Protection of Personal Information (POPI) and Promotion of Access to Information (PAIA) Manual including the Practice Privacy Policy

1. Introduction

The Practice is a South African business that operates as a healthcare Professional. The Promotion of Access to Information Manual “Manual” provides an outline of the type pf records and the personal information it holds and explains how to submit requests to access to these records in terms of the Promotion of Personal Information Act 2 of 2000 (“PAIA Act”). In additional it explains how to access or object to personal information held by the company, or request correction of the personal information, in terms of the Protection of Personal Information Act 4 of 2013 (“POPI Act”). The PAIA and POPI Acts give effect to everyone’s constitutional right of access to information held by companies, if the record is required for the exercise or protection of any rights. Requests shall be made in accordance with the prescribed procedures, at the rates provided. The forms and Tariff are dealt with in section 5.

2. Practice Contact Details

Dr Merash Ramsammy
Suite G12, Mediclinic Kloof
Erasmuskloof, 511 Jochemus Street
Pretoria, 0048
Contact email: info@celestialneuro.co.za
Information Officer: Dr Merash Ramsammy

3. Company Records

3.1 Practice records availability

Departmental records Subject

• Financial Records
• Accounting records
• Annual Financial Report
• Annual Financial Statements
• Asset Registers
• Bank Statements
• Banking details and Bank accounts
• Banking records
• Debtors/creditors statements and invoices
• General ledger and subsidiary ledgers
• Invoices
• Tax returns
• Income Tax Records PAYE records & IRP5
• VAT
• SDL & UIF
• Workmen’s Compensation
• Personnel Address lists
• Disciplinary records
• Employment contracts
• Grievance procedures
• Leave records
• Payroll register
• Salary records
• Training records
• Procurement Standard terms and conditions for supply of services and products
• Contractor and client agreements
• List of suppliers, products, services, and distribution
• Marketing and Communications Events
• Emails
• Clients Client records
• Client interactions
• Client training
• Client presentations
• IT department Computer usage policy documentation
• Information security policies
• Software licenses
• System documentation and manuals

3.2 Description of records available in accordance with any other legislation

• Basic Conditions of Employment Act, No 75 of 1997
• Broad-Based Black Economic Empowerment Act, No 75 of 1997
• Companies Act, No 71 of 2008
• Compensation for Occupational Injuries & Diseases Act, 130 of 1993
• Constitution of the Republic of South Africa 2008; of 2005
• Employment Equity Act, No 55 of 1998
• Financial Intelligence Centre Act, No 38 of 2001
• Income Tax Act, No 58 of 1962
• Labour Relations Act, No 66 of 1995
• Occupational Health & Safety Act, No 85 of 1993
• Promotion of Access to Information Act, No 2 of 2000
• Protection of Personal Information Act, No. 4 of 2013
• Skills Development Levies Act No. 9 of 1999
• Unemployment Insurance Contributions Act 4 of 2002
• Unemployment Insurance Act No. 30 of 1966
• Health Professions Act 56 of 1974

4. The Information Officer

4.1 The Information Officer [Section 51(1)(b)]
The Act prescribes the appointment of an Information Officer for public bodies where such Information Officer is responsible to, inter alia, assess requests for access to information.

4.2 The head of a private body fulfills such a function in terms of section 51.

4.3 The Practice has appointed an Information Officer to assess such a request for access to information as well as to oversee its required functions in terms of the Act.

4.4 The Information Officer appointed in terms of the Act also refers to the Information Officer as referred to in the Protection of Personal Information Act 4 of 2013. The Information Officer oversees the functions and responsibilities as required for in terms of both this Act as well as the duties and responsibilities in terms of section 55 of the Protection of Personal Information Act 4 of 2013 after registering with the Information Regulator.

4.5 The Information Officer may appoint, where it is deemed necessary, Deputy Information Officers, as allowed in terms of section 17 of the Act as well as section 56 of the Protection of Personal Information Act 4 of 2013.

This is in order to render the Practice as accessible as reasonably possible for requesters of its records and to ensure fulfillment of its obligations and responsibilities as prescribed in terms of section 55 of the Protection of Personal Information Act 4 of 2013.

4.6 All requests for information in terms of this Act must be addressed to the Information Officer, see section 2 above.

5. Processing of Personal Information

5.1 The purpose of processing information

• To provide or manage any information, products and/or services requested by data subjects.
• To help us identify data subjects when they contact us.
• To maintain client/customer records.
• For recruitment purposes.
• For employment purposes.
• For general administration, financial and tax purposes.
• For legal or contractual purposes.
• For health and safety purposes.
• To monitor access, secure and manage our premises and facilities.
• To transact with our suppliers and business partners.
• To help us improve the quality of our products and services.
• To help us detect and prevent fraud and money laundering.
• To help us recover debts.
• To carry out analysis and customer profiling.
• To identify other products and services which might be of interest to data subjects and to inform them about our products and services.

5.2 Categories of data subjects and personal information processed.

5.3 Recipients or categories of recipients with whom personal information is shared.

• We may share the personal information of our data subjects for any of the purposes outlined in Section 4.1, with: the following:
• Our carefully selected business partners who provide products and services under one of our brands; and
• Our service providers and agents who perform services on our behalf.
• We do not share personal information of our data subjects with any third parties, except if:
• We are obliged to provide such information for legal or regulatory purposes.
• We are required to do so for purposes of existing or future legal proceedings,
• We are selling one or more of our businesses to someone to whom we may transfer our rights under any customer agreement we have with you.
• We are involved in the prevention of fraud, loss, bribery, or corruption.
• They perform services and process personal information on our behalf.
• This is required to provide or manage any information, products and/or services to data subjects; or
• Needed to help us improve the quality of our products and services.
• We will send our data subjects notifications or communications if we are obliged by law, or in terms of our contractual relationship with them.
• We will only disclose personal information to government authorities if we are required to do so by law.
• Our employees and our suppliers are required to adhere to data privacy and confidentiality principles and to attend data privacy training.

5.4 Information security measures to protect personal information.

• Reasonable technical and organisational measures have been implemented for the protection of personal information processed by the Practice. In terms of the POPI Act, operators are third parties that process personal information on behalf of the Practice.
• We continuously implement and monitor technical and organisational security measures to protect the personal information we hold, against unauthorised access, as well as accidental or wilful manipulation, loss, or destruction.
• We will take steps to ensure that operators that process personal information on behalf of the Practice, apply adequate safeguards as outlined above.

5.5 Trans-border flows of personal information

• We will only transfer personal information across South African borders if the relevant business transactions or situation requires trans-border processing and will do so only in accordance with South African legislative requirements; or if the data subject consents to transfer of their personal information to third parties in foreign countries.
• We will take steps to ensure that operators are bound by laws, binding corporate rules or binding agreements that provide an adequate level of protection and uphold principles for reasonable and lawful processing of personal information, in terms of the POPI Act.
• We will take steps to ensure that operators that process personal information in jurisdictions outside of South Africa, apply adequate safeguards as outlined in Section 4.4.

5.6 Personal information received from third parties.

• When we receive personal information from a third party on behalf of a data subject, we require confirmation that they have written consent from the data subject, that they are aware of the contents of this PAIA manual and the Practice Privacy Policy, and do not have any objection to our processing their information in accordance with this policy.

6. Prescribed Request Forms and Fees

6.1 Form of request

• To facilitate the processing of your request, kindly:
• Use the prescribed form.
• Address your request to the Information Officer.
• Provide sufficient detail to enable the Practice to identify:
  • The record(s) requested.
  • The requestor (and, if an agent is lodging the request, proof of capacity).
  • The email address of the requestor.
  • The form of access required.
  • The email address of the requestor.
  • If the requester wishes to be informed of the decision in any manner (in addition to written) the manner and particulars thereof.
  • The right which the requestor is seeking to exercise or protect with an explanation of the reason the record is required to exercise or protect the right.

6.2 Prescribed fees

• The following applies to requests (other than personal requests):
• A requestor is required to pay the prescribed fees (R50.00) before a request will be processed.
• If the preparation of the record requested requires more than the prescribed hours (six), a deposit shall be paid (of not more than one-third of the access fee which would be payable if the request were granted).
• A requestor may lodge an application with a court against the tender/payment of the request fee and/or deposit.
• Records may be withheld until the fees have been paid.

6.3 Access to prescribed forms and fees

Prescribed forms and fees are available from reception.

7. Remedies

7.1 Internal Appeal Procedures

The Practice does not have internal appeal procedures regarding PAIA and POPI Act requests. As such, the decision made by the duly authorized persons in section 2, is final.

7.2 Legal Relief

If a request is denied, the requestor is entitled to apply to a court with appropriate jurisdiction, or the Information Regulator, for relief.

Information Regulator (South Africa)
SALU Building, Hoofd Street, Forum III, 3rd Floor
Braampark
P.O. Box 31533
Braamfontein, Johannesburg
2017
Tel No. +27 (0) 10 023 5207
Cell No. +27 (0) 82 746 4173
Email: inforeg@justice.gov.za

8. Privacy Policy

8.10 Data Security

8.10.1 We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way. In addition, we limit access to your personal data to those employees, agents, contractors, and other third parties who have a legitimate need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

8.10.2 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8.11 Data Retention

8.11.1 We will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

8.11.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data, any other South African applicable law requiring us to retain the data and whether we can achieve those purposes through other means, and the applicable legal requirements.

8.11.3 Details of retention periods for different aspects of your personal data are available from us by contacting us.

8.11.4 In some circumstances you can ask us to delete your data; see below for further information.

8.11.5 In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

8.12 Your Legal Rights

8.12.1 Under certain circumstances, you have rights under data protection laws in relation to your personal data where we are the relevant “Responsible Party” over such personal data. Please contact us to find out more about, or manifest, these rights:

• 8.12.1.1 Request access to your personal data.
• 8.12.1.2 Request correction of your personal data.
• 8.12.1.3 Request erasure of your personal data.
• 8.12.1.4 Object to the processing of your personal data.
• 8.12.1.5 Request a restriction of processing your personal data.
• 8.12.1.6 Request transfer of your personal data; and/or
• 8.12.1.7 Right to withdraw consent.

8.12.2 You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

8.12.3 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

8.12.4 We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

8.13 Glossary

8.13.1 Lawful Basis

• 8.13.1.1 Legitimate Interest means the interest of our organisation in conducting and managing our organisation to enable us to give you the best service and the most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
• 8.13.1.2 Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering such a contract.
• 8.13.1.3 Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
• 8.13.1.4 Express consent means the confirmed express consent you have provided to our processing of your personal data by actively accepting this Privacy Policy.

8.13.2 Third Parties

• 8.13.2.1 Internal Third Parties means other entities or parties in the company group acting as joint controllers or processors and who are based in South Africa and provide IT and system administration services and undertake reporting.
• 8.13.2.2 External Third Parties means:
  • 8.13.2.2.1 Authorised third-party service providers under contract with the company who need your personal information in order to contact and transact with you pursuant to your use of the Services.
  • 8.13.2.2.2 Specific third parties who the company makes use of.
  • 8.13.2.2.3 Service providers acting as processors based in South Africa and other various jurisdictions who provide IT and system administration services.
  • 8.13.2.2.4 South African or other national governments and/or their respective authorities pursuant to our adherence with anti-corruption and crime-fighting legislation; and/or
  • 8.13.2.2.5 Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services as required.

8.14 Your Legal Rights

8.14.1 You have the right to request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

8.14.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

8.14.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no valid reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be communicated to you, if applicable, at the time of your request.

8.14.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

8.14.5 Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

• 8.14.5.1 If you want us to establish the data’s accuracy.
• 8.14.5.2 Where our use of the data is unlawful, but you do not want us to erase it.
• 8.14.5.3 Where you need us to hold the data even if we no longer require it as you need it to establish, exercise, or defend legal claims; or
• 8.14.5.4 You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

8.14.6 Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform on a contract with you.

8.14.7 Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Website access or Services to you. We will advise you if this is the case at the time you withdraw your consent. Please take note that regardless of your right to withdraw consent under the GDPR and POPI, other South African legislation applies and may require that we continue to process your data to comply with anti-corruption, crime-fighting, and/or other national legislation, which you expressly understand and agree to.