MANUAL IN TERMS OF THE PROMOTION OF ACCESS TO INFORMATION ACT,
2000 AND THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
- DEFINITIONS AND INTERPRETATION
1.1. Conditions for Lawful Processingmeans the conditions for the lawful processing of Personal Information as fully set out in Chapter 3 of POPIA and in paragraph 14 of this Manual;
1.2. Constitutionmeans the Constitution of the Republic of South Africa, 1996;
1.3. Customer/Client refers to any natural of juristic person that received or receives services from the Group of Companies;
1.4. Data Subject has the meaning ascribed thereto in Section 1 of POPIA;
1.5. Employee means any person who works for, or provides services to or on behalf of the Group of Companies, and receives or is entitled to receive remuneration and any other person who assists in carrying out or conducting the business of the Group of Companies, which includes, without limitation, directors, all permanent, temporary and part-time staff as well as contract workers;
1.6. Information Officer means the duly authorized persons as set out in paragraph 4;
1.7. Manual means this Manual prepared in accordance with Section 51 of PAIA and Regulation 4(1)(d) of the POPIA Regulations;
1.8. Group of Companies means the entities listed in paragraph 3.3;
1.9. PAIA means the Promotion of Access to Information Act 2 of 2000;
1.10. Personal Information has the meaning ascribed thereto in Section 1 of POPIA;
1.11. POPIA means the Protection of Personal Information Act 4 of 2013;
1.12. POPIA Regulations means the Regulations promulgated in terms of Section 112(2) of POPIA;
1.13. Private Body has the meaning ascribed thereto in Sections 1 of both PAIA and POPIA;
1.14. Record has the meaning ascribed thereto in Section 1 of PAIA and includes Personal Information;
1.15. Requestor has the meaning ascribed thereto in Section 1 of PAIA;
1.16. Request for Access has the meaning ascribed thereto in Section 1 of PAIA;
1.17. Responsible Party has the meaning ascribed thereto in Section 1 of POPIA;
1.18. SAHRC means the South African Human Rights Commission.
- INTRODUCTION
2.1. The Group of Companies operate within the fertilizer and retail environment and as such is a Private Body for purposes of POPIA and PAIA and accordingly has produced this Manual in compliance with both POPIA and PAIA. This Manual will replace any PAIA Manuals that were previously submitted to the SAHRC.
2.2. PAIA was assented to on 2 February 2000 and commenced on 9 March 2001 and the fundamental purpose of PAIA is to give effect to section 32 of the Constitution, being the constitutional right of access to any information held by the State or by a Private Body and that is required for the exercise or protection of any rights. Where a Request for Access is made in terms of section 50 of PAIA, the Private Body to which the request is made, is obliged to release the Record, except where PAIA expressly provides that Records may or must be withheld. PAIA sets out the requisite procedures to be followed by a Requester when making a Request for Access.
2.3. POPIA was assented to on 26 November 2013 and the purpose of POPIA is to give effect to section 14 of the Constitution, being the constitutional right to privacy by protecting Personal Information and regulating the free flow and processing of Personal Information. POPIA sets minimum limits which all responsible parties must comply with so as to ensure that Personal Information is respected and protected.
2.4. Both PAIA and POPIA recognise that the rights to access to information and privacy respectively may be limited in accordance with section 36 of the Constitution to the extent that such limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom.
2.5. The purpose of this Manual is to foster a culture of transparency and accountability in the Group of Companies and to give effect to both the constitutional right of access to information, where that information is required for the exercise or protection of a right, and the right to privacy in relation to the protection of Personal Information.
2.6. This Manual:
2.6.1. For purposes of PAIA, details the procedure to be followed by a Requester and the manner in which a Request for Access shall be facilitated; and
2.6.2. For purposes of POPIA, amongst other things, details the purpose for which Personal Information may be processed, a description of the categories of Data Subjects for whom the Group of Companies processes Personal Information as well as the categories of Personal Information relating to such Data Subjects and the recipients to whom Personal Information may be supplied.
2.7. This Manual is not exhaustive of, nor does it comprehensively deal with, every procedure provided for in both PAIA and POPIA and the Group of Companies make no representation and gives no undertaking or warranty that the information in the Manual is complete or accurate.
ACCESS TO INFORMATON IN TERMS OF THE PROMOTION OF ACCESS TO INFORMATION ACT 2 OF 2000
- THE GROUP of Companies consist of:
3.1. Afrifert (Pty) Ltd, with registration number: 2021/605477/07
3.2 Koedoeskop Kunsmis (Pty) Ltd, with registration number: 2021/701599/07
- THE GROUP OF COMPANIES CONTACT DETAILS
4.1. The Chief Executive Officer of the Group of Companies has delegated his powers in terms of PAIA and POPIA to the Information Officers and Deputy Information Officers set out below, to handle all requests on the Group of Companies’ behalf and ensure that the requirements of PAIA and POPIA are administered in a fair, objective and unbiased manner.
4.1.1. PAIA INFORMATION OFFICER
Name: Ms Lynette Douglas
Physical address: c/o Graham & Silver Lakes Road, Silver Lakes, Pretoria, 0081
Postal address: Postnet Suite 0618, Private Bag X37, Lynnwood Ridge, 0040
Telephone number: (012) 381 2800
4.1.2 POPIA INFORMATION OFFICER
Name: Ms Lynette Douglas
Physical address: c/o Graham & Silver Lakes Road, Silver Lakes, Pretoria, 0081
Postal address: Postnet Suite 0618, Private Bag X37, Lynnwood Ridge, 0040
Telephone number: (012) 381 2800
4.1.3 DEPUTY PAIA AND POPIA INFORMATION OFFICER
Name: Mrs Chantell Human
Physical address: c/o Graham & Silver Lakes Road, Silver Lakes, Pretoria, 0081
Postal address: Postnet Suite 0618, Private Bag X37, Lynnwood Ridge, 0040
Telephone number: (012) 381 2800
- THE SOUTH AFRICAN HUMAN RIGHTS COMMISSION
5.1. The SAHRC has published a guide pursuant to section 10 of PAIA (the “SAHRC Guide”), which guide contains such information as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA. The SAHRC Guide is available from the SAHRC in all the official languages of the Republic of South Africa.
5.2. Any enquiries with regard to the SAHRC Guide can be directed to:
SAHRC PAIA Unit (The Research and Documentation Department)
Private Bag X2700, Houghton, 2041
Tel:011-877 3600/011-887 3803
E-mail:section51.paia@sahrc.org.za
Website: www.sahrc.org.za
- INFORMATION AVAILABLE IN TERMS OF SECTION 51(1)(D) OF PAIA
Where applicable to its operations, the Group of Companies retains records and documents in terms of the legislation listed below:
Basic Conditions of Employment Act / No 75 of 1997
Broad Based Black Economic Empowerment Act / No 53 of 2003
Companies Act / No 71 of 2008
Compensation for Occupational Injuries and Diseases Act / No 130 of 1993
Competition Act / No 89 of 1998
Constitution of the Republic of South Africa / No 108 of 1996
Consumer Protection Act / No 68 of 2008
Criminal Procedure Act / No 51 of 1977
Debt Collectors Act / No 114 of 1198
Deed Registries Act / No 47 of 1937
Electronic Communications and Transactions Act / No 25 of 2002
Employment Equity Act / No 55 of 1998
Financial Advisory and Intermediary Services Act / No 37 of 2002
Financial Intelligence Centre Act / No 38 of 2001
Firearms Control Act / No 60 of 2000
Identification Act / No 68 of 1997
Income Tax Act / No 58 of 1962
Insolvency Act / No 24 of 1936
Inspection of Financial Institutions Act / No 18 of 1998
Intellectual Property Laws Amendment Act / No 38 of 1997
Labour Relations Act / No 66 of 1995
Long Term Insurance Act / No 52 of 1998
National Credit Act / No 34 of 2005
Occupational Health and Safety Act / No 85 of 1993
Pension Funds Act / No 24 of 1956
Petroleum Products Act / No 120 of 1977
Prescription Act / No 68 of 1969
Prevention of Organized Crime Act / No 121 of 1998
Promotion of Access to Information Act / No 2 of 2000
Protection of Personal Information Act / No 4 of 2013
Short Term Insurance Act / No 53 of 1998
Skills Development Levies Act / No 9 of 1999
Skills Development Act / No 97 of 1998
Trademarks Act / No 194 of 1993
Transfer Duty Act / No 40 of 1949
Unemployment Insurance Act / No 63 of 2001
Unemployment Insurance Contributions Act / No 4 of 2002
Value Added Tax Act / No 89 of 1991
- INFORMATION AVAILABLE IN TERMS OF SECTION 51(1)(C) AND (E) OF PAIA
Records that may be requested with prior application for access:
Incorporation documents :
- Memorandum of incorporation
- Certificate of incorporation
Statutory secretarial records :
- Company policies, rules and regulations
- Records of all subsidiary companies
- Shareholder’s agreements
- Share registers
- Minutes of shareholder meetings
- Resolutions
Policy documents :
- Corporate governance
- Ethics policy
Financial and tax records :
- Accounting records
- Details of external auditors
- External auditor’s reports
- Tax returns
- PAYE records
- Skills development levies records
- Other documents and agreements pertaining to tax
Banking details :
- Bank facilities and account details
- Bank statements
Human resources / employee records :
- List of employees
- Contracts of employment with directors, officers and employees
- Documents relating to employee benefits
- Expenditure or reimbursement agreements with employees
- Information pertaining to bonus, commission or profit sharing schemes or arrangements of each employee
- Compensation or redundancy payments
- Employee files
- Policies and procedures relating to appointments, dismissals and resignations
- Job profiles
- Training records of employees
- Attendance records at operating points and head office
- Disciplinary code and procedures
- Disciplinary records and documentation pertaining to disciplinary proceedings
- Arbitration orders and agreements
- Other information relating to employees
Pension and Provident Funds :
- Information regarding the processes and rules of the pension and/or provident funds
- List of employees who are members of pension and/or provident funds
- Minutes of meetings of trustees
Insurance records :
- Group life insurance
- Liability insurance
- Short term insurance
- Directors and officers liability insurance
- Claims records
Moveable and immovable property :
- Title deeds of land owned by the Group of Companies
- Mortgage bonds, notarial bonds or security interests on property
- Agreements for the lease or sale of land and/or other immovable property
- Asset registers
- Agreements for the lease of moveable assets
- Other agreements pertaining to the purchase, sale or hire of assets
Information technology :
- Computer software support and maintenance agreements
- Web site development, support and maintenance agreements
- Computer software license agreements
- Agreements with internet service providers and other telecommunications entities
- Other documents pertaining to computer systems and computer programs
Client related records :
- Agreements with clients
- Security agreements, deeds, guarantees, cessions and bonds
- Contact lists
- Correspondence with clients
- Transactional records including invoices, receipts, credit and debit notes
Internal and external communication :
- Publications in newspapers and magazines
- Press releases
- Other communication documents
Production, marketing and sales :
- Product specifications
- Promotional and marketing material
- THE REQUEST PROCEDURE
8.1 A Request for Access must be directed to the Information Officer or any authorized person. The Requester must use the prescribed form to request access to a Record. This must be made to the address or electronic mail address of the Information Officer.
8.2 The form must be adequately completed, with sufficient information and detail particularly to enable the Group of Companies to identify
– by whom the request is made
– exact reference to Records being requested
– access fee in the event that access is granted
8.3 The Requester should also indicate which form of access is required and
– the preferred language if applicable
– whether the Requester wishes to be informed of the decision in another manner in addition to a written reply
– an e-mail address and/or postal address
8.4 The Requester must indicate the right he wishes to exercise or protect and provide reasons or an explanation as to how the particular Record is relevant and required in order to exercise or protect the relevant right.
8.5 Requests made in a representative capacity or on behalf of another person, must be accompanied by proof of the capacity and/or mandate and/or authorization in this regard.
8.6 If an individual is unable to complete the prescribed form due to reasons relating to illiteracy or disability, such a person may make the request verbally.
8.7 The Requester must pay the prescribed fee before any further processing can take place.
- PROCESS OF REQUEST
9.1 When the Request is received by the Information Officer, such officer shall by notice require the Requester, other than a personal requester, to pay the prescribed fee (if any), before further processing of the Request.
9.2 The Group of Companies will, within 30 days of receipt of the Request make a decision and notify the Requester in the required form of its decision to grant or decline the Request. The 30 day period which the Group of Companies has to make a decision may be extended for a further period of not more than 30 days if the request is for a large number of information, or the request requires a search for information that is not held at the Group of Companies’s premises.
9.3 A Requester whose Request for Access to a Record has been granted, must pay an access fee for reproduction and for search and preparation, and for any time reasonably required in excess of the prescribed hours to search for and prepare the Record for disclosure including making arrangements to make it available in the requested form.
9.4 If the search for the Record has been made and the preparation of the Record for disclosure, including arrangements to make it available in the requested from, requires more than the hours prescribed in the regulations for this purpose, the Information Officer shall notify the Requester to pay as a deposit the prescribed portion of the access fee which would be payable if the request is granted.
9.5 The Information Officer shall withhold a Record until the Requester has paid the required fees.
9.6 If the Group of Companies searches for a Record and it is believed that the Record either does not exist or cannot be found, the Requester will be notified by way of an affidavit. This affidavit will indicate the steps that were taken to try to locate the Record.
- PRESCRIBED FORMS AND FEES
10.1 PAIA provides for two types of fees, namely:
– A request fee, which will be a standard fee
– An access fee, which must be calculated by taking into account reproduction costs, search and preparation time and cost, as well as postage.
10.2 The prescribed forms and fees are available on the website of the Information Regulator: PAIA Forms – Information Regulator (inforegulator.org.za)
- GROUNDS FOR REFUSAL OF ACCESS
The Group of Companies are entitled to refuse a Request for Access on the following grounds:
11.1 Mandatory protection of privacy of a third party who is a natural person, deceased person or a juristic person;
11.2 Mandatory protection of the commercial information of a third party if the record contains trade secrets of the third party, financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of that third party and information disclosed in confidence by a third party to the Group of Companies , if the disclosure could put that third party at a disadvantage in negotiations or commercial competition;
11.3 Mandatory protection of confidential information of third parties if it is protected in terms of any agreement;
11.4 Mandatory protection of the safety of individuals and protection of property;
11.5 Mandatory protection of Records that would be regarded as privileged in legal proceedings;
11.5 The commercial activities of the Group of Companies which may include trade secrets of the Group of Companies, financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of the Group of Companies, information which, if disclosed could put the Group of Companies at a disadvantage in negotiations or commercial competition, a computer program which is owned by the Group of Companies, and which is protected by copyright;
11.6 Requests for information that are clearly frivolous or vexations, or which involve an unreasonable diversion of resources.
11.7 A Requestor who is dissatisfied with the Information Officer’s refusal to disclose information, may within 30 (thirty) days of notification of the decision, apply to a court for relief.
PROTECTION OF PERSONAL INFORMATION IN TERMS OF THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013
- INTRODUCTION
12.1 Chapter 3 of POPIA provides for the minimum conditions of lawful processing or Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA. The eight conditions of lawful processing are described in POPIA as:
12.1.1 Accountability – the Responsible Party has an obligation to ensure that there is compliance with POPIA in respect of the processing of Personal Information;
12.1.2 Processing limitation – Personal Information must be collected directly from a Data Subject to the extent applicable, must only be processed with the consent of the Data Subject and must only be used for the purposes for which it is obtained;
12.1.3 Purpose specification – Personal Information must only be processed for the specific purpose for which it was obtained and must not be retained for any longer than it is needed to achieve such purpose;
12.1.4 Further processing limitation – further processing of Personal Information must be compatible with the initial purpose for which the information was collected;
12.1.5 Information quality – the Responsible Party must ensure that Personal Information held is accurate and updated regularly and that the integrity of the information is maintained by appropriate security measures;
12.1.6 Openness – there must be transparency between the Data Subject and the Responsible Party;
12.1.7 Security safeguards – a Responsible Party must take reasonable steps to ensure that adequate safeguards are in place to ensure that Employee information is being processed responsibly and it not unlawfully accessed;
12.1.8 Data Subject participation – the Data Subject must be made aware that their information is being processed and must have provided their informed consent to such processing.
12.2 POPIA requires the Group of Companies to inform its clients as to how their Personal Information is used, processes, disclosed and destroyed.
12.3 The Group of Companies guarantees its commitment to protecting the privacy of its clients and ensuring that their Personal Information is used appropriately, transparently, securely and in accordance with applicable legislation.
- PERSONAL INFORMATION COLLECTED BY THE GROUP OF COMPANIES
13.1 In terms of section 9 of POPIA Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
13.2 The Group of Companies collects and processes Personal Information of:
13.2.1 existing and potential clients for purposes of
– compliance with legislation
– verification of identity
– risk assessment
– credit assessment
– managing the relationship with the client
13.2.2 existing and potential employees for purposes of
– compliance with legislation
– verification of qualifications
– managing employer-employee relationship
13.3 Personal Information collected by the Group of Companies include, but are not limited to:
– identity number
– name
– surname
– address
– postal code
– marital status
– number of dependents
– description of client’s residence
– description of client’s business
– assets
– financial information
– banking details
– business activities
– personal views / preferences
– education and employment details
- HOW PERSONAL INFORMATION IS USED BY THE GROUP OF COMPANIES
14.1 Personal Information collected by the Group of Companeis will only be used for the purpose for which it was collected and to which the client agreed.
14.2 Purposes for which Personal Information may be used include, but are not limited to:
– Compliance with legal and regulatory requirements
– Support and management of employees
– Rendering services requested by clients
– Provision of value added services
– Provision of financial services and advice
– For underwriting purposes
– Assessing and processing claims
– Conducting credit reference searches and verification
– Confirming, verifying and updating client details
– For purposes of claims history
– For the detection and prevention of fraud, crime, money laundering and other malpractices
– Market research and statistical analysis
– For audit and record keeping purposes
– In connection with legal proceedings
– Use of CCTV systems to prevent and detect crime
14.3 In terms of section 10 of POPIA Personal Information may only be processed if the following conditions are met:
14.3.1 Client consents to the processing – consent is obtained from clients during the introductory, appointment and needs analysis stage of the relationship;
14.3.2 The processing is necessary – in order to conduct an accurate analysis of client needs for purposes of amongst other credit limits, insurance requirements etc. the processing of certain Personal Information is required;
14.3.3 Processing complies with an obligation imposed by legislation;
14.3.4 Processing protects a legitimate interest of the client – it is in the client’s best interest to have a full and proper needs analysis performed in order to provide them with an applicable and beneficial product or service, this requires obtaining and processing Personal Information;
14.3.5 Processing is necessary for pursuing the legitimate interests of the Group of Companies or of a third party to whom information is supplied – in order to provide the Group of Companie’s clients with products and or services both the Group of Companies and any of its product suppliers need certain Personal Information from the clients to make an expert decision on the unique and specific product and or service they require.
- DISCLOSURE OF PERSONAL INFORMATION
15.1 The Group of Companies may disclose clients’ Personal Information to any of its group companies or subsidiaries, joint venture partners and approved product or third party service providers whose services or products clients elect to use. The Group of Companies have agreements in place to ensure that they comply with confidentiality and privacy conditions.
15.2 The Group of Companies may share client Personal Information with, and obtain Personal Information about clients from third parties for reasons already discussed in 14.2 above.
15.3 The Group of Companies may also disclose client information where it has a duty or right to disclose in terms of applicable legislation, or where it may be necessary to protect its rights.
- PROTECTING CLIENT INFORMATION
16.1 It is a requirement of POPIA to adequately protect the Personal Information the Group of Companies holds and to avoid unauthorized access and use of the Personal Information of clients. The Group of Companies continuously reviews its security controls and processes to ensure that Personal Information held by it is secure.
16.2 The following procedures are in place in order to protect the Personal Information of clients held by the Group; of Companies:
16.1.1 The Group Information Officer, assisted by the Deputy Information Officer, is responsible for compliance with the conditions of the lawful processing of Personal Information and other provisions of POPIA;
16.1.2 A POPIA policy will be implemented throughout the Group of Companies and training on this policy and POPIA will be done on an annual basis;
16.1.3 Each new employee will be required to sign an employment contract containing relevant consent clauses for the use and storage of employee information, or any action so required, in terms of POPIA;
16.1.4 Every employee currently employed in the Group of Companies will be required to sign an addendum to their employment contracts containing relevant consent clauses for the use and storage of employee information, or any other so required, in terms of POPIA;
16.1.5 The Group of Companies’s archived client information is stored on site and is also governed by this policy;
16.1.6 The Group of Companies’s product suppliers, insurers and other third party service providers will be required to sign a service level agreement guaranteeing their commitment to the Protection of Personal Information;
16.1.7 All electronic files and data are backed up by the Group IT Division, who is also responsible for system security which protects third party access and physical threats. The Group IT Division is also responsible for electronic information security;
16.1.8 Consent to process Personal Information is obtained from clients (or a person who has been given authorization by the client to provide the client’s Personal Information) during the application stage of the relationship.
- ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
17.1 Clients have the right access the Personal Information about them that the Group of Companies hold.
17.2 Clients also have the right to request the Group of Companies to update, correct or delete their Personal Information on reasonable grounds.
17.3 Once a client objects to the processing of their Personal Information, the Group of Companies may no longer process said client’s Personal Information.
17.4 The Group of Companies will take all reasonable steps to confirm the identity of the client before providing details of their Personal Information or making changes to their Personal Information.