Privacy Policy
Information
- Journey Beyond is obliged to comply with the Protection of Personal Information Act 4 of 2013 (POPIA).
- Journey Beyond is committed to protecting the constitutional right to privacy and to protecting Personal Information of data subjects.
- Journey Beyond Ltd will take all reasonable steps to protect the Personal Information of data subjects.
- Data (including Personal Information) is essential to the administrative duties of Journey Beyond. There is a balance to be struck between the individual’s right to privacy and the legitimate administrative requirements of Journey Beyond
- Journey Beyond, in performing its functions, may collect, hold, use or disseminate Personal Information.
- This Policy contains information about how Journey Beyond processes Personal Information and about how data subjects may access and correct Personal Information held by Journey Beyond.
- Journey Beyond will only process Personal Information in accordance with POPIA and other applicable laws.
Definitions
- “data subject” means the person to whom the Personal Information relates;
- “information officer” of, or in relation to, a-
- public body means an information officer or deputy information officer as contemplated in terms of section 1 or 17 of the Promotion of Access to Information Act, 2 of 2000; or
- private body means the head of a private body as contemplated in section 1, of the Promotion of Access to Information Act 2 of 2000;
- “operator” means a person who processes Personal Information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
- “person” means a natural person or a juristic person;
- “personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
- information relating to the race, gender, sex, pregnancy, marital status, national ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
- information relating to the education or the medical, financial, criminal or employment history of the person,
- any identity number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
- the biometric information of the person;
- the personal opinions, views or preferences of the person;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
- the views or opinions of another individual about the person; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
- “private body” means –
- a natural person who carries or has carried on any trade, business, or profession, but only in such capacity;
- a partnership which carries or has carried on any trade, business or profession; or any former or existing juristic person, but excludes a public body;
- “processing” means any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including-
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information;
- “record” means any recorded information –
- regardless of form or medium, including any of the following:
- writing on any material;
- information produced, recorded or stored by means of any tape – recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
- label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
- book, map, plan, graph or drawing;
- photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced;
- in the possession or under the control of a responsible party; and
- whether or not it was created by a responsible party; and
- regardless of when it came into existence;
- “responsibly party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information;
- “special personal information” means Personal Information as referred to in section 26 of POPIA.
Policy Statement
This policy is designed to guide officials in meeting the requirements of lawful processing of Personal Information.
Privacy Statement
- Journey Beyond‘s Web Site is offered to users conditioned on their acceptance of the terms, conditions and notices contained in the Privacy Statement.
- The user’s use of the Web Site constitutes in the user’s agreement to all such terms, conditions and notices as detailed in the Terms of Use.
Collection of Personal Information
- Section 10 of POPIA states that “Personal Information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive”.
- Journey Beyond generally only processes Personal Information if the data subject consents to the processing, or if the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party, or if processing complies with an obligation imposed by law, or if processing is necessary for the proper performance of a public law duty.
- Journey Beyond also processes Personal Information where processing protects a legitimate interest of the data subject or where processing is necessary for pursuing the legitimate interests of Journey Beyond or of a third party to whom the information is supplied.
- The type of Personal Information processed will depend on the purposes for which it is collected and will be processed for these purposes only.
- Journey Beyond shall collect, as far as is reasonably possible, Personal Information directly from the data subject except where Personal Information is collected from a public record, or where the data subject has given his or her written consent to collect his or her Personal Information from another source, or where collection of Personal Information from another source will not prejudice any of the data subject’s legitimate interests, or where collection from another source is necessary (a) to avoid prejudice to the maintenance of the law by Journey Beyond , (b) to comply with an obligation imposed by law, (c) for the conduct of proceedings in any court or tribunal, (d) in the interests of national security, or (e) to maintain the legitimate interests of Journey Beyond or of a third party to whom the information is supplied, or where collection directly from the data subject would prejudice the purpose of the collection, or where collection directly from the data subject is not reasonably practicable in the circumstances.
- Personal information shall be collected for a specific, explicitly defined and lawful purpose related to a function or activity of Journey Beyond.
- Journey Beyond shall, when collecting Personal Information, take reasonably practicable steps to ensure that the data subject is aware of the following:
- the information being collected and where the information is not collected directly from the data subject, the source from which it is collected,
Journey Beyond POPI Policy 2021-06-24.docx Page 6 of 22 - the purpose for which the information is being collected
- the consequences of any failure to provide the information, except where any failure to do so would not prejudice the legitimate interests of the data subject or where any failure to do so is necessary to avoid prejudice in the maintenance of the law by Journey Beyond, or where any failure to do so is necessary to comply with an obligation imposed by law, or where any failure to do so is necessary for the conduct of proceedings in any court or tribunal, or in the interests of national security, or where any failure to do so is necessary to avoid prejudice to a lawful purpose for the collection, or where any failure to do so is because it is not reasonably practicable to do so in the particular circumstances.
- the information being collected and where the information is not collected directly from the data subject, the source from which it is collected,
- Journey Beyond collects Personal Information such as name, identity number, passport number and details, age, health status, telephone numbers, addresses and email address.
- Journey Beyond collects Personal Information relating to it officials such as name, identity number, age, race, gender, marital status, academic qualifications, skills, experience, address and telephonic contact details.
Retention of Personal Information
- Journey Beyond shall not retain records of Personal Information for any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless (a) the retention of the record is required or authorised by law, (b) Journey Beyond reasonably requires the record for lawful purposes related to its functions or activities, (c) retention of the record is required by a contract Journey Beyond is party to.
- Journey Beyond will destroy or delete records of Personal Information as soon as reasonably practicable after Journey Beyond is no longer authorised to retain the record.
Further Processing of Personal Information
Journey Beyond shall take all reasonably practicable steps to ensure that further processing of Personal Information is in accordance or compatible with the purpose for which it was originally collected.
Information Quality
Journey Beyond shall take all reasonably practicable steps to ensure that Personal Information is complete, accurate, not misleading and updated where necessary.
Openness
- Journey Beyond shall maintain the documentation of all processing operations under its responsibility as is referred to in Section 17 of POPIA.
- Journey Beyond’s Manual in terms of Section 51 of PAIA is amended to provide for an explanatory statement on the purpose of Personal Information processing, a description of the categories of data subjects and of the information or categories of information relating thereto, and of the recipients or categories of recipients to whom the Personal Information may be supplied.
Security Safeguards
- Journey Beyond shall take all reasonably practicable steps to secure the integrity and confidentiality of Personal Information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent unauthorized access to, loss of, damage to or unauthorised destruction of Personal Information and unlawful access to or processing of Personal
- To achieve this, Journey Beyond shall take reasonable measures to identify all reasonably foreseeable internal and external risks to Personal Information, to establish and maintain appropriate safeguards against the risks identified, to ensure that safeguards are effectively implemented and to ensure that the safeguards are continually updated.
- All Journey Beyond employees who process personal information shall treat personal information which comes to their knowledge as confidential and shall not disclose it unless required by law or in the course of the proper performance of their duties.
- Journey Beyond shall require of all employees to agree terms regulating their consent, responsibilities and confidentiality undertakings.
Notification of Security Compromises
Where there are reasonable grounds to believe that the Personal Information of a data subject has been accessed or acquired by any unauthorised person then Journey Beyond shall notify the Regulator, and the data subject, subject to any investigation into an offence.
Data Subject Rights / Participation
- Data subjects have the right to be notified by Journey Beyond that their personal information is being collected and of the purpose for which the information is collected before the information is collected.
- Data subjects have the right to be notified in any situation where there are reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorized person.
- Data subjects may request of Journey Beyond to confirm, free of charge, whether or not Journey Beyond holds Personal Information about the data subject, and to request access to their Personal Information.
- Data subjects may request of Journey Beyond to provide a record or a description of the Personal Information about the data subject held by Journey Beyond, within a reasonable time and at a prescribed fee.
- A data subject may request of Journey Beyond to correct or delete personal information about the data subject in Journey Beyond‘s possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully, or to destroy or delete a record of personal information about a data subject which Journey Beyond is no longer authorised to
- Data subjects have the right, on reasonable grounds, to object to the processing of their personal information, unless legislation provides for such processing.
Special Personal Information
Journey Beyond shall not, subject to the statutory exclusions, process Personal Information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by the data subject of any offence or any proceedings in respect of any offence committed by a data subject or the disposal of such proceedings.
Information Officer
- Journey Beyond has appointed and registered the Information Officer and one (1) Deputy Information Officer.
- The appointed Officers are responsible for:
- the encouragement of compliance, by Journey Beyond, with the conditions for the lawful processing of Personal Information;
- dealing with requests made to Journey Beyond pursuant to POPIA;
- working with the Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA in relation to Journey Beyond;
- otherwise ensuring compliance by Journey Beyond with the provisions of POPIA; and as may be prescribed.
- An Information Officer shall, in addition to the responsibilities referred to in section 55(1) of POPI, ensure that-
- a compliance framework is developed, implemented, monitored and maintained;
- a Personal Information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of Personal Information;
- a manual is developed, monitored, maintained and made available as prescribed in sections 51 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000);
- internal measures are developed together with adequate systems to process requests for information or access thereto; and
- internal awareness sessions are conducted regarding the provisions of POPIA, regulations made in terms of POPIA, codes of conduct, or information obtained from the Regulator.
- The Information Officer shall upon request by any person, provide copies of the manual prescribed in section 51 of the Promotion of Access to Information Act, 2 of 2000, to that person upon the payment of a fee to be determined by the Regulator from time to time.
POPIA Audit
- The Information Officer will schedule periodic POPIA Audits.
- The purpose of a POPIA Audit is to:
- Identify the processes used to collect, record, store, disseminate and destroy personal information.
- Determine the flow of Personal Information throughout the organisation.
- Redefine the purpose for gathering and processing Personal Information.
- Ensure that the processing parameters are still adequately limited.
- Ensure that new data subjects are made aware of the processing of their Personal Information.
- Re-establish the rationale for any further processing where information is received via a third party.
- Verify the quality and security of Personal Information.
- Monitor the extent of compliance with POPIA and this Policy.
- Monitor the effectiveness of internal controls established to manage the organisation’s POPIA related
- compliance risk.
- In performing the POPIA Audit, Information Officers will liaise with line managers in order to identify areas within the organisation’s operation that are most vulnerable or susceptible to the unlawful processing of Personal Information.
- Information Officers will be permitted direct access to and have demonstrable support from line managers and the organisation’s governing body in performing their duties.
Disciplinary Action
Where a POPIA complaint or a POPIA infringement investigation has been finalised, Journey Beyond may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy.
Any gross negligence or the wilful mismanagement of Personal Information will be considered a serious form of misconduct for which Journey Beyond may summarily dismiss the employee.