FSP’s ability to render fair and unbiased financial services towards its clients 
• Conflict of Interest declarations are signed by all relevant personnel on a quarterly basis. The purpose of collecting Conflict of Interest declarations is to assist the FSP and the appointed Compliance Officer to identify actual or potential conflicts of interest
• A list of the FSP’s associates is attached as an annexure hereto. The list is reviewed on an annual basis
• A list of all third parties in which the FSP holds an ownership interest is attached as an annexure hereto. The list is reviewed on an annual basis
• A list of all third parties that holds an ownership interest in the FSP is attached as an annexure hereto. The list is reviewed on an annual basis
• The FSP maintains a Gift Register. All gifts received from a third party with an estimated value of R500 or more will be recorded in the FSP’s Gift Register. The Gift Register is kept in the FSP’s Compliance Manual
• All relevant personnel (Key Individuals and Representatives) are required to immediately disclose in writing to the governing body of the FSP and the FSP’s Compliance Officer, any actual or potential conflicts of interest as soon as they become aware of such situation

4.  AVOIDING AND MITIGATING A CONFLICT OF INTEREST

Once an actual or potential conflict of interest has been identified, the following procedures will be followed in order to determine whether the conflict of interest is avoidable:

• The governing body of the FSP will convene and evaluate the actual or potential conflict of interest in an open and honest manner
• All information that’s led up to and resulting in, or causing the actual or potential conflict of interest will be disclosed to the FSP’s governing body and the FSP’s compliance officer
• The governing body of the FSP will apply its mind and determine by way of majority vote whether the FSP is in a position to avoid the actual or potential conflict of interest
• During the evaluation process, the governing body of the FSP will consider the following possible outcomes prior to a finding in favour of unavoidability:

           –   The possible negative impact it will have on the FSP’s clients where the actual or potential conflict of interest is deemed to be unavoidable

           –   The possible negative impact it will have on the integrity of the financial services industry where the actual or potential conflict of interest is deemed to be unavoidable

• Where the governing body of the FSP has determined that the actual or potential conflict of interest is in fact avoidable, the following processes will be followed:

          –   The governing body will remove the underlying cause or situation that results in the actual or potential conflict of interest as soon as reasonably possible

          –   Any immediate negative impact or prejudice towards clients pending the removal of the actual or potential conflict of interest will be kept to a minimum

          –   The reasons why the actual or potential conflict of interest was determined to be avoidable will be recorded in the FSP’s Compliance Manual

          –   Similar circumstances that has led up to the actual or potential conflict of interest will be avoided in the future

• Where the governing body of the FSP has determined that the actual or potential conflict of interest is unavoidable, the following processes will be followed:

          –   The governing body of the FSP and the FSP’s compliance officer will convene and determine the measures that will be implemented in order to mitigate the actual or potential conflict of interest as far as reasonably possible

          –   The reasons why the actual or potential conflict of interest was considered to be unavoidable will be recorded in the FSP’s Compliance Manual 

• Any measures implemented towards mitigating the actual or potential conflicts of interest will include the following arrangements:

          –    The status of whether the actual or potential conflicts of interest’s is still deemed to be unavoidable shall be reassessed on a continuous basis

          –    Where a previously deemed unavoidable actual or potential conflicts of interest is subsequently deemed to be avoidable, such actual or potential conflict of interest shall immediately be avoided

          –   All representatives will be notified of any actual or potential conflicts of interest as well as the reasons for its unavoidability

          –   When rendering a financial service, a representative shall be required to disclose to the client in writing that an actual or potential conflict of interest exist

          –   The FSP and/or the FSP’s compliance officer shall report on the status of the actual or potential conflict of interest in the FSP’s compliance report to be submitted to the Financial Services Board

5.  DISCLOSURE OF CONFLICTS OF INTEREST

It is acknowledged that while disclosure alone will often not be enough, disclosure must be treated as an integral part of managing conflicts of interest. The FSP is therefore committed to ensure that clients are fully informed about actual or potential conflicts of interest in relation to the provision of financial services.

The FSP has adopted the following disclosure measures: 

• The FSP shall disclose to a client any conflict of interest in respect of that client
• The disclosure shall be made in writing at the earliest reasonable opportunity. The disclosure may be communicated by way of appropriate electronic media
• The disclosure shall include the nature of any relationship or arrangement with a third party that gives rise to a conflict of interest
• The disclosure shall be made in sufficient detail to enable the client to understand the exact nature of the relationship or arrangement and the conflict of interest
• The disclosure shall include the measures taken to avoid or mitigate the conflict
• The disclosure shall include any ownership interest or financial interest, other than an immaterial financial interest, that the FSP or representative may be or become eligible for</li>
• The disclosure shall include a reference to the FSP’s Conflict of Interest Management Policy and how it may be accessed

6.  COMPLIANCE MEASURES

The measures implemented towards ensuring the FSP’s continued compliance with the Conflict of Interest Management Policy rests with the governing body of the FSP. The FSP’s appointed Compliance Officer will monitor the FSP’s continued compliance with the policy on an ongoing basis.

The FSP has adopted the following internal controls and processes:

• The governing body of the FSP shall ensure that the Conflict of Interest Management Policy is kept in the FSP’s Compliance Manual
• The governing body of the FSP shall ensure that all relevant personnel read the Conflict of Interest Management Policy and understand their duties in respect thereof
• The governing body of the FSP shall ensure that all personnel, and where appropriate, associates are made aware of the contents of the Conflict of Interest Management Policy and shall provide personnel with training and educational material where deemed appropriate 
• The governing body of the FSP shall ensure that all Conflict of Interest declarations are signed by relevant personnel on a quarterly (3 monthly) basis
• Where an employee or representative have any concerns whether or not an actual or potential conflict of interest might arise in a particular situation, the employee or representative will be required to refer his or her concern to the FSP’s Compliance Officer
• The governing body of the FSP shall ensure that a list of all the FSP’s associates is annexed to the Conflict of Interest Management Policy and that a review of the list shall be conducted annually
• The governing body of the FSP shall ensure that a list of all the parties in which the FSP holds an ownership interest is annexed to the Conflict of Interest Management Policy and that a review of the list shall be conducted annually
• The governing body of the FSP shall ensure that a list of all third parties that holds an ownership interest in the FSP is annexed to the Conflict of Interest Management Policy and that a review of the list shall be conducted annually
• The governing body of the FSP shall continue to maintain a Gift Register and shall ensure that all gifts received from a third party with an estimated value of R500 or more are recorded in the FSP’s Gift Register
• The governing body of the FSP shall ensure that the proper disclosures are made to the client regarding actual or potential conflicts of interest
• The Conflict of Interest Policy shall be regularly reviewed by the appointed Compliance Officer, and where necessary, updated to ensure that the measures contained herein remains effective
• The governing body of the FSP shall publish its Conflict of Interest Management Policy in appropriate media and ensure that it is easily accessible for public inspection at all reasonable times
• The governing body of the FSP shall ensure that the Conflict of Interest Management Policy is reviewed on at least an annual basis

7.  CONSEQUENCES OF NON-COMPLIANCE 

Where there is reason to believe that an employee or representative has failed to disclose an actual or potential conflict of interest via the proper communication channels, the FSP will proceed to investigate and take any appropriate steps it deems necessary to limit any financial prejudice that may be suffered by the FSP, its clients or any other third party.

Where an investigation concludes that an employee or representative of the FSP has indeed failed to disclose an actual or potential conflict of interest, the FSP shall immediately take appropriate disciplinary steps and corrective actions against such employee or representative. Any failure by an employee to comply with the Conflict of Interest Management Policy will be considered serious form of misconduct and a dismissible offence.

8.  ANNEXURE A: LIST OF ASSOCIATES

In terms of Section 3A(2)(b)(iii) of the General Code of Conduct, a Conflict of Interest Management Policy must include a list of all the FSP’s associates.

Please refer back to the definition of an “associate” and list all the FSP’s associates, as well as the nature of the associate relationship:

Andre John de Goede

Annemarie van Zijl

Key Individual Signature:	A van Zijl
Date:  30/4/2023

9.  ANNEXURE B: OWNERSHIP INTERESTS HELD BY THE FSP

In terms of Section 3A(2)(b)(v) of the General Code of Conduct, a Conflict of Interest Management Policy must include the names of any third parties in which the provider holds an ownership interest.

Please refer back to the definition of a “third party” and “ownership interest” and list all third parties in which the FSP holds an ownership interest. Also specify the nature and extent of the ownership interest. 

</tr>

</tr>>

Andre John de Goede	Annemarie van Zijl</td

Key Individual Signature:	A van Zijl
Date:  30/4/2023

10.  ANNEXURE C: OWNERSHIP INTEREST HELD IN THE FSP

In terms of Section 3A(2)(b)(vii) of the General Code of Conduct, a Conflict of Interest Management Policy must include the names of any third parties that holds an ownership interest in the provider. 

Please refer back to the definition of a “third party” and “ownership interest” and list all third parties that hold an ownership interest in the FSP. Also specify the nature and extent of the ownership interest.

Andre John de Goede

Annemarie van Zijl

</td>

</td>

Key Individual Signature:	A van Zijl
Date:  30/4/2023

11.  ANNEXURE D: TYPE OF FINANCIAL INTEREST & ENTITLEMENT THERETO

In terms of Section 3A(2)(b)(ii), a Conflict of Interest Management Policy must specify the type of financial interest that the provider will offer a Representative and the basis on which a Representative will be entitled to such a financial interest. The Conflict of Interest Management Policy must also include a motivation regarding how the financial interest complies with sections 3A(1)(b) and 3A(1)(bA).

Please refer back to the definition of “Financial Interest”, and specify in the table below which types of financial interest is offered by the provider to its Representatives. Also specify the basis on which these Representatives are entitled to such a financial interest. Lastly, specify how the financial interest afforded to the Representatives comply with sections 3A(1)(b) and 3A(1)(bA).

Form of Financial Interest Section 3A(1)(a)(i) – (vii)	Basis for entitlement to Financial Interest	Compliance with Sections 3A(1)(b) and 3A(1)(bA)
Commission authorised under the Long-term Insurance Act, 1998 (Act No. 52 of 1998) or the Short-term Insurance Act, 1998 (Act No. 53 of 1998).
Commission authorised under the Medical Schemes Act, 1998 (Act No. 131 of 1998).
Fees authorised under the Long-term Insurance Act, 1998 (Act No. 52 of 1998) or the Medical Schemes Act, 1998 (Act No. 131 of 1998).
Fees for the rendering of a financial service in respect of which commission or fees referred to above is not paid, if The amount, frequency, payment method and recipient of those fees and details of the services that are to be provided by the provider or its representatives in exchange for the fees are specifically agreed to by a client in writing; and style=”font-weight: 400;” aria-level=”1″>Those fees may be stopped at the discretion of that client.
Fees or remuneration for the rendering of a service to a third party.
Subject to any other law, an immaterial financial interest.
A financial interest, not referred to in the column above, for which a consideration, fair value or remuneration that is reasonably commensurate to the value of the financial interest, is paid by that provider or representative at the time of receipt thereof.

Version	2021.06 (v.2)
Publishing Date	April 2023
Last Review Date	April 2023
Frequency of Review	Annually
Next Review Date	April 2024
Policy Owner	De Goede Insurance Brokers
Responsible Business Unit	De Goede Insurance Brokers

POLICY STATEMENT

• This policy forms part of the policy owner’s internal business processes and procedures.
• Any reference to the “organisation” shall be interpreted to include the “policy owner”.
• The organisation’s governing body, its employees, volunteers, contractors, suppliers and any other persons acting on behalf of the organisation are required to familiarise themselves with the policy’s requirements and undertake to comply with the stated processes and procedures.
• Risk owners and control owners are responsible for overseeing and maintaining control procedures and activities.

POLICY ADOPTION

By signing this document, I authorise the policy owner’s approval and adoption of the processes and procedures outlined herein.

Name & Surname	A van Zijl
Capacity	Key Individual
Signature	A van Zijl
Date	30/4/2023

TABLE OF CONTENTS         

1. INTRODUCTION

      2.          DEFINITIONS

      2.1        Personal Information

      2.2       Data Subject

      2.3       Responsible Party

      2.4       Operator

      2.5       Information Officer

      2.6      Processing

      2.7      Record

      2.8      Filing System

      2.9      Unique Identifier

      2.10    De-Identify

      2.11     Re-Identify

      2.12     Consent

      2.13     Direct Marketing

      2.14     Biometrics

      3.         POLICY PURPOSE

      4.        POLICY APPLICATION

      5.        RIGHTS OF DATA SUBJECTS

      5.1      The Right to Access Personal Information

      5.2     The Right to have Personal Information Corrected or Deleted

      5.3     The Right to Object to the Processing of Personal Information

      5.4     The Right to Object to Direct Marketing

      5.5     The Right to Complain to the Information Officer

      5.6     The Right to be Informed

      6.        GENERAL GUIDING PRINCIPLES

      6.1      Accountability

      6.2     Processing Limitation

      6.3     Purpose Specification

      6.4     Further Processing Limitation

      6.5     Information Quality

      6.6     Open Communication

      6.7     Security Safeguards

      6.8     Data Subject Participation

      7.        INFORMATION OFFICERS

      8.        SPECIFIC DUTIES AND RESONSIBILITIES

      8.1      Governing Policy

      8.2     Information officer

      8.3     IT Manager

      8.4     Marketing & Communication Manager

      8.5     Employees and other Persons acting on behalf of the Organisation

      9.       POPI AUDIT

      10.     REQUEST TO ACCESS PERSONAL INFORMATION

      11.      POPI COMPLAINTS PROCEDURE

      12.      DISCIPLINARY ACTION

      13.     ANNEXURE A:  PERSONAL INFORMATION REQUEST FORM

      14.     ANNEXURE B:  POPI COMPLAINT FORM

      15.     ANNEXURE C:  POPI NOTICE AND CONSENT FORM

      16.     ANNEXURE D:  EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE

      17.     ANNEXURE E:  SLA CONFIDENTIALITY CLAUSE

      18.     ANNEXURE F:  INFORMATION OFFICER APPOINTMENT LETTER

19.   INTRODUCTION

The right to privacy is an integral human right recognised and protected in the South African Constitution and in the Protection of Personal Information Act 4 of 2013 (“POPIA”). 

POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner.

Through the provision of quality goods and services, the organisation is necessarily involved in the collection, use and disclosure of certain aspects of the personal information of clients, customers, employees and other stakeholders. 

A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.

Given the importance of privacy, the organisation is committed to effectively managing personal information in accordance with POPIA’s provisions.

20.   DEFINITIONS

20.1   Personal Information

Personal information is any information that can be used to reveal a person’s identity. Personal information relates to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (such as a company), including, but not limited to information concerning:

• race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person;

• information relating to the education or the medical, financial, criminal or employment history of the person;

• any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person;

• the biometric information of the person;

• the personal opinions, views or preferences of the person;

• correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;

• the views or opinions of another individual about the person;

• the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

20.2   Data Subject

This refers to the natural or juristic person to whom personal information relates, such as an individual client, customer or a company that supplies the organisation with products or other goods.

20.3   Responsible Party

The responsible party is the entity that needs the personal information for a particular reason and determines the purpose of and means for processing the personal information. In this case, the organisation is the responsible party.

20.4   Operator

An operator means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party. For example, a third-party service provider that has contracted with the organisation to shred documents containing personal information. When dealing with an operator, it is considered good practice for a responsible party to include an indemnity clause.

20.5   Information Officer

The Information Officer is responsible for ensuring the organisation’s compliance with POPIA. 

Where no Information Officer is appointed, the head of the organisation will be responsible for performing the Information Officer’s duties.

 Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer. 

20.6   Processing

The act of processing information includes any activity or any set of operations, whether or not by automatic means, concerning personal information and includes:

• the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;

• dissemination by means of transmission, distribution or making available in any other form; or

• merging, linking, as well as any restriction, degradation, erasure or destruction of information.

20.7   Record

Means any recorded information, regardless of form or medium, including:

• Writing on any material;

• Information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;

• Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;

• Book, map, plan, graph or drawing;

• Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced. 

20.8   Filing System

Means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

20.9  Unique Identifier

Means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

20.10 De-Identify

This means to delete any information that identifies a data subject or which can be used by a reasonably foreseeable method to identify, or when linked to other information, that identifies the data subject.

20.11 Re-Identify

In relation to personal information of a data subject, means to resurrect any information that has been de-identified that identifies the data subject, or can be used or manipulated by a reasonably foreseeable method to identify the data subject.

20.12 Consent

Means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

20.13 Direct Marketing

Means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of:

• Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or

• Requesting the data subject to make a donation of any kind for any reason.

20.14 Biometrics

Means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.

21.    POLICY PURPOSE

This purpose of this policy is to protect the organisation from the compliance risks associated with the protection of personal information which includes:

• Breaches of confidentiality. For instance, the organisation could suffer loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately.

• Failing to offer choice. For instance, all data subjects should be free to choose how and for what purpose the organisation uses information relating to them.

• Reputational damage. For instance, the organisation could suffer a decline in shareholder value following an adverse event such as a computer hacker deleting the personal information held by the organisation.

This policy demonstrates the organisation’s commitment to protecting the privacy rights of data subjects in the following manner:

• Through stating desired behaviour and directing compliance with the provisions of POPIA and best practice.

• By cultivating an organisational culture that recognises privacy as a valuable human right.

• By developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information.

• By creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the organisation.

• By assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary, Deputy Information Officers in order to protect the interests of the organisation and data subjects.

• By raising awareness through training and providing guidance to individuals who process personal information so that they can act confidently and consistently.

22.    POLICY APPLICATION

This policy and its guiding principles applies to:

• The organisation’s governing body

• All branches, business units and divisions of the organisation

• All employees and volunteers

• All contractors, suppliers and other persons acting on behalf of the organisation

The policy’s guiding principles find application in all situations and must be read in conjunction with POPIA as well as the organisation’s PAIA Policy as required by the Promotion of Access to Information Act (Act No 2 of 2000).

The legal duty to comply with POPIA’s provisions is activated in any situation where there is:

• A processing of…..….
• …………personal information……….
• ……………………..entered into a record……….
• ……………………..…………..by or for a responsible person…………
• ………………………………………………….…..who is domiciled in South Africa.

POPIA does not apply in situations where the processing of personal information:

• is concluded in the course of purely personal or household activities, or

• where the personal information has been de-identified.

23.    RIGHTS OF DATA SUBJECTS

Where appropriate, the organisation will ensure that its clients and customers are made aware of the rights conferred upon them as data subjects.

The organisation will ensure that it gives effect to the following seven rights.

5.1 The Right to Access Personal Information

The organisation recognises that a data subject has the right to establish whether the organisation holds personal information related to him, her or it including the right to request access to that personal information.

An example of a “Personal Information Request Form” can be found under Annexure A.

5.2 The Right to have Personal Information Corrected or Deleted

The data subject has the right to request, where necessary, that his, her or its personal information must be corrected or deleted where the organisation is no longer authorised to retain the personal information.

5.3 The Right to Object to the Processing of Personal Information

The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. 

In such circumstances, the organisation will give due consideration to the request and the requirements of POPIA. The organisation may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual record keeping requirements, also approve the destruction of the personal information.

5.4 The Right to Object to Direct Marketing

The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.

5.5    The Right to Complain to the Information Regulator

The data subject has the right to submit a complaint to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.  

An example of a “POPI Complaint Form” can be found under Annexure B.

5.6 The Right to be Informed

The data subject has the right to be notified that his, her or its personal information is being collected by the organisation. 

The data subject also has the right to be notified in any situation where the organisation has reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person.

24.    GENERAL GUIDING PRINCIPLES

All employees and persons acting on behalf of the organisation will at all times be subject to, and act in accordance with, the following guiding principles:

6.1 Accountability

Failing to comply with POPIA could potentially damage the organisation’s reputation or expose the organisation to a civil claim for damages. The protection of personal information is therefore everybody’s responsibility.

The organisation will ensure that the provisions of POPIA and the guiding principles outlined in this policy are complied with through the encouragement of desired behaviour. However, the organisation will take appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the principles and responsibilities outlined in this policy.

6.2 Processing Limitation

The organisation will ensure that personal information under its control is processed:

• in a fair, lawful and non-excessive manner, and

• only with the informed consent of the data subject, and

• only for a specifically defined purpose.

The organisation will inform the data subject of the reasons for collecting his, her or its personal information and obtain written consent prior to processing personal information. 

Alternatively, where services or transactions are concluded over the telephone or electronic video feed, the organisation will maintain a voice recording of the stated purpose for collecting the personal information followed by the data subject’s subsequent consent.

The organisation will under no circumstances distribute or share personal information between separate legal entities, associated organisations (such as subsidiary companies) or with any individuals that are not directly involved with facilitating the purpose for which the information was originally collected.

Where applicable, the data subject must be informed of the possibility that their personal information will be shared with other aspects of the organisation’s business and be provided with the reasons for doing so. 

An example of a “POPI Notice and Consent Form” can be found under Annexure C.

6.3 Purpose Specification

All of the organisation’s business units and operations must be informed by the principle of transparency. 

The organisation will process personal information only for specific, explicitly defined and legitimate reasons. The organisation will inform data subjects of these reasons prior to collecting or recording the data subject’s personal information.

6.4 Further Processing Limitation

Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. 

Therefore, where the organisation seeks to process personal information it holds for a purpose other than the original purpose for which it was originally collected, and where this secondary purpose is not compatible with the original purpose, the organisation will first obtain additional consent from the data subject.

6.5 Information Quality

The organisation will take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading. 

The more important it is that the personal information be accurate (for example, the beneficiary details of a life insurance policy are of the utmost importance), the greater the effort the organisation will put into ensuring its accuracy.

Where personal information is collected or received from third parties, the organisation will take reasonable steps to confirm that the information is correct by verifying the accuracy of the information directly with the data subject or by way of independent sources.

6.6 Open Communication

The organisation will take reasonable steps to ensure that data subjects are notified (are at all times aware) that their personal information is being collected including the purpose for which it is being collected and processed. 

The organisation will ensure that it establishes and maintains a “contact us” facility, for instance via its website or through an electronic helpdesk, for data subjects who want to:

• Enquire whether the organisation holds related personal information, or

• Request access to related personal information, or

• Request the organisation to update or correct related personal information, or 

• Make a complaint concerning the processing of personal information.

6.7 Security Safeguards

The organisation will manage the security of its filing system to ensure that personal information is adequately protected. To this end, security controls will be implemented in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction.

Security measures also need to be applied in a context-sensitive manner. For example, the more sensitive the personal information, such as medical information or credit card details, the greater the security required.

The organisation will continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the organisation’s IT network.

The organisation will ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals. 

All new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information. Confidentiality clauses will also be included to reduce the risk of unauthorised disclosures of personal information for which the organisation is responsible. 

All existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses.

The organisation’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.

An example of “Employee Consent and Confidentiality Clause” for inclusion in the organisation’s employment contracts can be found under Annexure D.

An example of an “SLA Confidentiality Clause” for inclusion in the organisation’s service level agreements can be found under Annexure E.

6.8 Data Subject Participation

A data subject may request the correction or deletion of his, her or its personal information held by the organisation.

The organisation will ensure that it provides a facility for data subjects who want to request the correction of deletion of their personal information. 

Where applicable, the organisation will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

25.     INFORMATION OFFICERS

The organisation will appoint an Information Officer and where necessary, a Deputy Information Officer to assist the Information Officer. 

The organisation’s Information Officer is responsible for ensuring compliance with POPIA. 

There are no legal requirements under POPIA for an organisation to appoint an Information Officer. Appointing an Information Officer is however, considered to be a good business practice, particularly within larger organisations.

Where no Information Officer is appointed, the head of the organisation will assume the role of the Information Officer.

Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and the re-appointment or replacement of any Deputy Information Officers.

Once appointed, the organisation will register the Information Officer with the South African Information Regulator established under POPIA prior to performing his or her duties. 

An example of an “Information Officer Appointment Letter” can be found under Annexure F.

26.    SPECIFIC DUTIES AND RESPONSIBILITIES

8.1    Governing Body

The organisation’s governing body cannot delegate its accountability and is ultimately answerable for ensuring that the organisation meets its legal obligations in terms of POPIA.  

The governing body may however delegate some of its responsibilities in terms of POPIA to management or other capable individuals. 

The governing body is responsible for ensuring that:

• The organisation appoints an Information Officer, and where necessary, a Deputy Information Officer.

• All persons responsible for the processing of personal information on behalf of the organisation:

• are appropriately trained and supervised to do so,
• understand that they are contractually obligated to protect the personal information they come into contact with, and
• are aware that a wilful or negligent breach of this policy’s processes and procedures may lead to disciplinary action being taken against them.

• Data subjects who want to make enquires about their personal information are made aware of the procedure that needs to be followed should they wish to do so.

• The scheduling of a periodic POPI Audit in order to accurately assess and review the ways in which the organisation collects, holds, uses, shares, discloses, destroys and processes personal information.

8.2    Information Officer

 The organisation’s Information Officer is responsible for:

• Taking steps to ensure the organisation’s reasonable compliance with the provision of POPIA.

• Keeping the governing body updated about the organisation’s information protection responsibilities under POPIA. For instance, in the case of a security breach, the Information Officer must inform and advise the governing body of their obligations pursuant to POPIA.

• Continually analysing privacy regulations and aligning them with the organisation’s personal information processing procedures. This will include reviewing the organisation’s information protection procedures and related policies.

• Ensuring that POPI Audits are scheduled and conducted on a regular basis.

• Ensuring that the organisation makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to the organisation. For instance, maintaining a “contact us” facility on the organisation’s website.

• Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by the organisation. This will include overseeing the amendment of the organisation’s employment contracts and other service level agreements. 

• Encouraging compliance with the conditions required for the lawful processing of personal information.

• Ensuring that employees and other persons acting on behalf of the organisation are fully aware of the risks associated with the processing of personal information and that they remain informed about the organisation’s security controls.

• Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the organisation.

• Addressing employees’ POPIA related questions.

• Addressing all POPIA related requests and complaints made by the organisation’s data subjects.

• Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter.

The Deputy Information Officer will assist the Information Officer in performing his or her duties.

8.3    IT Manager

        The organisation’s IT Manager is responsible for:

• Ensuring that the organisation’s IT infrastructure, filing systems and any other devices used for processing personal information meet acceptable security standards.

• Ensuring that all electronically held personal information is kept only on designated drives and servers and uploaded only to approved cloud computing services.

• Ensuring that servers containing personal information are sited in a secure location, away from the general office space.

• Ensuring that all electronically stored personal information is backed-up and tested on a regular basis. 

• Ensuring that all back-ups containing personal information are protected from unauthorised access, accidental deletion and malicious hacking attempts.

• Ensuring that personal information being transferred electronically is encrypted.

• Ensuring that all servers and computers containing personal information are protected by a firewall and the latest security software.

• Performing regular IT audits to ensure that the security of the organisation’s hardware and software systems are functioning properly.

• Performing regular IT audits to verify whether electronically stored personal information has been accessed or acquired by any unauthorised persons.

• Performing a proper due diligence review prior to contracting with operators or any other third-party service providers to process personal information on the organisation’s behalf. For instance, cloud computing services.

8.4    Marketing & Communication Manager

The organisation’s Marketing & Communication Manager is responsible for:

• Approving and maintaining the protection of personal information statements and disclaimers that are displayed on the organisation’s website, including those attached to communications such as emails and electronic newsletters.

• Addressing any personal information protection queries from journalists or media outlets such as newspapers.

• Where necessary, working with persons acting on behalf of the organisation to ensure that any outsourced marketing initiatives comply with POPIA.

8.5    Employees and other Persons acting on behalf of the Organisation

Employees and other persons acting on behalf of the organisation will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain clients, suppliers and other employees. 

Employees and other persons acting on behalf of the organisation are required to treat personal information as a confidential business asset and to respect the privacy of data subjects. 

Employees and other persons acting on behalf of the organisation may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties. 

Employees and other persons acting on behalf of the organisation must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a data subject’s personal information.

 Employees and other persons acting on behalf of the organisation will only process personal information where:

• The data subject, or a competent person where the data subject is a child, consents to the processing; or

• The processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party; or

• The processing complies with an obligation imposed by law on the responsible party; or

• The processing protects a legitimate interest of the data subject; or

• The processing is necessary for pursuing the legitimate interests of the organisation or of a third party to whom the information is supplied.

Furthermore, personal information will only be processed where the data subject:

• Clearly understands why and for what purpose his, her or its personal information is being collected; and

• Has granted the organisation with explicit written or verbally recorded consent to process his, her or its personal information.

Employees and other persons acting on behalf of the organisation will consequently, prior to processing any personal information, obtain a specific and informed expression of will from the data subject, in terms of which permission is given for the processing of personal information. 

Informed consent is therefore when the data subject clearly understands for what purpose his, her or its personal information is needed and who it will be shared with.

Consent can be obtained in written form which includes any appropriate electronic medium that is accurately and readily reducible to printed form. Alternatively, the organisation will keep a voice recording of the data subject’s consent in instances where transactions are concluded telephonically or via electronic video feed. 

Consent to process a data subject’s personal information will be obtained directly from the data subject, except where:

• the personal information has been made public, or 

• where valid consent has been given to a third party, or 

• the information is necessary for effective law enforcement. 

        Employees and other persons acting on behalf of the organisation will under no circumstances:

• Process or have access to personal information where such processing or access is not a requirement to perform their respective work-related tasks or duties.

• Save copies of personal information directly to their own private computers, laptops or other mobile devices like tablets or smart phones. All personal information must be accessed and updated from the organisation’s central database or a dedicated server.

• Share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure. Where access to personal information is required, this may be requested from the relevant line manager or the Information Officer.

• Transfer personal information outside of South Africa without the express permission from the Information Officer.

Employees and other persons acting on behalf of the organisation are responsible for:

• Keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy.

• Ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created.

• Ensuring that personal information is encrypted prior to sending or sharing the information electronically. The IT Manager will assist employees and where required, other persons acting on behalf of the organisation, with the sending or sharing of personal information to or with authorised external persons.

• Ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons.

• Ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.

• Ensuring that where personal information is stored on removable storage medias such as external drives, CDs or DVDs that these are kept locked away securely when not being used.

• Ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet.

• Ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer.

• Taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the client or customer phones or communicates via email. Where a data subject’s information is found to be out of date, authorisation must first be obtained from the relevant line manager or the Information Officer to update the information accordingly.

• Taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner.

• Undergoing POPI Awareness training from time to time.

Where an employee, or a person acting on behalf of the organisation, becomes aware or suspicious of any security breach such as the unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the Information Officer or the Deputy Information Officer.

9. POPI AUDIT

The organisation’s Information Officer will schedule periodic POPI Audits.

The purpose of a POPI audit is to:

• Identify the processes used to collect, record, store, disseminate and destroy personal information.

 

• Determine the flow of personal information throughout the organisation. For instance, the organisation’s various business units, divisions, branches and other associated organisations.

• Redefine the purpose for gathering and processing personal information.

• Ensure that the processing parameters are still adequately limited.

• Ensure that new data subjects are made aware of the processing of their personal information.

• Re-establish the rationale for any further processing where information is received via a third party.

• Verify the quality and security of personal information.

• Monitor the extend of compliance with POPIA and this policy.

• Monitor the effectiveness of internal controls established to manage the organisation’s POPI related compliance risk.

In performing the POPI Audit, Information Officers will liaise with line managers in order to identify areas within in the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of personal information. 

Information Officers will be permitted direct access to and have demonstrable support from line managers and the organisation’s governing body in performing their duties. 

10. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

Data subjects have the right to:

• Request what personal information the organisation holds about them and why.

• Request access to their personal information.

• Be informed how to keep their personal information up to date.

Access to information requests can be made by email, addressed to the Information Officer. The Information Officer will provide the data subject with a “Personal Information Request Form”.

Once the completed form has been received, the Information Officer will verify the identity of the data subject prior to handing over any personal information. All requests will be processed and considered against the organisation’s PAIA Policy.

The Information Officer will process all requests within a reasonable time.

11. POPI COMPLAINTS PROCEDURE

Data subjects have the right to complain in instances where any of their rights under POPIA have been infringed upon. The organisation takes all complaints very seriously and will address all POPI related complaints in accordance with the following procedure:

• POPI complaints must be submitted to the organisation in writing. Where so required, the Information Officer will provide the data subject with a “POPI Complaint Form”. 

• Where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 1 working day.

• The Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days.

• The Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner. In considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA.

• The Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the organisation’s data subjects.

• Where the Information Officer has reason to believe that the personal information of data subjects has been accessed or acquired by an unauthorised person, the Information Officer will consult with the organisation’s governing body where after the affected data subjects and the Information Regulator will be informed of this breach.

• The Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the organisation’s governing body within 7 working days of receipt of the complaint. In all instances, the organisation will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines.

• The Information Officer’s response to the data subject may comprise any of the following:

• A suggested remedy for the complaint,
• A dismissal of the complaint and the reasons as to why it was dismissed,
• An apology (if applicable) and any disciplinary action that has been taken against any employees involved.

• Where the data subject is not satisfied with the Information Officer’s suggested remedies, the data subject has the right to complain to the Information Regulator.

• The Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPI related complaints.

12. DISCIPLINARY ACTION

Where a POPI complaint or a POPI infringement investigation has been finalised, the organisation may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.

In the case of ignorance or minor negligence, the organisation will undertake to provide further awareness training to the employee.

Any gross negligence or the wilful mismanagement of personal information, will be considered a serious form of misconduct for which the organisation may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.

Examples of immediate actions that may be taken subsequent to an investigation include:

• A recommendation to commence with disciplinary action.

• A referral to appropriate law enforcement agencies for criminal investigation.

• Recovery of funds and assets in order to limit any prejudice or damages caused.

ANNEXURE A: PERSONAL INFORMATION REQUEST FORM

PERSONAL INFORMATION REQUEST FORM

Please submit the completed form to the Information Officer: Name Annemarie van Zijl Contact Number 013-752 6223 Email Address: annemarie@degoedeinsurance.co.za Please be aware that we may require you to provide proof of identification prior to processing your request.  There may also be a reasonable charge for providing copies of the information requested. A. Particulars of Data Subject Name & Surname Identity Number: Postal Address: Contact Number: Email Address: B. Request I request the organisation to:  (a) Inform me whether it holds any of my personal information   (b) Provide me with a record or description of my personal information (c) Correct or update my personal information (d) Destroy or delete a record of my personal information C. Instructions D. Signature Page Signature Date

ANNEXURE B: POPI COMPLAINT FORM

POPI COMPLAINT FORM

We are committed to safeguarding your privacy and the confidentiality of your personal information and are bound by the Protection of Personal Information Act. Please submit your complaint to the Information Officer: Name A van Zijl Contact Number 013-752 6223 Email Address: annemarie@degoedeinsurance.co.za Where we are unable to resolve your complaint, to your satisfaction you have the right to complaint to the Information Regulator. The Information Regulator: Ms Mmamoroke Mphelo Physical Address: SALU Building, 316 Thabo Sehume Street, Pretoria Email: inforreg@justice.gov.za Website: http://www.justice.gov.za/inforeg/index.html A. Particulars of Complainant Name & Surname Identity Number: Postal Address: Contact Number: Email Address: B. Details of Complaint C. Desired Outcome D. Signature Page Signature: Date

ANNEXURE C: POPI NOTICE AND CONSENT FORM

POPI NOTICE AND CONSENT FORM

We understand that your personal information is important to you and that you may be apprehensive about disclosing it. Your privacy is just as important to us and we are committed to safeguarding and processing your information in a lawful manner. We also want to make sure that you understand how and for what purpose we process your information. If for any reason you think that your information is not processed in a correct manner, or that your information is being used for a purpose other than that for what it was originally intended, you can contact our Information Officer.  You can request access to the information we hold about you at any time and if you think that we have outdated information, please request us to update or correct it. Our Information Officer’s Contact Details Name Contact Number Email Address: Purpose for Processing your Information We collect, hold, use and disclose your personal information mainly to provide you with access to the services and products that we provide. We will only process your information for a purpose you would reasonably expect, including: Providing you with advice, products and services that suit your needs as requested  To verify your identity and to conduct credit reference searches To issue, administer and manage your insurance policies To process insurance claims and to take recovery action To notify you of new products or developments that may be of interest to you To confirm, verify and update your details To comply with any legal and regulatory requirements Some of your information that we hold may include, your first and last name, email address, a home, postal or other physical address, other contact information, your title, birth date, gender, occupation, qualifications, past employment, residency status, your investments, assets, liabilities, insurance, income, expenditure, family history, medical information and your banking details.  Consent to Disclose and Share your Information We may need to share your information to provide advice, reports, analyses, products or services that you have requested.  Where we share your information, we will take all precautions to ensure that the third party will treat your information with the same level of protection as required by us. Your information may be hosted on servers managed by a third-party service provider, which may be located outside of South Africa. I hereby authorise and consent to the organisation sharing my personal information with the following persons:  Name & Surname Signature Date

ANNEXURE D: EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE 

EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE

“Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise. “POPIA” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time. The employer undertakes to process the PI of the employee only in accordance with the conditions of lawful processing as set out in terms of POPIA and in terms of the employer’s relevant policy available to the employee on request and only to the extent that it is necessary to discharge its obligations and to perform its functions as an employer and within the framework of the employment relationship and as required by South African law. The employee acknowledges that the collection of his/her PI is both necessary and requisite as a legal obligation, which falls within the scope of execution of the legal functions and obligations of the employer. The employee therefore irrevocably and unconditionally agrees: That he/she is notified of the purpose and reason for the collection and processing of his or her PI insofar as it relates to the employer’s discharge of its obligations and to perform its functions as an employer. That he/she consents and authorises the employer to undertake the collection, processing and further processing of the employee’s PI by the employer for the purposes of securing and further facilitating the employee’s employment with the employer.  Without derogating from the generality of the aforestated, the employee consents to the employer’s collection and processing of PI pursuant to any of the employer’s Internet, Email and Interception policies in place insofar as PI of the employee is contained in relevant electronic communications.   To make available to the employer all necessary PI required by the employer for the purpose of securing and further facilitating the employee’s    employment with the employer. To absolve the employer from any liability in terms of POPIA for failing to obtain the employee’s consent or to notify the employee of the reason for the processing of any of the employee’s PI. To the disclosure of his/her PI by the employer to any third party, where the employer has a legal or contractual duty to disclose such PI. The employee further agrees to the disclosure of his/her PI for any reason enabling the employer to carry out or to comply with any business obligation the employer may have or to pursue a legitimate interest of the employer in order for the employer to perform its business on a day to day basis. The employee authorises the employer to transfer his/her PI outside of the Republic of South Africa for any legitimate business purpose of the employer within the international community. The employer undertakes not to transfer or disclose his/her PI unless it is required for its legitimate business requirements and shall comply strictly with legislative stipulations in this regard. The employee acknowledges that during the course of the performance of his/her services, he/she may gain access to and become acquainted with the personal information of certain clients, suppliers and other employees. The employee will treat personal information as a confidential business asset and agrees to respect the privacy of clients, suppliers and other employees.  To the extent that he/she is exposed to or insofar as PI of other employees or third parties are disclosed to him/her, the employee hereby agree to be bound by appropriate and legally binding confidentiality and non-usage obligations in relation to the PI of third parties or employees. Employees may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the organisation or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties on behalf of the employer.

ANNEXURE E: SLA CONFIDENTIALITY CLAUSE

SLA CONFIDENTIALITY CLAUSE

“Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise. “POPIA” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.  The parties acknowledge that for the purposes of this agreement that the parties may come into contact with, or have access to PI and other information that may be classified, or deemed as private or confidential and for which the other party is responsible. Such PI may also be deemed or considered as private and confidential as it relates to any third party who may be directly or indirectly associated with this agreement. Further, it is acknowledged and agreed by the parties that they have the necessary consent to share or disclose the PI and that the information may have value.  The parties agree that they will at all times comply with POPIA’s Regulations and Codes of Conduct and that it shall only collect, use and process PI it comes into contact with pursuant to this agreement in a lawful manner, and only to the extend required to execute the services, or to provide the goods and to perform their respective obligations in terms of this agreement.    The parties agree that it shall put in place, and at all times maintain, appropriate physical, technological and contractual security measures to ensure the protection and confidentiality of PI that it, or its employees, its contractors or other authorised individuals comes into contact with pursuant to this agreement.   Unless so required by law, the parties agree that it shall not disclose any PI as defined in POPIA to any third party without the prior written consent of the other party, and notwithstanding anything to the contrary contained herein, shall any party in no manner whatsoever transfer any PI out of the Republic of South Africa.

ANNEXURE F: INFORMATION OFFICER APPOINTMENT LETTER

INFORMATION OFFICER APPOINTMENT LETTER

I herewith and with immediate effect appoint you as the Information Officer as required by the Protection of Personal Information Act (Act 4 of 2013). This appointment may at any time be withdrawn or amended in writing. You are entrusted with the following responsibilities: Taking steps to ensure the organisation’s reasonable compliance with the provision of POPIA. Keeping the governing body updated about the organisation’s information protection responsibilities under POPIA. For instance, in the case of a security breach, the Information Officer must inform and advise the governing body of their obligations pursuant to POPIA. Continually analysing privacy regulations and aligning them with the organisation’s personal information processing procedures. This will include reviewing the organisation’s information protection procedures and related policies. Ensuring that POPI Audits are scheduled and conducted on a regular basis. Ensuring that the organisation makes it convenient for data subjects who want to update their personal information or submit POPI related complaints to the organisation, to do so. For instance, maintaining a “contact us” facility on the organisation’s website. Approving any contracts entered into with operators, employees and other third parties which may have an impact on the personal information held by the organisation. This will include overseeing the amendment of the organisation’s employment contracts and other service level agreements.  Encouraging compliance with the conditions required for the lawful processing of personal information. Ensuring that employees and other persons acting on behalf of the organisation are fully aware of the risks associated with the processing of personal information and that they remain informed about the organisation’s security controls. Organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the organisation. Addressing employees’ POPIA related questions. Addressing all POPIA related requests and complaints made by the organisation’s data subjects. Working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter. I hereby accept the appointment as Information Officer  Name & Surname:  A van Zijl Signature:  A van Zijl Date:  30/4/2023

OWNERSHIP:

This manual is owned by DE GOEDE INSURANCE BROKERS

a duly authorised Financial Services Provider (hereunder referred to as the “FSP”).

As Key Individual of the aforementioned Financial Services Provider 

I, Annemarie van Zijl hereby confirm the adoption of this manual.

A van Zijl                                                                                               30/4/2023

Key Individual Signature                                                                           Date

 

        INTRODUCTION

The Promotion of Access to Information Act, 2000, PAIA gives effect to section 32 of the Constitution, which provides that everyone has the right to access information held by the State, as well as information held by another person (or private body) when such privately held information is required to exercise a right or to protect a right.

PAIA, provides that a person requesting information must be given access to any record of a private body, if that record is required for the exercise or the protection of a right. However, such request has to comply with the procedural requirements laid down by the Act.

This manual is compiled in accordance with Section 51 of PAIA and contains the following provisions:

• the FSP’s postal address, street address, phone and fax number and e-mail address.
• a short description of the guidance document on the application of the Promotion of Information Act and the process to be followed in order to obtain a copy of this guide (compiled by the Human Rights Commission in terms of section 10 of the Act).
• the process to be followed in order to access information held by the FSP. See Annexure B.
• a description of the typology of records held by the FSP (i.e. various information subjects held on each category type). See Annexure A.
•  description of the FSP’s information which are available in accordance with any other legislation.

           

2.   FSP CONTACT DETAILS 

013-752 6223                                                                            Phone Number

Fax Number

annemarie@degoedeinsurance.co.za                      e-Mail Address

22 Marloth Street, Nelspruit, 1201                           Physical Address

PO Box 2343, Nelspruit, 1200                                          Postal Address

           

3.    GUIDE ON THE PROMOTION OF ACCESS TO INFORMATION ACT (SECTION 10 GUIDE)

The guidance document on the application of the Promotion of Access to Information Act has been compiled by the South African Human Rights Commission. The guidance document has been developed in order to assist people to access records and to exercise their right to information. 

The guide is available in all South African official languages free of charge, and any person may request a copy of the guide. A copy of the guide may be obtained by contacting the South African Human Rights Commission at:

The South African Human Rights Commission

PAIA Unit

The Research and Documentation Department

Private Bag 2700

Houghton

2041

Telephone: 011 877 3600

e-Mail: paia@sahrc.org.za

Website: www.sahrc.org.za

4.    PROCEDURE FOR OBTAINING ACCESS TO INFORMATION

Any person who wishes to request any information held by the FSP in order to protect or exercise a right may contact the FSP’s information officer at the following contact details:

Annemarie van Zijl                                           Information Officer Name

013-752 6223                                                                             Phone Number

annemarie@degoedeinsurance.co.za                       e-Mail Address

22 Marloth Street                                                               Physical Address

Nelspruit

1201

PO Box 2343                                                                               Postal Address

Nelspruit

1200

A request for access to information must be made in the prescribed form to the information officer indicated above. See Annexure B for the prescribed form.

All required text fields on the annexed “Request for Information Form” must be completed in full and in a legible form. The form (as well as any additional pages attached thereto) must be signed by the person submitting the form. 

Once the “Request for Information Form” has been submitted, the information officer will notify the person who submitted the request of the prescribed fee (if any) payable before further processing the request.

A fee of R50 will be charged for access to any records. If the request is granted, the person who submitted the request will be accordingly notified and a further fee will be payable. The additional fee would be for the reproduction, preparation and time reasonably required to search for and prepare the disclosure. The person who submitted the request may lodge an application to court against the tender or payment of the fee.

An individual seeking access to a record containing their own personal information will not be charged a request fee.

A person submitting the request must:

• indicate the identity of the person seeking access to the information
• provide sufficient particulars to enable the information officer to identify the information requested
• specify the format in which the information is required
• indicate the contact details of the person requiring the information
• indicate the right to be exercised and/or to be protected, and specify the reasons why the information required will enable the person to protect and/or exercise the right
• where the person requesting the information wishes to be informed of the decision of the request in a particular manner, state the manner and particulars to be so informed 
• if the request for information is made on behalf of another person, submit proof that the person submitting the request, has obtained the necessary authorisation to do so

5.   TYPE OF RECORDS HELD BY THE FSP 

Request for access to documents held by the FSP will be in accordance with the Act. The type of records available to the person requesting the information are listed in Annexure A.

6.   RECORDS AVAILABLE IN TERMS OF OTHER LEGISLATION 

The person requiring the information may also request information which is available in terms of the following legislation:

• Administration of Estates Act
• Arbitration Act
• Auditing Professions Act
• Basic Conditions of Employment Act
• Collective Investment Schemes Control Act
• Companies Act
• Compensation for Occupational Injuries & Diseases Act
• Consumer Protection Act
• Copyright Act
• Electronic Communications and Transactions Act
• Employment Equity Act
• Financial Advisory & Intermediary Services Act
• Financial Institutions (Protection of Funds) Act
• Financial Intelligence Centre Act
• Financial Services Board Act
• Financial Services Ombud Schemes Act
• Friendly Societies Act
• Income Tax Act
• Insolvency Act
• Labour Relations Act
• Long-term Insurance Act
• Medical Schemes Act
• National Credit Act
• Occupational Health & Safety Act
• Pension Funds Act
• Prevention of Organised Crime Act
• Promotion of Equality and Prevention of Unfair Discrimination Act
• Protection of Constitutional Democracy against Terrorist and related Activities Act
• Short-term Insurance Act
• Skills Development Act
• Skills Development Levies Act
• South African Qualifications Authority Act
• Stamp Duties Act
• Trademarks Act
• Unemployment Insurance Act
• Value Added Tax Act

7.   GROUNDS FOR REFUSAL OF ACCESS TO RECORDS

The Promotion of Access to Information Act provides a number of grounds on which a request for access to information must be refused. These grounds mainly concern instances where the privacy and interests of other individuals are protected, where such records are already otherwise publicly available, instances where public interest are not served, the mandatory protection of commercial information of a third party, as well as the mandatory protection of certain confidential information of a third party.

A complete list of the grounds for refusal are indicated within Chapter 4 of the Act.

8.   MANUAL AVAILABILITY 

The manual is available for inspection at the FSP’s office free of charge. Copies of this manual is also available at the South African Human Rights Commission.

ANNEXURE A

             RECORD TYPOLOGY

Request for access to documents held by the FSP will be in accordance with the Act. The type of records available to the person requesting the information are listed hereunder

Administrative Records

These include, but are not limited to the following:

• the FSP’s license
• the FSP’s compliance manual
• the FSP’s policies 
• the FSP’s internal rules and procedures
• any personal records provided to the FSP by its personnel
• any records which a third party has provided to the FSP about any of its personnel

Human Resources Records

These include, but are not limited to the following:

• any personal records provided to the FSP by its personnel
• any records which a third party has provided to the FSP about any of its personnel
• conditions of employment and other personnel-related contractual and quasi-legal records
• internal evaluation and training records
• other internal records and correspondence

Client-related Records

These include, but are not limited to the following:

• advice records
• operational records
• databases
• information technology
• marketing records
• internal correspondence
• product records
• statutory records
• internal policies and procedures
• treasury-related records
• securities and equities
• records held by officials of the FSP

Financial Records

These include, but are not limited to the following:

• financial statements
• audit records
• assets inventory

Other Parties

The FSP may possess records pertaining to other parties, including without limitation, contractors, suppliers, subsidiary/holding companies, joint venture companies and other financial services providers. 

These records include:

• service level agreements
• financial records
• correspondence

Alternatively, such other parties may possess records which can be said to belong to the FSP. The following records fall under this category:

• personnel, client or FSP records which are held by another party
• records held by FSP pertaining to other parties, including without limitation:
  • financial records
  • correspondence
  • contractual records
  • records provided by the other party

ANNEXURE B

REQUEST FOR INFORMATION FORM

1.   PARTICULARS OF PERSON REQUESTING ACCESS TO INFORMATION

Full Names & Surname:                                                                                                                                                                       

Identification Number:                                                                                                                                                                        

Telephone Number:                                                                                                                                                                               

Fax Number:                                                                                                                                                                                              

e-Mail Address:                                                                                                                                                                                       

Postal Address:                                                                                                                                                                                       

                                                                                                                                                                                                                          

2.   PARTICULARS OF PERSON ON WHOSE BEHALF THE REQUEST IS MADE

Only complete this section if a request for information is made on behalf of another person

Full Names & Surname:                                                                                                                                                                       

Identification/Company Number:                                                                                                                                                 

3.   PARTICULARS OF REQUESTED INFORMATION

Provide full particulars of the information to which access is requested. If the provided space is inadequate, please continue on a separate page and attach it to this form. (please sign all additional pages)

Full Description:                                                                                                                                                                                       

                                                                                                                                                                                                                           

                                                                                                                                                                                                                           

                                                                                                                                                                                                                           

4.   FORMAT IN WHICH INFORMATION IS REQUIRED

Indicate the format in which the information requested is required. Please note that the request for access in the specified format may depend on the format in which the record is available. Access in the requested format may be refused under certain circumstances.

Specify Format:                                                                                                                                                                                        

                                                                                                                                                                                                                           

5.   RIGHT TO BE EXERCISED OR PROTECTED

Indicate the right that is to be exercised and/or protected and why the information is required to protect and/or to exercise this right. 

Specify Right & Reason:                                                                                                                                                                     

                                                                                                                                                                                                                           

6.   NOTIFICATION

You will be notified by e-mail and/or post whether your request has been approved or denied. If you wish to be informed in another manner, please specify the manner and provide the necessary particulars. 

Alternate method of Notification:                                                                                                                                                 

                                                                                                                                                                                                                           

Signed at  :____________________________on this  _________day of_____________________20_____

_____________________________________

Signature of person submitting the request