POPIA Privacy Notice
INTRODUCTION
This privacy notice has been adopted as part of the Personal Information Protection Compliance Framework of Bishops Diocesan College (“Bishops” / “the School” / “we” / “us”), in terms of the Protection of Personal Information Act 4 of 2013 (“POPIA”).
During your interactions with us, it may happen that we need to process some information about you which may constitute personal information for purposes of POPIA, which may include accessing it, storing it, merging it with other information, deleting or destroying it, and possibly sharing it with third parties.
In terms of section 18 of POPIA we are required to bring to your attention certain matters relating your personal information, which we set out in this notice document. By interacting with Bishops and providing your personal information to us, you acknowledge that you have read and understood this notice and have agreed to the contents hereof. You furthermore authorize us to take any of the actions described herein insofar as your personal information, or that of your child, is concerned.
TERMS USED IN THIS NOTICE
Below is a list explaining some of the commonly used terms in this privacy notice:
Data Subject |
The person whose personal information is being processed by or on behalf of Bishops. |
Information Officer |
The person internally tasked with ensuring compliance by the Responsible Party, provided that such role may have been delegated to one or more Deputy Information Officers. |
Information Regulator |
The office established in terms of POPIA to oversee the implementation of, and compliance with POPIA. |
PAIA |
The Promotion of Access to Information Act 2 of 2000. |
Personal Information |
Any information that pertains to an identifiable Data Subject. POPIAA lists many examples. These include things like contact information, information about a person’s identity, health, religion, education, employment, biometric data, etc. |
POPIA |
The Protection of Personal Information Act 4 of 2013. |
Processing |
The actions taken in respect of Personal Information by the Responsible Party or on their behalf. This includes most forms of interaction with the records containing such information, such as creating new records, transmitting information, storing it, updating it and deleting or destroying it. |
Operators |
Third party service providers who process personal information on behalf of Bishops. |
Responsible Party |
The person who decides the reason and means by which personal info will be processed. In the context of this privacy notice, Bishops is the Responsible Party. |
Special Personal Information |
Certain types of personal information are classified as “special”, which means in most cases that their processing is restricted and subject to additional requirements. Most relevant for the purposes of this privacy notice is information relating to children. Other categories that are classified as “special” include information about a Data Subject’s religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information or criminal record. |
WHAT POPIA REQUIRES OF BISHOPS
This privacy notice constitutes Bishops’s commitment to uphold the following conditions when working with your Personal Information:
Accountability
We are committed to fulfilling our requirements in respect of implementing POPIA at Bishops. This includes:
- Encouraging compliance within Bishops.
- Handling information requests.
- Co-operating with the Information Regulator if there is an investigation or query.
- Taking such other measures as may be prescribed by regulation.
Limitations on processing
This condition is aimed at ensuring that processing of Personal Information is as limited as possible, with reference to the purpose for which it is processed. It requires that:
- Processing must be done in a lawful manner (i.e. comply with POPIA or other applicable laws) and in a reasonable manner, which does not unreasonably infringe on the Data Subject’s privacy.
- The extent of the Personal Information that is processed must be limited to such information as is relevant, adequate and not excessive in relation to the reason for processing the information.
- Personal Information may be processed if necessary in order to provide a service to a Data Subject, or if they consent to its processing. The Data Subject may withdraw this consent, but it may then become impossible to provide them with services.
- Lastly, as far as reasonably possible, Personal Information must be collected directly from the Data Subject to whom it pertains and not from third parties, although this is subject to other applicable laws (e.g. FICA), which may require verification with third parties.
Reasons for processing
This condition relates to the purpose for which personal information is being processed. In most cases, a Responsible Party must explain to the Data Subject, what their reason is for needing the information and what they are going to use it for.
Quality of information
A Responsible Party is required to take “reasonably practicable” steps to ensure that the information it processes is complete, accurate, not misleading and updated where necessary, with reference to the purpose for which the information is being processed. In other words, reasonable systems must be put in place to make it as simple and easy as possible to keep information accurate and up to date.
Notices and communication
This condition relates to communication and notifications to Data Subjects, which helps them to understand what their information is being used for and how to exercise their rights in respect of their information. That is the purpose of this privacy notice.
Security
A Responsible Party is required to take “appropriate, reasonable technical and organisational measures” to prevent loss, damage, unauthorized destruction and unauthorized access to or processing of personal information.
Where a Responsible Party allows information to be processed by an Operator in its behalf, it is required to have a written contract with such Operator, wherein the Operator agrees to comply with the same security requirements as the Responsible Party.
In the event of a suspected data breach, a Responsible Party is required to notify the Information Regulator, as well as Affected Data Subjects.
Participation
This condition relates to a Data Subject’s rights to access Personal Information about them and to request corrections, deletion or destruction thereof. The manner in which information may be requested is actually not regulated by POPIA, but by PAIA, which is why POPIA requires responsible parties to prepare or update their PAIA manuals.
PROCESSING OF PERSONAL INFORMATION AT BISHOPS
Information that we process
We process various types of information relating to various Data Subjects, which will differ depending on your relationship with Bishops.
Please refer to Schedule 1 of this notice for a breakdown of the Personal Information commonly processed by Bishops.
How we process it
We process personal information by way of digital and physical means. Certain information is processed only by digital means – especially if it was provided to us only in digital format or using one of our digital platforms – and is subject to the safeguards contained in our IT policies. Other information is captured manually by way of standard application forms. These records are kept in physical format and secured physically, in accordance with the Physical Information Security Policy. Such information is also captured digitally and stored on our digital infrastructure in accordance with the provisions of our IT security policies.
Reasons for processing personal information and consequences of not doing so
The proper functioning of Bishops as an independent school requires us to process certain personal information. This could be for any of the following reasons:
- To provide the educational services, extra-mural activities, accommodation, functions and events, sports and related services forming part of the ordinary course of the operations of an independent school.
- To provide employment to our employees and to interact with them in the context of the employment relationship.
- To engage with parents of students currently enrolled at the school, or with prospective parents and their children, or with past students, in the context of the operations of the school.
- To market Bishops to the existing school community and to prospective parents and students.
- To procure services and manage relationships with service providers.
- To provide legally required academic and statistical information to Government and other relevant oversight bodies.
- Any other reason which is integral to our functioning properly as an independent school.
If requested Personal Information is not provided to us, we may not be able to properly fulfil the above-mentioned functions, which may result in the relevant interaction being interrupted, or Bishops not engaging in such interaction at all, in the sole discretion of Bishops. We accept no responsibility for any such interruptions if Personal Information was requested by us but not provided.
Where we may obtain your personal information from
In most cases, we will request your personal information directly from you. However, in some cases we may need to obtain it from third parties. This will be the case if you have authorized us to do so, or where the nature of our interaction with you reasonably requires us to do so. If we process your personal information on behalf of a third party – for example where your spouse or your parent have provided us with such information – then we do so on their express authorisation and on the understanding that they have obtained your consent, or that they have the legal authority to provide us with your Personal Information.
We may also be legally required to independently verify some of the information provided to us in terms of applicable anti-terrorism and anti-money laundering legislation (including, but not limited to, the Financial Intelligence Centre Act 38 of 2001, as amended), which may include our accessing government or public directories in order to obtain certain personal information about you.
In some cases, especially if you are an organisation, we may need to obtain personal information relating to third parties (such as your office bearers or employees) from you. You hereby warrant that you have the express and informed consent of such third parties to provide us with any such information and indemnify us against any liability to such third parties, or any other party, as a result of a lack of such authorization.
If you are a parent or legal guardian of a learner who is younger than 18, you hereby consent to our processing the Personal Information of your child for the reasons set out above. If you are a pupil whose parents previously consented to our processing of your Personal Information and you have subsequently turned 18, you hereby confirm that your parents’ previous consent remains valid, unless you specifically withdraw your consent.
Where we need to process information classified as “special” personal information (e.g. medical information or information relating to children) for any of the reasons specified above, you hereby consent to our processing of such special personal information.
Note that if your child applies to enroll at the school and has previously been a pupil at another school, we may obtain any personal information relevant to their time at their previous school, including, but not limited to their academic and disciplinary record, from the previous school.
Sharing of your personal information with third parties
We may need to share your Personal Information with third parties. In general, this is limited to transmitting or storing such information through, or on, electronic communication and storage infrastructure administered by third party service providers, which is subject to reasonable security safeguards. However, depending on the nature of our interaction with you, we may need to share some of your Personal Information with other third parties. For example, all schools are legally required to submit information about their learners, exam results and similar information to Government for statistical purposes.
Please note that we may, with permission, share a pupil’s information with the ODU when the pupil matriculates. The ODU is a separate legal entity to Bishops and its processes Personal Information for its own benefit and that of its members. Any Personal Information that we share with the ODU on your instructions are accordingly not processed by Bishops or on our behalf and are subject to the custodianship and control of the ODU. We accordingly accept no responsibility for the ODU’s processing of your Personal Information.
Also note that, in the event of a transfer to another school, we may share a pupil’s personal information, including, but not limited to, their academic and disciplinary record, with the new school on request of such school.
As provided for in our Acceptance of Place agreement, we may share a pupil’s personal information within the Bishops community by way of publication in our various newsletters and intranet, relating to their sports, academic or other notable achievements and do not require additional consent to do so, provided that a pupil or their parents may at any time request for their personal information not to be published in this manner.
We periodically receive requests from prospective employers of our alumni for some of their school records. Where such records are still available, we may share such information with such prospective employers, with your permission. We will contact you in the event of receiving such a request.
Should you be in arrears with fees that are due and owing to us, we may share your contact, identity and financial information with our authorized representatives for purposes of recovering the debt due to us.
Information leaving the country
We may need to transmit your Personal Information to a location outside of the country, where it may be processed by third parties. This may, for example, happen when we are communicating with you while you are not in the country. It may also happen where our backup infrastructure is located in, or administered from another country. In such cases, the transmission and processing of such information is subject to the provisions of s72 of POPIA, meaning that the third party to which we may transmit your information will either be subject to laws, or a contract with us, or corporate binding rules, which requires them to employ the same reasonable safeguards in respect of your Personal Information that we are required to comply with in terms of POPIA.
Retention of your personal information
In general, we only retain your personal information for the duration of our interactions with you and for a reasonable period thereafter, in order to facilitate further similar interactions. We are, however, in some cases legally required to keep certain information for specific periods of time, which usually does not exceed a period of 5 years. Please refer to Schedule 2 of this policy for instances where specific retention periods apply.
Information that we retain for marketing or statistical purposes may be retained indefinitely, provided that you have authorised us to use the information for marketing purposes or, in the case of use for statistical purposes, that the information has been anonymized.
Please note that, as a school with a rich history and culture, we do retain Personal Information relating to important or historical school events, including significant sporting, cultural, academic and other achievements of our students, for an indefinite period, for historical and archival purposes, subject to Data Subjects’ rights to ask us to destroy any Personal Information relating to them.
Information Security
As required by s19 of POPIA, the confidentiality and integrity of any Personal Information processed by us is subject to reasonable technical and organisational safeguards to prevent loss, damage, destruction or unauthorised access, having due regard to generally accepted information security practices and procedures. We will notify you, and the Information Regulator, should we suspect that a data breach has occurred.
We are not liable to you, or any other person, for any harm, loss, damage, destruction or unauthorized access that may occur despite our implementation of such reasonable safeguards.
Your rights
In terms of sections 23 and 24 of POPIA, you have the right to access, and to request us to correct, any personal information retained by us, subject to the provisions of those sections. Please refer to Bishops’s PAIA manual, for more information on the process to follow in this regard.
You furthermore have the right, in terms of section 11(3) of POPIA, to object to our holding of your personal information. Please refer to Bishops’s PAIA manual, for more information on the process to follow in this regard.
Should you wish to lodge a complaint, you may contact the office of the Information Regulator, whose contact details appear above.
CONTACT INFORMATION
Information Officer
Bishops has appointed an Information Officer and a number of Deputy Information Officers in terms of s56 of POPIA, read with s17 of PAIA. The Information Officer should be the first point of contact for any queries regarding this framework or any of the policies contained herein. The Information Officer’s details are as follows:
Anthony Reeler
Tel: 021 6591000
Email: popi@bishops.org.za
The Information Regulator
The Information Regulator’s office may be contacted for any queries regarding POPIA in general, or to lodge formal documentation. According to the Information Regulator’s website, their contact details are as follows (this may change and you are advised to find their most up to date details on their website at www.justice.gov.za/inforeg/)
Information Regulator
JD House
27 Stiemens Street
Braamfontein, Johannesburg 2001
SCHEDULE 1 – TYPES OF PERSONAL INFORMATION PROCESSED BY BISHOPS
Information type |
Why we process it |
Identifying and age information, e.g. name, surname, ID number
|
To identify the data subjects that we interact with or, in some cases, to contact persons related to them (such as next of kin) in the case of an emergency. |
Contact information, e.g. telephone numbers, email addresses, etc.
|
To contact the data subject (or in some cases their next of kin), if necessary; to make the certain employees’ or officers’ contact information available to students, parents and visitors as part of the proper functioning of the school; |
Educational, behavioral and health information
|
To perform the services of a school; to report legally required information to the Department of Education and other regulatory bodies; to provide healthcare benefits to our employees; to have relevant health related information available in the event of an emergency for the benefit of first responders; |
Information relating to gender, nationality and ethnicity of employees
|
To report legally required statistics to the Department of Labour. |
Financial information relating to our employees, parents or service providers
|
To provide employment-related benefits or remuneration to our employees; or to screen potential employees; or to invoice parents for services rendered; or to pay service providers. |
Criminal history of potential employees
|
To screen potential employees before hiring them.
|
Images video footage and audio clips |
To secure our premises; to provide content-rich feedback to the school community on school activities. |
SCHEDULE 2 – SPECIFIC RETENTION PERIODS IN RESPECT OF CERTAIN INFORMATION
Information type |
Retention period
The retention dates below will be confirmed in future updates
|
Information relating to prospective employees
|
From application date, to the date that a decision is made to hire or not and up to 1 year thereafter. Unsolicited CV’s may be deleted or destroyed immediately upon delivery. |
Employee records
|
For duration of employment and up to a maximum of 5 years thereafter. |
Parent information
|
For the duration of our contract and up to a maximum of 5 years thereafter. |
Service provider information
|
For the duration of our contract and up to a maximum of 5 years thereafter. |
Information about students
|
For the duration of their school career and up to 5 years thereafter. Historically significant or achievement-related information may be archived for indefinite periods, for historical purposes. Academic information is stored by Government and the School has no obligation to keep such information indefinitely.
|
Financial records |
As long as required in terms of relevant tax laws, as advised by our accountants. |