Protection of Personal Information

Protection of Personal Information

  • Bastion is entrusted with the processing of personal information including employee and other stakeholder information. The company takes this responsibility seriously whilst encompassing acceptance, inclusion, and respect. Bastion subscribes to the eight-core information protection principles contained in the Act for effective data privacy regulation,
  • Bastion shall process personal information in accordance with the provisions of the Protection of Personal Information Act No. 4 of 2013 (“the Act”) and as may be directed by the Regulator, according to the eight principles of:
    Principle 1: Accountability
    Principle 2: Processing Limitation
    Principle 3: Purpose Specification
    Principle 4: Further Processing Limitation
    Principle 5: Information Quality
    Principle 6: Openness
    Principle 7: Security Safeguards
    Principle 8: Data Subject Participation

The purpose of this policy is to:

  • Govern the processing of personal information by Bastion employees and contractors in accordance with the requirements of the Protection of Personal Information Act No. 4 of 2013 (“the Act”).
  • Safeguard the personal information held by Bastion from threats, whether internally or externally, deliberate, or accidental, protecting the right of privacy of all data subjects as listed in Appendix A of this policy.
  • Protect Bastion’s records and information as listed in Annexure A in order to ensure the continuation of the day-to-day running of the company and its functions.
  • Regulate the manner in which personal information is processed by the company.
  • Establishing an Information officer to ensure respect for and to promote, enforce and fulfil the rights of data subjects referred to in Annexure A.
  • The basis of this policy is that personal information must be processed in compliance with relevant Protection of Personal Information legislation, Bastion’s policy, governance directives, and administrative directives of its Information Officer.
  • This policy applies to the directors, management, the Information Officer, all employees, and all third parties processing personal information as operators where Bastion is the responsible party.

In this policy, unless the context indicates otherwise —

“Bastion” – means  Bastion Group or its affiliates
“biometrics” – means a technique of personal identification that is based on physical, physiological, or behavioural characterisation including blood typing, fingerprinting, DNA analysis, and retinal scanning and voice recognition;
“child” – means a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself;
“code of conduct” – means a code of conduct issued in terms of Chapter 7;
“competent person” – means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child;
“consent” – means any voluntary, specific, and informed expression of will in terms of which permission is given for the processing of personal information;
“constitution” – means the Constitution of the Republic of South Africa, 1996;
“data subject” – means the person to whom personal information relates;
“data users” – means employees, stakeholders and data subjects as the context may indicate;
“de-identify” – in relation to personal information of a data subject, means to delete any information that—

  • identifies the data subject;
  • can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
  • can be linked by a reasonably foreseeable method to other information that identifies the data subject,
  • and “de-identified” has a corresponding meaning;

“direct marketing” – means to approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of—

  • promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
  • requesting the data subject to make a donation of any kind for any reason;

“electronic communication” – means any text, voice, sound, or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient;
“enforcement notice” – means a notice issued in terms of section 95;
“filing system” – means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
“information matching programme” – means the comparison, whether manually or by means of any electronic or other device, of any document that contains personal information about ten or more data subjects with one or more documents that contain personal information of ten or more data subjects, for the purpose of producing or verifying information that may be used for the purpose of taking any action in regard to an identifiable data subject;
“Information officer” – of, or in relation to, a —

  • public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17; or
  • private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act;

“Minister” – means the Cabinet member responsible for the administration of justice;
“operator” – means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
“person” – means a natural person or a juristic person;

“personal information” – means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic, or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views, or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

“prescribed” – means prescribed by regulation or by a code of conduct;
“private body” – means—

  • a natural person who carries or has carried on any trade, business, or profession, but only in such capacity;
  • a partnership which carries or has carried on any trade, business, or profession; or
  • any former or existing juristic person, but excludes a public body;

“processing” – means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including —

  • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use;
  • dissemination by means of transmission, distribution or making available in any other form; or
  • merging, linking, as well as restriction, degradation, erasure, or destruction of information;

“professional legal adviser” – means any legally qualified person, whether in private practice or not, who lawfully provides a client, at his or her or its request, with independent, confidential legal advice;
“Promotion of Access to Information Act” – means the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);

“public body” – means —

  • any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
  • any other functionary or institution when—
    • exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
    • exercising a public power or performing a public function in terms of any legislation;

“public record” – means a record that is accessible in the public domain, and which is in the possession of or under the control of a public body, whether or not it was created by that public body;
“record” – means any recorded information —

  • regardless of form or medium, including any of the following:
    • Writing on any material;
    • information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other devices, and any material subsequently derived from information so produced, recorded, or stored;
    • label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
    • book, map, plan, graph, or drawing;
    • photograph, film, negative, tape or other devices in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
  • in the possession or under the control of a responsible party;
  • whether or not it was created by a responsible party; and
  • regardless of when it came into existence;

“Regulator” – means the Information Regulator established in terms of section 39;
“re-identify” – in relation to personal information of a data subject, means to resurrect any information that has been de-identified, that —

  • identifies the data subject;
  • can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
  • can be linked by a reasonably foreseeable method to other information that identifies the data subject,
  • and “re-identified” has a corresponding meaning;

“Republic” – means the Republic of South Africa;

“responsible party” – means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;

“restriction” – means to withhold from circulation, use, or publication any personal information that forms part of a filing system, but not to delete or destroy such information;

“special personal information” – means personal information as referred to in section 26;

“this Act” – includes any regulation or code of conduct made under this Act; and

“the company” – means Bastion or its affiliates

“unique identifier” – means any identifier that is assigned to a data subject and is used by a responsible party for the purposes of the operations of that responsible party and that uniquely identifies that data subject in relation to that responsible party.

  • The directors have appointed Benjamin Nathaniel Joannou as the Information Officer.
  • The directors and Information Officer are ultimately responsible for ensuring that information security is properly managed.
  • The Information Officer is responsible for:
    • The encouragement of compliance, by the body, with the conditions for the lawful processing of personal information;
    • dealing with requests made to the body pursuant to this Act;
    • working with the Regulator in relation to investigations conducted pursuant to Chapter 6 in relation to the body;
    • otherwise ensuring compliance by the body with the provisions of this Act; and
    • as may be prescribed.
  • The employees are responsible for adhering to this policy, and for reporting any security breaches or incidents to the Information Officer.
  • The Information Officer shall, in addition to normal information security functions, ensure compliance with the Act, and in particular that personal information and special personal information is processed in accordance with the conditions governing their respective processing, as defined in Chapter 3 of the Act.
  • The Information Officer shall:
    • supervise the development and maintenance of a compliance framework;
    • maintain the PAIA manual and make available as prescribed in sections 14 and 51 of PAIA, as amended;
    • maintain internal measures together with adequate systems to process requests for information or access thereto;
    • conduct internal awareness sessions regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Regulator; and
    • upon request by any person, copies of the manual are provided to that person upon the payment of a fee to be determined by the Regulator from time to time.
  • The Information Officer must annually, and in terms of section 32 of PAIA, submit to a report to the Regulator.
  • The Information Officer shall report to the board.
  • The Information Officer and employees of Bastion are committed to the following principles:
    • to be transparent with regards to the standard operating procedures governing the collection and processing of personal information.
    • to comply with all applicable regulatory requirements regarding the collection and processing of personal information.
    • to collect personal information only by lawful and fair means and to process personal information in a manner compatible with the purpose for which it was collected.
    • where required by regulatory provisions, to inform individuals when personal information is collected about them.
    • to treat sensitive personal information that is collected or processed with the highest of care as prescribed by regulation.
    • where required by regulatory provisions or guidelines, to obtain individuals’ consent to process their personal information.
    • to strive to keep personal information accurate, complete, and up to date, and reliable for their intended use.
    • to develop reasonable security safeguards against risks such as loss, unauthorized access, destruction, use, amendment, or disclosure of personal information.
    • to provide individuals with the opportunity to access the personal information relating to them and, where applicable, to comply with requests to correct, amend or delete personal information.
    • to share personal information, such as permitting access, transmission, or publication, with third parties only with a reasonable assurance that the recipient has suitable privacy and security protection controls in place regarding personal information.
    • to comply with any restriction and/or requirement that applies to the transfer of personal information internationally.
  • Accountability
    • Bastion must ensure compliance with the Act. The company is required to audit the processes used to collect, record, store, disseminate and destroy personal information: in particular:
      • ensure the integrity and safekeeping of personal information in Bastion’s possession or under the company’s control.
    • The company must take steps to prevent the information from being lost or damaged, or unlawfully accessed.
  • Processing Limitation
    • The company must ensure processing is lawful and:
      • is done in a reasonable manner that does not infringe the privacy of the data subject.
      • must be adequate, relevant, and not excessive given the purpose.
      • must have obtained consent or necessity if consent, it must be voluntary and specific,
    • Data subject consent is required – but not if;
      • would prejudice lawful purpose, or
      • information is contained in public record.
    • Personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed unless retention of the record is required or authorised by law or contract, the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form.
  • Purpose Specification
    • Bastion must define the purpose of the information gathering and processing:
      • personal information must be collected for a specific, explicitly defined, and lawful purpose that is related to a function or activity of the company concerned.
  • Further processing limitation
    • The Responsible Party must ensure processing is lawful and:
      • is done in a reasonable manner that does not infringe the privacy of the data subject.
      • must be adequate, relevant, and not excessive given the purpose.
      • must have obtained consent or necessity if consent, it must be voluntary and specific,
    • Data subject consent is required but not if;
      • would prejudice lawful purpose, or
      • information is contained in public record.
  • Information quality
    • The Responsible Party must take reasonably practicable steps to ensure that the information is:
      • complete
      • accurate
      • not misleading; and
      • updated where necessary
    • In taking the steps referred to in 9.6.1, Bastion must have regard to the purpose for which personal information is collected or further processed.
  • Openness
    • Bastion must maintain the documentation of all processing operations under its responsibility as referred to in section 14 (retention and restriction of records) or 51 (meetings of Regulator) of the Promotion of Access to Information Act.
    • The company is to inform the data subject
      • the information being collected and where the information is not collected from the data subject, the source from which it is collected;
      • the name and address of the company;
      • the purpose for which the information is being collected;
      • whether or not the supply of the information by that data subject is voluntary or mandatory;
      • the consequences of failure to provide the information;
      • any particular law authorising or requiring the collection of the information;
      • the fact that, where applicable, the company intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
      • any further information
    • It is not necessary for a responsible party to comply with 9.7.2 if the information will:
      • not be used in a form in which the data subject may be identified; or
      • be used for historical, statistical, or research purposes.
  • Security safeguards
    • Bastion will secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical, and organisational measures to prevent:
      • loss of, damage to, or unauthorised destruction of personal information; and
      • unlawful access to or processing of personal information.
    • The company will oversee an operator who processes data on his/her behalf in that:
      • the operator treats information confidentially
      • the operator establishes and maintains appropriate security safeguards
      • all processing by an operator is be governed by a written contract
      • in the event of security breaches, the company will notify the Regulator and the data subject
  • Data subject participation
    • Bastion will confirm to a data subject, having provided adequate proof of identity, free of charge:
      • whether or not the responsible party holds personal information about the data subject;
      • provide the record or a description of the personal information:
        • within a reasonable time;
        • at a prescribed fee, if any;
        • in a reasonable manner and format; and
        • in a form that is generally understandable.
    • Bastion will correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully on receipt of a request from the data subject.
    • The provisions of the Promotion of Access to Information Act apply to requests made.
    • The company will not process special personal information including religious or political beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life, criminal behaviour unless
      • consent has been obtained by the data subject
      • processing is necessitated by law
      • processing is for historical, statistical, or research purposes
      • information has deliberately been made public by the data subject
    • Bastion will not process the personal information of children unless:
      • prior consent of a competent person has been obtained
      • it is necessary for the establishment, exercise, or defence of a right or obligation in law
      • for historical, statistical, or research purposes
      • of personal information which has deliberately been made public by the child with the consent of a competent person

The company’s directors, management, Information Officer, and all operators, as defined by the Act, of Bastion are responsible for administering and overseeing the implementation of this policy and, as applicable, supporting guidelines, standard operating procedures, notices, consents, and appropriate related documents and processes. Periodic reviews and audits will be conducted where appropriate, to demonstrate compliance with privacy regulation, policy, and guidelines.

Bastion shall establish appropriate privacy standard operating controls that are consistent with this policy and regulatory requirements. This will include:

  • Allocation of information security responsibilities.
  • Incident reporting and management.
  • User ID addition or removal.
  • Information security training and education.
  • Data backup.
  • Record retention

This policy is implemented by Bastion and will be adhered to by all employees who are tasked with collecting and processing of personal information. Non-compliance with this policy may result in disciplinary action and possible termination of employment or mandate, where applicable.

30 June 2021

30 June 2022

Subjects and categories of records held at physical address

Secretarial
Correspondence
Founding documents
Minutes of Meetings
Statutory returns

Human Resources
Conditions of Service
Employee records
Employment contracts
General correspondence
Retirement annuity, pension and provident fund records
Medical aid
Performance appraisals
Personnel guidelines, policies and procedures
Remuneration records and policies
Skills requirements
Employee’s recruitment policies
Statutory records
Training records

Marketing
Client and customer database

Financial
Contracts
Annual Financial Statements
Asset register
Banking records
Budgets
Financial transactions
Insurance information
Management accounts
Purchase and order information
Tax records (company and employee)

Information technology
IT policies and procedures
Physical security, (PC’s locked to fixture/locked computer room)
Virus & malware protection
Software updates

Suppliers
Personal information of all suppliers
Financial records of all suppliers’ account
Contract agreement with all suppliers
Correspondence with all suppliers
Tender documents

Lessors
Personal information details
Lease agreements
Correspondence

Sponsors/Donees
Personal information details
Contact details
Receipts – 18A
Donation register
Correspondence

Publishing houses
Personal information details
Contact details
Details of advert
Correspondence

Statutory bodies e.g., SARS, Department of Labour, SETAs
Personal information details
Contact details
Statutory returns
Correspondence

Auditors
Personal information details
Contact details
Certificates of their registration with an authorizing body
Audit reports
Contract of service
Statement of account
Financial statements
Correspondence

Insurance houses
Personal information details
Contact details
Insurance agreement
Claim forms
Correspondence

Banking institutions
Personal information details
Contact details
Record of accounts kept at the institution
Correspondence

Outsourced IT
Personal information details of the company
Contact details
Contract with company
Statement of account
Correspondence

Clients
Identity numbers
Dates of birth
Telephone numbers
Emails
Addresses
Contractual agreements
Tender and RFP information

Countries of operation
South Africa

Let's chat