POPIA

WIT DEEP PRIMARY SCHOOL

POLICY ON THE PROTECTION OF PERSONAL INFORMATION (POPIA)

  1. Introduction

This document is the policy on the protection of personal information of Wit Deep Primary, as approved by the school governing body on 21 June 2022. The policy has been drafted in accordance with the Constitution of the Republic of South Africa, 1996; the Protection of Personal Information Act 4 of 2013 (POPIA); the Promotion of Access to Information Act 2 of 2000; the South African Schools Act 84 of 1996; and other applicable legislation on school education.

As public bodies, schools have to comply with POPIA. The act requires public bodies to inform data subjects of the manner in which their personal information is used, disclosed, and destroyed.

Wit Deep Primary School is committed to protecting the privacy of all data subjects, and ensuring that their personal information is used appropriately, transparently, securely and in accordance with applicable laws.

This policy sets out the manner in which Wit Deep Primary deals with personal information and stipulates the purpose for which said information is used.

  2. Definitions

For purposes of this policy, the following terms are assigned the meanings as indicated:

“Biometric information” means information obtained through a technique of personal identification that is based on physical, physiological or behavioral characterization, including blood-typing, fingerprinting, DNA analysis, retinal scanning and voice recognition.

“Competent person” means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child.

“Data subject” means the person to whom personal information relates.

“Deputy Information officer” is the vice-principal.[1]

“Employee” refers to a staff member appointed at the school in terms of sections 20(4) and (5) of the South African Schools Act 84 of 1996.

“Employer” refers to (school).

“Information officer” is the school principal.

“Personal information” means information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including but not limited to —

(a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

(b) information relating to the education or the medical, financial, criminal or employment history of the person;

(c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;

(d) The biometric information of the person;

(e) The personal opinions, views or preferences of the person;

(f) Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;

(g) The views or opinions of another individual about the person; and

(h) The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.

“Processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including —

(a) The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use thereof;

(b) Dissemination by means of transmission, distribution or making available in any other form; or

(c) Merging, linking, as well as restriction, degradation, erasure or destruction of information.

“Record” means any recorded information —

(a) Regardless of its form or medium, including any of the following:

(i) Writing on any material

(ii) Information produced, recorded or stored by means of any tape recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored

(iii) A label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means

(iv) A book, map, plan, graph or drawing

(v) A photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced

(b) in the possession or under the control of a responsible party;

(c) whether or not it was created by a responsible party; and

(d) regardless of when it came into existence.

“Responsible party” means the governing body of Wit Deep Primary School, which determines the purpose of and means for processing personal information.

  3. Application of the policy

This policy applies to all personal information collected from all data subjects with whom the school interacts, including but not limited to parents, learners, educators, other staff members, contractors and other third parties who conclude any type of agreement or contract with the school.

The collection of personal information

Personal information may be processed only if, given the purpose for which it is processed, such processing is adequate, relevant, not excessive, and in accordance with the relevant provisions of POPIA. The purpose must relate to a function or an activity of the school.

Wit Deep Primary School collects and processes personal information pertaining to the proper functioning, management and governance of the school, as prescribed in the South African Schools Act and other relevant education legislation and policies.

The type of information collected and processed will depend on the purpose for which it is collected, and any such information will be processed for that purpose alone. The school will inform the data subject of the information required, whether or not the supply of the information by that data subject is voluntary or mandatory, the purpose for which the information is to be processed, and the consequences of not providing the information.

The school will see to it that agreements are in place with all product suppliers, insurers and third-party service providers to ensure a mutual understanding of the protection of a data subject’s personal information.

For purposes of this policy, any references to data subjects include both potential and existing data subjects.

The processing and use of personal information

Personal information will be processed (a) lawfully, and (b) in a reasonable manner that does not infringe the privacy of the data subject.

A data subject’s personal information will be used only for the purpose for which it was collected. The overall purpose of data collection, processing and use by the school is to ensure that the school is governed and managed in accordance with the principles and prescripts stipulated in the South African Schools Act and other applicable education legislation and policies.

Personal information may be processed only if these conditions are met:

(a) If the data subject consented to the processing of the personal information beforehand. Consent is obtained from parents/guardians through the signing of the applicable consent form at the beginning of the academic year. Where the data subject is a child, the consent must be given by a competent person.

(b) If processing is necessary to carry out actions in order to conclude or perform a contract to which the data subject is a party.

(c) If processing complies with a legal obligation imposed on the school.

(d) If processing protects a legitimate interest of the data subject.

(e) If processing is necessary for the school’s proper exercising of a public law duty.

(f) If processing is necessary for pursuing the legitimate interests of the school or a third party to whom the information is supplied.

Unless legislation provides for the processing of personal information, a data subject may object to such processing in terms of subparagraphs (d) to (f) above, in the prescribed manner and on reasonable grounds relating to the particular situation, in which case the school may no longer process the information.

The school will not process personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, unless processing is carried out with the data subject’s consent or is necessary for the establishment, exercise or defence of a right or obligation in law, or the information has deliberately been made public by the data subject. The school may however process personal information concerning a learner’s health or sex life if such processing is necessary to provide special support to learners or to make special arrangements in connection with their health or sex life.

Disclosure of personal information

The information officer will refuse a third party’s request for access to a record held by the school if its disclosure would involve the unreasonable disclosure of personal information about a data subject.

A data subject, having provided adequate proof of identity, has the right to request the school —

(a) to confirm whether or not it holds personal information about the data subject; and

(b) to supply the record or a description of the personal information so held, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information. This request must be made within a reasonable time; at a prescribed fee, if any; in a reasonable manner and format, and in a form that is generally understandable.

A data subject may request the school to —

(a) correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully; or

(b) destroy or delete a record of personal information about the data subject that the school is no longer authorised to retain.

On receipt of a request, the school will, as soon as reasonably practicable —

(a) correct the information;

(b) destroy or delete the information; or

(c) provide the data subject, to his or her satisfaction, with credible evidence in support of the information.

The school will notify the data subject of the action taken as a result of the request.

Safeguarding personal information

The school is legally required to adequately protect personal information. Therefore, the school will continually review its security controls and processes to ensure that personal information is secure.

The following procedures are in place to protect personal information:

  • Each new employee is required to sign an employment contract containing relevant consent clauses for the use and storage of employee information or any other action so required in terms of legislation, as well as an undertaking and agreement that (s)he will not, during or after the period of service to the school, convey any personal information of any data subject collected by the school to any third party.
  • Every employee currently employed at the school is required to sign an addendum to their employment contract containing relevant consent clauses for the use and storage of employee information or any other action so required in terms of legislation, as well as an undertaking and agreement that (s)he will not, during or after the period of service to the school, convey any personal information of any data subject collected by the school to any third party.
  • Where feasible, all servers hosting personal information shall be located in a physically secure environment, where access is strictly controlled. All server rooms shall be regarded as high-risk security areas with strict access control.
  • All servers shall be equipped and protected with approved antivirus software. The designated information technology (IT) service provider or the school’s IT specialist shall regularly install patch updates and upgrades.
  • Only an authorised administrator shall be granted administrative rights to the servers. Administrative passwords shall be kept secret and changed on a regular basis, and only personnel nominated at the discretion of the executive committee of the governing body shall have access to the passwords.
  • Third-party service providers will be required to sign a service provider agreement guaranteeing their commitment to the protection of personal information.
  • All electronic files or data are backed up by EDUPAC, which is also responsible for system security to protect against third-party access and physical threats. EDUPAC is responsible for electronic information security.
  • If the school has reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, the school will notify the data subject of such breach in accordance with sections 22(4) and (5) of POPIA.

Retention and restriction of records

Records of personal information will not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless —

  • retention of the record is required or authorised by law;
  • the responsible party reasonably requires the record for lawful purposes relating to its functions or activities;
  • retention of the record is required by a contract between the parties thereto; or
  • the data subject or, where the data subject is a child, a competent person has consented to the retention of the record.

The school will destroy, delete or de-identify a record of personal information as soon as is reasonably practicable after the school is no longer authorised to retain the record. This will be done in a manner that prevents reconstruction of the information in an intelligible form.

See Annexure A for a list of prescribed retention periods.

The school will restrict the processing of personal information in accordance with section 14(6) of POPIA.

Access to documents held by the school

Any request for access to a document held by the school must be dealt with in accordance with the school’s manual in terms of the POPIA, which contains the prescribed forms as well as details of prescribed fees. This manual is available from the school principal or the school’s website.