PROTECTION OF PERSONAL INFORMATION

1. PURPOSE

The NID (National Institute for the Deaf) believes that, in accordance with the POPI Act, the protection of personal information is essential in achieving professional service delivery which meets our staffs and clients’ expectations.

2. DEFINITION:

Personal Information as stated in the POPI Act:

“Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person.
2. Information relating to the education or the medical, financial, criminal or employment history of the person.
3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other assignment to the person.
4. The biometric information of the person.
5. The personal opinions, views, or preferences of the person.
6. Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence.
7. The views or opinions of another individual about the person.
8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

3. ACCOUNTABILITY:

The person responsible to ensure that the conditions and all the measures set out in the Act that give effect to such conditions, are complied with at the time of the determining the purpose and means of the processing. The appointed person at the NID with this responsibility is the CRO.

The following employees of the NID are appointed to take responsibility for the sharing of personal information with the necessary written consent:

Head Office:

• Financial Manager
• Resource Officer
• Executive Assistant of CEO

Care:

• Senior Social Worker
• Senior Finance Officer
• Head Nurse
• Staff Nurse

Training:

• Co-Ordinator Training Finance & Resources
• Co-Ordinator: Accreditation & Programmes
• Co-Ordinator: Student Affairs

ISS:

• Support Co-Ordinator
• Social Worker

Development:

• Development Officer

4. PROCESSING LIMITATION:

Personal information may only be processed in a fair and lawful manner and only with the consent of the data subject. To use existing personal information for any other purpose other than what the information was gathered for, confirmation will be required from the Data Subject again. When gathering information, the NID will advise the Data Subject what the information will be used for and for what period the information will be hold.

5. PURPOSE SPECIFIC

Personal information may only be processed for specific, explicitly defined, and legitimate reasons taking the following into account:

1. The purpose must be documented and adhered to. Each Department of the NID must create a personal information inventory stipulating the following information:
• Whose personal information is hold
• Why it is hold
• Under which lawful basis
• How long it is kept
• Where it is kept
• Who the information is shared with
2. Data Subject has the right to know what information you have and for what purpose it was gathered.
3. Personal information may only be used for the specific purpose for which it was gathered and thereafter it must be destroyed after a period of 5 years after the last date of used.
4. Required to account for what information is hold, for what purpose it was gathered and a date that that information must be destroyed.
5. Personal Information will be destroyed, by means of shredding to prevent its reconstruction, after the NID are no longer authorized to retain such records.

6. INFORMATION QUALITY

By obtaining information directly from the data source, accuracy is more probable. It is always advisable to validate the personal information as it is being captured. To automatically check the accuracy of information on a regular basis, a validation request should be sent to the data subjects annually.

7. OPENNESS

The data subject whose information are collecting must be aware that such personal information is collected and for what purpose the information will be used. At the time that the personal information is gathered, the Data Subject must be advised of his/her rights to complain to the CRO if misuse is suspected. The CRO information and contact details must be provided to the Data Subject.

The Data Subject must be advised of his / her right to access his / her information and to object to the processing of the information.

8. SECURITY SAFEGUARDS

Personal information must be kept secure against the risk of loss, unlawful access, interference, modification, unauthorized destruction, and disclosure. The following procedures should be adhered to:

1. All personal information should be kept in a safe place that should be always locked.
2. All personal information that are kept on computer should be password protected.
3. The necessary firewall is in place to prevent unlawful access to the NID server.
4. Only employees of the NID who need to have access to the information to be able to properly perform their duties will be granted access.
5. The NID, in terms of a written contract between the NID and a 3rd party, ensure that the 3rd party maintains the required security measures. The 3rd party must advise immediately if there is the possibility that personal data has been accessed or acquired by any unauthorized person.
6. The Data Subject must be advised via e-mail or in writing immediately if it is suspected that their personal information has been accessed by unauthorized persons. Sufficient information must be provided to allow the Data Subject to put measures in place to safeguard themselves against potential consequences of the security compromise.
7. The CRO must be informed in the event of a security breach where personal information could be compromised.
8. Donor information is kept in a donor database.
9. Information supplied to the NID by donors will be used solely to fulfill their donation and shall not be shared for any reason unless permission is granted by the donor to share such information.
10. All special requests and donor preferences will be honored e.g. remain anonymous; remove from mailing list or any other requests.
11. NID do not disclose, sell, or share donor lists.
12. Donors who supply NID with their postal address or email address are contacted periodically for solicitation purposes and/or with information regarding upcoming events.

9. DATA SUBJECT PARTICIPATION

Data subjects may request whether their personal information is held safely, as well as the correction and/or deletion of any personal information held about them. The Data Subject has the right to access and correct the personal information that the NID hold. They also have the right to withdraw consent at any time.