eduSYMS (PTY) Ltd.
Registration Number: 2018/481406/07

PROTECTION OF PERSONAL INFORMATION POLICY

 TABLE OF CONTENTS  
1.        Definitions 3
2.        Application and Purpose                                                                                                                                                                  4
Part A – Human Resources
3.        Recruitment and Appointment 5
4.        Collection, Processing and transferring of Personal Information 5
5.        Pre-employment screening checks                                                                                                                                               6
6.        Special Personal Information                                                                                                                                                          6
7.        Storage and management of Personal Information 6
8.        Termination of Employment 7
Part B – Third Parties
9.        Distribution of Personal Information to Third Parties 8
10.      Receiving Personal Information from Third Parties 8
General
11.      Review of Personal Information and revocation 9
12.      Storage and management of Personal Information                                                                                                                     9
13.      Data security 10
14.      Information Officer                                                                                                                                                                           11
15.      Amendments to this Policy                                                                                                                                                             11
DEFINITIONS
Unless otherwise stated, or the context otherwise requires, the words and expressions listed below shall bear the meanings ascribed to them:
1.1 Applicant – an individual who has applied to be considered for employment with the Company, or an existing employee who has applied to be considered for another position. The Applicant is the data subject as defined in terms of POPIA, being the person to whom the Personal Information or Special Personal Information relates;
1.2 Company – eduSYMS (Pty) Ltd, a Company duly incorporated in terms of the laws of the Republic of South Africa with its registered address situated at 405 Pretorius Street, Pretoria, 0007;
1.3 Deputy Information Officer – the person identified as a deputy information officer in clause 14;
1.4 Information Officer – the person identified as an information officer in  clause 14;
1.5 Operator – any third party that collects or uses Personal Information or Special Personal Information, or supports systems which contain Personal Information or Special Personal Information under the instructions of and solely for the Company or to which the Company discloses Personal Information or Special Personal Information for use or Processing on the Company’s behalf;
1.6 Personal Information – any information or set of information that identifies or is Processed by or on behalf of the Company, as described in Chapter 1, Section 1 of POPIA;
1.7 Policy – this Protection of Personal Information Policy;
1.8 POPIA – the Protection of Personal Information Act, 2013;
1.9 Processing – any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including –
1.9.1 the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
1.9.2 dissemination by means of transmission, distribution or making available in any other form; or
1.9.3 merging, linking as well as restriction, degradation, erasure or destruction of information, and “Process” has the corresponding meaning;
1.10 Regulator – the Information Regulator established in terms of section 39 of POPIA;
1.11 Retain – the keeping of Personal Information in accordance with the time periods provided for in terms of the applicable legislation depending on the nature of the record, this Policy and POPIA;
1.12 Special Personal Information – any personally identifiable information that reveals race or ethnic origin, political persuasion, religious or philosophical beliefs, trade union membership, health or biometric information, or criminal behaviour;
1.13 Third Parties – third parties include but are not limited to Operators, Licensees, customers and parties providing products, goods, equipment, systems and services, such as information technology or human resources system suppliers, pension or retirement funds, medical aid schemes, benefits administrators or providers, human resource management administrators and payroll administrators, as well as regulatory authorities (including tax authorities and Bargaining Councils) and trade unions.
APPLICATION AND PURPOSE
2.1 This Policy regulates the Processing of Personal Information or Special Personal Information by the Company.
2.2 This Policy applies to all Personal Information collected and processed by and on behalf of the Company for purposes of their business activities.  
2.3 The Company, as the responsible party in terms of POPIA, must ensure that the relevant laws relating to the Processing of Personal Information are complied with:
2.3.1 during the recruitment and appointment process of Applicants;
2.3.2 during the compilation, storage and management of Personal Information relating to Applicants and the employment records of employees;
2.3.3 for a prescribed period after the recruitment decision has been made in respect of Applicants;
2.3.4 during the Processing of the Personal Information of employees during their employment and for a prescribed period after the termination of the employment relationship; and
2.3.5 when Personal Information is shared with Third Parties. 
2.4 The Company aims to have agreements in place with all Third Parties to ensure a mutual understanding with regard to the protection of Personal Information.
2.5 The Company will ensure that the Policy is accessible to all employees.
2.6 The Company has appointed an Information Officer and Deputy Information Officer to administer this Policy and ensure compliance with the provisions of POPIA.

Part A – Human Resources

RECRUITMENT AND APPOINTMENT
3.1 All job advertisements sent out by the Company will set out the inherent job requirements and competency specifications for the particular vacancy, as well as the Personal Information required of an Applicant and the recruitment screening checks which will be conducted in order to Process the job application. 
3.2 The Company will only consider a job application and Process Personal Information received from an Applicant if the Applicant has granted the consent as stipulated in the internal or external advertisement.
3.3 The Company will take all reasonable steps to ensure that an Applicant’s Personal Information will only be Processed in order to assess whether or not the Applicant meets with the Company’s employment requirements.  In so doing, the Company will only Process such of the Applicant’s Personal Information as may be necessary to make a decision on the job application. Any extraneous Personal Information supplied by the Applicant will be disregarded.
3.4 The Company will also be required to Process employees’ Personal Information in connection with the employment relationship.  The Company will take all reasonable steps to ensure that employees’ Personal Information will only be used for purposes connected to the employment relationship. 
RECRUITMENT AND APPOINTMENT
4.1 During the online application process or pursuant to a response received from an Applicant to an internal or external advertisement of a vacancy, the Company will collect the Applicant’s Personal Information.
4.2 The Company will also need to Process Personal Information from existing employees due to changes in legislation, policies, procedures, benefits or terms and conditions of employment.  Employees’ Personal Information will be used for the purpose of implementing the employee’s terms and conditions of employment, benefits provided to the employee, complying with legislative requirements, and generally identifying employees during the course of their employment.   The Company will endeavour to obtain all of the employee’s Personal Information required, directly from the employee.
4.3 The Company will take reasonable steps to ensure that an Applicant or employee understands the purpose for the Processing of their Personal Information and that informed consent is obtained from the Applicant or the employee prior to Processing any of their Personal Information. 
4.4 The Company will ensure that in Processing an Applicant’s or employee’s Personal Information, it will adhere to its obligations in terms of POPIA. 
4.5 The Company will Process an Applicant’s Personal Information from the Applicant as captured in the Applicant’s online profile or pursuant to the Applicant responding to an advertisement, together with such other relevant Personal Information of the Applicant which is available from a public record or has been deliberately made public by the Applicant.
4.6 The Applicant’s profile as completed online or provided by the Applicant in response to an advertisement shall be directed to the Company’s relevant internal department for purposes of assessing the application and the Applicant’s suitability for the position applied for. 
4.7 Should an Applicant furnish Personal Information which is irrelevant or beyond what is necessary in order for the Company to Process his or her application, such additional Personal Information shall not be processed as far as reasonably practicable.  
4.8 The Company reserves its rights to Process Personal Information where required in accordance with any law. 
PRE-EMPLOYMENT SCREENING CHECKS
5.1 The Company may verify the Personal Information supplied by an Applicant and conduct such other background checks as may be relevant to assess the Applicant’s suitability to the position to which an Applicant applied. 
5.2 The Company will conduct a reference check on Applicants who have been shortlisted for a position, in order to verify the information provided by the Applicant. 
5.3 Reference checks will not be conducted in a manner that unfairly discriminates.  The same reference checks will be conducted on all short-listed Applicants. 
SPECIAL PERSONAL INFORMATION
6.1 Applicants will be notified of certain advertised positions which shall require the Company to Process the Applicant’s Special Personal Information.  Such positions may include positions where the Applicant would be working in a high risk area or in a position of trust. 
6.2 The Processing of Special Purpose Information must not unfairly discriminate against an Applicant or employee and the Processing of Special Personal Information must have a direct bearing on the recruitment decision. 
6.3 Special Personal Information shall only be Processed where such Processing is required in order to;
6.3.1 assess the Applicant’s suitability for the position based on the inherent job requirements of the position to which the Applicant has applied;
6.3.2 comply with the Company’s obligations in terms of the employee’s contract of employment or in relation to the provision of benefits such as medical aid, life or disability cover or retirement funding to employees.
6.4 Special Personal Information will only be Processed with the Applicant’s or employee’s informed consent.
6.5 The Company will not deny employment to any Applicant solely because the Applicant has been convicted of a crime.  The Company will consider the nature, date and circumstances of the offence as well as whether the offence is relevant to the duties of the position applied for.
6.6 Should an Applicant disclose a particular medical condition or disability on his/her application, the Applicant may be required to undergo further testing to determine the Applicant’s fitness for the position applied for. 
6.7 The Company will only Process the Special Personal Information of its employees where the employee has given express consent prior to the Processing or the Processing is required by law. 
6.8 Personal Information covered by medical confidentiality will be stored by Company personnel who will be bound by rules relating to medical secrecy and will be retained separately from other Personal Information. 
STORAGE AND MANAGEMENT OF PERSONAL INFORMATION
7.1 The Personal Information of an Applicant who successfully applies for a position within the Company and is appointed will be stored in the Applicant’s personnel file on their appointment and processed as part of the employment relationship. 
7.2 Should an Applicant who applied be unsuccessful in his/her application for employment, the Company will, subject to clause 11 below, store the Applicant’s data for no longer than six months after the decision has been taken not to appoint the Applicant concerned.  On expiry of the six month period, the Company shall destroy or de-identify the Personal Information. 
TERMINATION OF EMPLOYMENT
8.1 The Company will not provide references to employees upon termination of employment. 
8.2 Employees will be provided with the statutory certificate of service upon termination of their employment. 
8.3 Upon termination of employment, the employee’s Personal Information will be handed to the relevant pension or provident fund for the purposes of post-employment benefits and thereafter will be destroyed, deleted or de-identified, as legally required or in terms of this Policy and POPIA.
8.4 The Company undertakes to retain and thereafter destroy all hard copies of a terminated employee’s Personal Information within such periods as are legally required from time to time or in terms of this Policy and POPIA.  Such Personal Information will be destroyed on the Company’s premises and in a manner that prevents its reconstruction in an intelligible form. 
8.5 The Company undertakes to retain and thereafter delete or, where deletion is not reasonably possible, de-identify all soft copies of a terminated employee’s Personal Information, within such periods as are legally required from time to time or in terms of this Policy and POPIA.  Such deletion will be in a manner that prevents its reconstruction in an intelligible form.  Such de-identification will be in a manner that prevents any association between the employee and his or her Personal Information. 

Part B – Third Parties

DISTRIBUTION OF PERSONAL INFORMATION TO THIRD PARTIES
9.1 The Company may provide access or transfer Personal Information to Third Parties where it is necessary in the course of and for the purpose of giving effect to the Company’s business activities or as required by law. 
9.2 Processing of Personal Information in such circumstances would for example be for the purpose of giving effect to agreements between the Company and the Third Parties, the provision of retirement benefits, medical aid benefits, payroll and human resources administration and for the purpose of remuneration grading, salary surveys and benchmarking, procurement, supply and the provision of services. 
9.3 The Company undertakes to take reasonable practicable steps to ensure that Personal Information transferred to Third Parties is dealt with confidentiality and in accordance with applicable legal requirements by those Third Parties. 
9.4 The Company shall only transfer Personal Information to Third Parties in other jurisdictions where such Third Parties are subject to and comply with such laws, policies or agreements regarding privacy, data protection and confidentiality of Personal Information as may legally be required from time to time. 
9.5 The Company aims to have agreements in place with all Third Parties to ensure there is a mutual understanding with regard to the protection of Personal Information, such Third Parties will be required to comply with the same or substantially similar regulations as the Company are subjected to.
RECEIVING PERSONAL INFORMATION FROM THIRD PARTIES
10.1 During the course of conducting its business the Company will collect Third Parties’ Personal Information from time to time.
10.2 The Company will Process the Personal Information received from Third Parties pursuant to contractual arrangements and legislative requirements.
10.3 The Company will take reasonable steps to ensure that Third Parties understand the purpose for the Processing of their Personal Information and that informed consent or contractual agreement is obtained from such Third Parties prior to Processing any of their Personal Information. 
10.4 The Company will ensure that in Processing a Third Party’s Personal Information, it will adhere to its obligations in terms of POPIA. 
10.5 With the necessary consent, the Company may also supplement the information provided with information it receives from Third Parties to ensure the accuracy of information. 

General

REVIEW OF PERSONAL INFORMATION AND REVOCATION
11.1 The Company will verify periodically, but at least bi-annually or as legally required that the Personal Information which it has stored is accurate, up to date and complete. 
11.2 The Company will provide a means for persons providing Personal Information to it to review the accuracy of the Personal Information and a means to rectify inaccurate Personal Information. 
11.3 Employees must report any inaccuracies to the Information Officer or Deputy Information Officer. 
11.4 Persons may revoke or withdraw their authorisation for the Processing of their Personal Information at any time by directing an email to the Information Officer or Deputy Information Officer. 
11.5 As soon as a person has notified the Company that he or she has revoked or withdrawn his or her authorisation for the Processing of their Personal Information, the Company shall desist from any further Processing of the Personal Information of such person and thereafter such Personal Information will, subject to it being Retained, be destroyed, deleted or de-identified, as legally required or in terms of this Policy and POPIA.
11.6 Where appropriate persons will be made aware of potential detrimental consequences of the withdrawal or revocation of authorisation for the Processing of Personal Information. 
STORAGE AND MANAGEMENT OF PERSONAL INFORMATION
12.1 The Company will retain records of Personal Information for the period necessary for achieving the purpose for which the Personal Information was Processed.
12.1.1 Personal Information in a soft copy format is stored on the Company IT platform, including Cloud storage.
12.2 Personal Information in a hard copy format is stored as follows:
12.2.1 For human resources purposes, Personal Information is stored in personnel files on each site. 
12.2.2 For procurement, marketing and sales purposes, Personal Information is stored in [●]. 
12.3 The Company undertakes to confer an obligation on any of its management employees to maintain the Company’s privacy obligations when Personal Information is distributed to managers for the purposes of management and/or business administration. 
12.4 In instances where further Processing is required after the initial Processing of the Personal Information and further Processing does not correspond, as legally required, with the initial purpose of the initial Processing of Personal Information, the Company will obtain further consent from the employee, Applicant or Third Party for the further Processing of the Personal Information. 
12.5 The Company will take reasonably practicable steps to ensure that all Personal Information collected is complete, accurate and not misleading, having regard to the purpose for which the Personal Information is being Processed.
12.6 The Company will take all reasonably practicable steps to ensure that all Personal Information remains confidential and is not distributed to unauthorised third parties.
12.7 Employees’ Personal Information will only be made internally available within the Company to specifically authorised users, who will only have access to such Personal Information as is required for the fulfilment of their tasks. 
STORAGE AND MANAGEMENT OF PERSONAL INFORMATION
13.1 The Company will retain records of Personal Information for the period necessary for achieving the purpose for which the Personal Information was Processed.
13.2 The Company will implement the following security measures:
13.2.1 The Company’s Information Officer whose details are set out in 14 below is responsible for the compliance with the conditions of the lawful processing of Personal Information and other provisions of POPIA.
13.2.2 Information Officer is assisted by the Deputy Information Officer whose details are set out in clause 14 below.
13.2.3 Each new employee will be required to sign an Employment Contract containing relevant consent clauses for the use and storage of the employee’s Personal Information, or any other action so required, in terms of POPIA. 
13.2.4 In respect of those Employees who are employed at the time the Company implements this Policy the Company will assume tacit agreement from such Employees for the use and Processing of the Employees’ Personal Information for the purpose of implementing the employee’s terms and conditions of employment, benefits provided to the employee, complying with legislative requirements, and generally identifying employees during the course of their employment with the Company, provided that the Company may require existing Employees to provide written permission or sign an addendum to their contracts of employment in this regard where the Company deems it necessary or appropriate.
13.2.5 All current Third Parties of the Company will where appropriate be required to sign an addendum to their contracts with the Company containing relevant consent clauses for the use and storage of employee information, or any other action so required, in terms of POPIA. 
13.2.6 All electronic files or data are backed up by the Company’s IT department who is responsible for system security which protects third party access and physical threats. 
13.2.7 An Incident Register will be kept to log any security incidents and to report on and manage said incidents this register will be maintained by the Information Officer. 
13.2.8 The Company’s Information Officer and the IT department shall identify all reasonably foreseeable internal and external risks to Personal Information, establishing and maintaining appropriate safeguards against the risks identified, regularly verifying that the safeguards are effectively implemented, and ensuring that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
13.2.9 Applicants will be informed should their Personal Information be accessed or acquired by any unauthorised person. 
 INFORMATION OFFICER
The Company will appoint an Information Officer and Deputy Information Officer under the Company.  The details are as follows:
Information Officer Details Lovemore Chanengeta
Physical Address: 405 Pretorius Street, Pretoria, 0007
Postal Address: 405 Pretorius Street, Pretoria, 0007
Telephone No:          076 263 6000
Fax No: 086 202 0206
Email Address: ceo@edusyms.com
Deputy Information Officer Details  
Physical Address: 405 Pretorius Street, Pretoria, 0007
Postal Address: 405 Pretorius Street, Pretoria, 0007
Telephone No:          076 263 6000
Fax No: 086 202 0206
Email Address: info@edusyms.com
 AMENDMENTS TO THIS POLICY
This Policy may be amended on commencement of POPIA in its entirety insofar as there are substantive amendments to POPIA from its current form, pursuant to any amendments to POPIA or changes to the law relating to Personal Information and on publication of the regulations under POPIA insofar as this may be necessary from time to time.