VN May 2017

Article I Artikel

POPI has arrived and no, I am not referring to your niece!

partner/owner/employer will have to prove that you have taken appropriate and reasonable steps to safeguard personal information.

Proposed guidelines to follow in order to prepare for the implementation of POPI (List is not exclusive)

Check your vehicles, homes, offices, etc. to determine whether you have any data (employee/customer/supplier) which could be construed as personal information and ask the following questions:

1. Whose personal information do I have?
2. Why do I need this personal information (what do I do with the personal information)? Personal information must only be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the practice concerned.
3. Why and how is the personal information processed (i.e. this covers all phases of a typical information management lifecycle – from collection to usage, sharing, disposal, archiving, etc.)? Ensure that the processing is adequate, relevant and not excessive given the purpose for which it is processed.
4. What checks and balances do I have in place to safeguard against the unauthorised disclosure of personal information? These checks and balances apply to all electronic and/or hand processing systems.
5. Do I need the consent of the data subject to process his/her/its information?
6. Do I have the data subject's consent?
7. Do I need to process the personal information further? It may be relevant if you, for example, wish to forward newsletters to a client.
8. With whom do I share the personal information, i.e. third parties – both locally and internationally, other legal entities – sometimes within the same group or company, etc.? Remember, POPI also applies to personal information sent to a foreign country.
9. If I do share personal information with a third party, does this third party comply with POPI? For example, the practice outsources its payroll to VIP. VIP's processing systems must be compatible with the purpose for which the data was initially collected, namely the payment of salaries and PAYE, employment equity, etc.
10. Do I allow a "data subject" access to his/her personal information when requested to do so? POPI allows "data subjects" to make certain requests, free of charge, to organisations holding their PI.
11. How long do I retain records and how do I delete/destroy such records? (Retain records for the required periods and then delete, destroy or de-identify them as soon as the purpose for collecting the information has been achieved, unless you have a valid reason for keeping such a record, for example another Act of Parliament.)
12. Do I disclose personal information to third parties who request such information? For example, your employee wishes to buy furniture and the furniture shop contacts you to enquire:
    - Whether the employee works for you
    - His salary
    - Date of employment
    - Any other information that you believe is relevant, for instance whether there are any garnishing orders against the employee’s salary
    - Whether the employee is permanently or temporarily employed?
13. Do my employees know what is expected of them in order to comply with POPI?
14. Do I address the requirements of POPI in all my agreements (employees/clients/providers/etc.)?

For example, a clause relating to POPI should be included in contracts of employment giving you as an employer inter alia consent to:
- collect, utilise and retain his/her personal information for employment purposes, including but not limited to identity and/or passport number, date of birth, age, gender, race, driver’s license, contact details (physical and e-mail addresses/telephone/cell phone number), marital status, education information, employment history, salary and tax information, photos, physical and mental health information (if an operational requirement) and fingerprints;
- forward his/her personal information to specific third parties, for example XX Pension Fund, YY Medical Aid and SARS.

Some Practice tips:
(a) Ensure that laptops, cell phones, iPads, etc. are secured when you remove them from your work premises, especially whilst in your vehicle.
(b) Incidents which may result in personal information being compromised must be reported as soon as possible.
(c) Be careful when personal information is forwarded by fax or email.
(d) Follow the set procedure when storing or destroying personal information. Do not discard documents in a rubbish dump.
(e) When you receive a request by a third party, irrespective of whether the third party is a family member of the data subject, or a local authority, government department or the police, to disclose another person/legal entity’s personal information, tread with caution.
    (i) A key point to consider is whether the disclosure is relevant to and necessary for the conduct of the practice’s business. For example, it would generally be appropriate to disclose a veterinarian’s work
