Data Privacy Policy

1. Policy Statement

Data and information are the lifeblood of any organisation. All transactions and management decisions are based on data. Organisations hold vast amounts of data, much of it confidential. It is crucial to correctly manage the integrity, availability, and confidentiality of the data. With the onset of POPIA (Protection of Personal Information Act), data privacy is a critical requirement that must be met by all businesses.

2. Scope

This policy must be read in conjunction with Africa Cosmos Protection of Personal Information Policy, and the Records Management and Classification Policy. The Protection of Personal Information Policy includes all requirements related to the protection and privacy of personal information. The Records Management and Classification Policy includes the classification of documents, the retention and disposal of records and contains details of the retention periods for the various types of records.

This policy applies to all employees, the management team, contractors and consultants at Africa Cosmos.

3. Definitions

Term | Description
POPIA | Protection of Personal Information Act.
Data subject | The person to whom the personal information relates.
Controller | This is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor | This is the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Profiling | This is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Record | Information created, received, and maintained as evidence and information by an Organisation or person, in pursuance of legal obligations or in the transaction of business.
Personal Data | Personal information is information such as contact details, age, race, birth date, educational background, and employment.
Sensitive Personal Data | This consists of data revealing racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

4. Policy Requirements

General Data Confidentiality

  • Data Classification:

    Information must be classified in terms of its value, legal requirements, sensitivity, and criticality to Africa Cosmos. The Company must know what sensitive information it creates, stores, or uses and must understand where this information is stored.

  • Protection Of Records:

    All data and records must be protected from unauthorised access or release to persons who should not have access to the information. This must take place at all points in the data lifecycle, including creation, use, modification, processing, and disposal.

  • Least Privilege Principle:

    Users must only be given the information that is required to perform their work effectively. For this, an assessment of the information requirements of the different positions in the Company needs to be conducted. Data that is used outside of the business areas where the data was intended to be used must be authorised by the owner of the data.

  • Data Sharing:

    The sharing of a subset of the Company’s data across organisational boundaries is necessary. Procedures to control and authorise the sharing of data across Company boundaries whilst maintaining the security of information must be set up and implemented.

  • Data Collection Scope:

    When any IT System is created or modified, the design of systems must be such that only necessary information is collected. The collection of more sensitive types of personal information is only allowed under exceptional conditions and only where permission has been granted.

  • Consent:

    IT Systems must be designed to enable the storage of the consent obtained, in a clear and transparent manner. The IT Systems must be programmed such that consent may only be given via Opt-In, not Opt-Out. The IT Systems must allow for consent to be withdrawn, and the data subject needs to be informed of their right to withdraw consent. Simple-to-use facilities to enable the withdrawal of consent must be provided.

  • Data Processing:

    When an IT System is designed or updated, and a report is created or updated, then processing of personal data must be lawful and as agreed upon in the consent. Only further processing that is compatible with the original use is allowed, without additional consent being obtained. No other use of the data is allowed unless additional consent is obtained for such use.

  • Query Personal Information:

    The IT System’s design must be such that the Company must be able to respond quickly to any request from any natural person regarding any personal information that is stored electronically within the Company.

  • Data Erasure:

    The IT Systems must provide facilities to ensure that the personal information can be destroyed (or de-identified) when the information is no longer needed or at the request of the data subject if such data erasure is allowed.

  • Data Accuracy:

    To assist with increasing the accuracy of data, IT systems must allow for personal records to be amended on request from the data subject.

  • Data Integrity and Confidentiality:

    Measures must be taken to ensure the integrity of the personal information and to prevent loss, damage, or unlawful access to the information. It is required that the internal and external risks be identified, and safeguards put into place to mitigate these risks. These safeguards must be tested and updated as and when necessary. If any of the data capturing or processing is outsourced, then Africa Cosmos must ensure that the outsource provider meets the data privacy requirements in this policy.

  • Data Breach Procedures:

    Accurate information regarding the contact details of data subjects must be kept such that the data subject can be rapidly informed in the event of any breach. IT systems that can detect and stop any breach must be put into place.

  • Demonstrable Compliance:

    The Company must implement appropriate technical and organisational measures to ensure and demonstrate that the processing of personal information is performed in accordance with POPIA and other applicable personal information legislation and regulations. A record of all processing of personal information, whether insourced or outsourced, must be kept.

Data Integrity

  • Single Source of Truth:

    Information must be classified in terms of its value, legal requirements, sensitivity, and criticality to Africa Cosmos. The Company must know what sensitive information it creates, stores, or uses and must understand where this information is stored.

  • Data on Publicly Accessible Systems:

    The integrity of information on a publicly accessible system must be protected to prevent unauthorised modification.

  • E-mail Distribution Lists:

    Standards and procedures for the setup of E-mail distribution lists must be established. All new distribution lists must be set up by the Service Desk only, even though the owner of the distribution list must always be the relevant Business Manager.

Data Confidentiality

  • Protection of Data at Rest:

    The confidentiality and integrity of data at rest (in a storage device of any type) must be protected using appropriate techniques such as encryption.

  • Protection of Data in Motion:

    The confidentiality and integrity of data whilst in transit must be protected using appropriate techniques such as encryption.

  • Data Leakage:

    Procedures and automated tools must be implemented to ensure that confidential information is not accidentally or deliberately released into the public domain or to unauthorised persons within or outside Africa Cosmos. Additionally, procedures must be put into place to detect any data leakage that takes place.

  • E-mail Messages:

    E-mails must be monitored to ensure that no sensitive information is sent outside the Company.

  • Database Server:

    Database servers must be configured in a manner such that IT administrators are unable to access sensitive information.

  • Sensitive Data Access Tracking:

    User access to sensitive documents, including the person who accessed the information and date and time of access, must be recorded for future analysis as required.

Data Backups and Availability

Backing up of data is an important mechanism to protect the availability of data and ensure that the Company can recover from accidental or malicious events that compromise the data in the operational systems. To protect the Company’s data, the following policy requirements must be adhered to:

  • Data Backups:

    All business data must be backed up at set intervals according to a formal schedule as agreed with the business. The backup process must include the physical execution of the backup as well as the checking of logs to identify errors, the rectifying of the errors and the testing of backups to ensure that data can be recovered from them. Appropriate mechanisms must be put into place to ensure that data is not lost due to being overwritten. Test restores must be conducted regularly as defined, based on the assessment of the risk of losing information.

  • Offsite Storage:

    Backup data must be stored offsite at a location different to the main production data.

  • Access to Backups:

    Data remains the sole property of Africa Cosmos. Backups of production data must not be in the possession of any users, including developers, with the exception of those employees with direct responsibility for backup operations.

  • Backup Documentation:

    Detailed documentation regarding backup schedules, backup procedures and restore procedures must be created and kept updated.

  • End-User Device Backups:

    Company data must not be allowed to be stored on user devices as the primary or only store of the information. Any remaining data on end-user devices must be backed up and stored offsite if necessary; however, this must be resolved by using centralised Company systems for data storage.

Data Retention

Data within systems must be retained for the periods as specified in the Records Retention and Classification Policy.

5. Related Documents

This policy has been developed based on the following legislative frameworks:

  • Protection of Personal Information Act (POPIA)
  • Promotion of Access to Information Act (PAIA)
  • Records Retention and Classification Policy
  • Electronic Communications and Transactions Act

6. Policy Governance

  • Ownership:

    The policy owner is Anooradha Parsard, supported by Ivan Du Plooy in his capacity as Deputy Information Officer.

  • Review and approval:

    The policy will be reviewed every 2 years unless changes in business structure or legislation require review sooner.

  • Action for non-compliance:

    Deviations or non-compliance with this policy may result in disciplinary actions up to and including termination as allowed by the Africa Cosmos Disciplinary procedure.