PROTECTION OF PERSONAL INFORMATION POLICY^[1]

1. INTRODUCTION

1. Background

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy, the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information. The Protection of Personal Information Act (“POPIA”) is South Africa’s data protection law.^[2] 

2. Purpose

POPIA is intended to promote the protection of personal information processed by public and private bodies and establish minimum requirements for the processing of personal information in a context-sensitive manner. This Policy is intended to facilitate the responsible processing of personal information received by the school in accordance to the right to privacy of data subjects (pupils, parents, employees and other stakeholders).

3. Applicability

As an educational institution, AL GHAZALI COLLEGE is necessarily involved in the processing of the personal information of pupils, parents, employees and other stakeholders for administrative and other purposes. In accordance with the provisions of POPIA, AL GHAZALI COLLEGE is committed to effectively managing, collecting, handling and disposing of personal information.

4. Details of the School:

5. Objectives

1. To safeguard the personal information held by the school from threats, whether internally or externally, deliberate or accidental and thus protecting the right of privacy of all Data Subjects.

2. Protecting the school’s records and information in order to ensure the continuation of the day to day running of the school.

3. Regulating the manner in which personal information is processed by the school and stipulate the purpose for which information collected is used.

4. Appointing Information Officers to ensure respect for and to promote, enforce and fulfil the rights of Data Subjects.

5. To protect the school from the compliance risks associated with the protection of personal information which includes:

1. breaches of confidentiality where the school could suffer a loss in revenue where it is found that the personal information of data subjects has been shared or disclosed inappropriately;
2. failing to offer a choice, including the choice where all data subjects should be free to decide how and for what purpose the school may use information relating to them; and
3. any instances of any reputational damage where the school could suffer a decline in its reputation, or its good name is impugned through the actions of another party who disseminates or has gained unauthorised access to any personal information of the school’s data subjects.

6. DEFINITIONS

The following definitions in the POPIA are key in determining what activities undertaken by education institutions will be affected by the Policy:

2. POLICY APPLICATION

This policy and its guiding principles apply to all sections of AL GHAZALI COLLEGE (FOUNDATION PHASE, INTERMEDIATE AND SENIOR PHASE, AND FET PHASE)

1. Who is Responsible for Compliance?

1. The Head of School

The Head of School is automatically deemed to be the Information Officer in accordance with the provisions of POPIA but may delegate their duties to a Deputy Information Officer(s). Duties of the Information Officer are as follows:

1. the encouragement of compliance by the school with the conditions for the lawful processing of personal information;
2. dealing with requests made to the school pursuant to POPIA;
3. working with the Information Regulator in relation to investigations conducted pursuant to Chapter 6 of POPIA (Prior Authorisation) in relation to the school;
4. ensuring that a compliance framework is developed, implemented, monitored and maintained;
5. monitoring and implementing Codes of Conduct issued by the Information Regulator; and
6. otherwise ensuring compliance by the school with the provisions of POPIA.

2. All employees

Both permanent and temporary staff, staff working on a contract basis for the school, coaches, volunteers and others who are authorised to access personal data held by the school.

3. All contractors, suppliers and other persons acting on behalf of the organisation.

2. Compliance with this Policy

The Information Officer, Deputy Information Officer(s), and staff are responsible for adhering to this Policy, including:

1. the development and upkeep of this policy;
2. ensuring this policy is supported by appropriate documentation, such as procedural instructions.
3. ensuring that documentation is relevant and kept up to date;
4. ensuring this policy and subsequent updates are communicated to the Board of Governors, staff and parents where applicable;
5. ensuring that the school’s Board of Governors, the School’s employees, volunteers, contractors, suppliers and any other persons acting on behalf of the school have familiarised themselves with this Policy’s requirements and shall undertake to comply with the stated processes and procedures; and
6. reporting any security breaches or incidents to the Information Officer.

3. Scope of Policy

This Policy applies to personal information collected by the school in connection with the services it offers. This includes information collected by the school, at its premises, offline through the school’s telephone lines, and online through the school’s websites, branded pages on third-party platforms and applications accessed or used through such websites or third-party platforms which are operated by or on behalf of the school. This policy is hereby incorporated into and forms part of the terms and conditions of use of the applicable School web sites and other social media platforms. The provisions of the Policy are applicable to both on and off-site processing of personal information. Non-compliance with this policy may result in disciplinary action and possible termination of employment or mandate, where applicable.

3. THE PRINCIPLES OF LAWFUL PROCESSING OF PERSONAL INFORMATION

The school undertakes to lawfully process personal information by ensuring compliance with the following eight guiding principles:

1. To assign responsibility to designated persons for lawful processing of information

The school must assign and register the Information Officer and Deputy Information Officers who will ensure that personal information is collected and processed in accordance with POPIA. These persons will oversee and manage the school’s compliance with POPIA and will furthermore handle all requests made by learners, parents, staff and all relevant stakeholders, for access to information. 

The designated persons will ensure that the school takes appropriate sanctions, which may include disciplinary action, against those individuals who through their intentional or negligent actions and/or omissions fail to comply with the responsibilities outlined in this policy.

2. To only collect data needed for legitimate purposes

Personal information must be collected for a specific, explicitly defined, and lawful purpose.^[3] Therefore, the School will always determine the purposes for which the personal information was collected.

1. To ensure it has a legal basis for processing (Justification)

Once the purpose for processing the personal information has been determined, the lawfulness of the processing activity must be assessed.^[4] All processing activities must have a legal basis. POPIA provides several justifications for processing activities:

1. Personal information may be processed to conclude or perform in terms of a contract;^[5]
2. Personal information may be processed to comply with an obligation imposed by law;^[6]
3. Personal information may be processed to protect a legitimate interest of the data subject;
4. Personal information may be processed to ensure proper performance of a public law duty by a public body;
5. Personal information may be processed to ensure the legitimate interest of the responsible party or of a third party;^[7]
6. Personal information may be processed with the consent of the data subject or a competent person where the data subject is a child.^[8] Consent must be voluntary, specific, explicit, informed and the data subject has the right to withdraw consent at any time.

3. To use the information in a way that matches the purpose of collection

The processing must be necessary to fulfil the purpose of the collection and it must be the least invasive way to achieve that purpose. Any further processing of personal information (for a secondary purpose) by the school must be upon the consent obtained from the relevant Data Subject.

4. To ensure that the information is accurate and regularly updated

The school must ensure that the personal information being processed is regularly updated. This means that the school must maintain the quality of the personal information and as such all personal information must be kept reliable, accurate, up-to-date and relevant to the purposes for which it was collected.^[9]

5. To ensure that information is processed in a fair and transparent manner

Schools are to ensure that Data Subjects are aware of the specific personal information held about them by the school and the purpose to which the information is being collected.

6. Information Security^[10]

The school must take reasonable security steps to protect the integrity of the information and safeguard personal information collected by it against:

1. damage;
2. loss;
3. loss of access;
4. unauthorised destruction;
5. unauthorised access; and
6. unauthorised use.

7. Store the information only as long as required

The retention of all personal information by the school will be guided by all relevant and applicable laws, regulations and policies. Furthermore, all personal information may only be kept for as long as it is required to fulfil the purpose for which it was collected.

The school will ensure that all personal information is destroyed, deleted or de-identified as soon as it is becomes irrelevant, outdated and/or upon the request of a Data Subject. This process shall render the data irretrievable.

8. Uphold data subjects' rights by providing access and corrections to the information

The school is to ensure that there are accessible processes in place to ensure that properly identified data subjects have the right to access related personal information and/or request the correction or deletion of any personal information held about them that may be inaccurate, misleading or outdated.

4. PROCESSING SPECIAL PERSONAL INFORMATION AND THE INFORMATION OF CHILDREN

1. The school undertakes to lawfully process ‘special personal information’

Special personal information is information that relates to:

1. religious beliefs;
2. philosophical beliefs;
3. race;
4. ethnicity;
5. trade union membership;
6. political persuasion;
7. health;
8. biometric information; or
9. allegations of criminal behaviour or information that relates to criminal proceedings; or
10. Personal information about children is also a special category of information.

For the processing of ‘special personal information’ to be lawful, the processing must be justified on one of the grounds discussed in part C, above, and a ground set out in this section below.

2. General justifications for the processing of special personal information:

1. The establishment, exercise or defence of a right in law;
2. International public law;
3. Historical, statistical, or research purposes;
4. The information has deliberately been made public by the data subject;
5. The data subject gave consent; and
6. The information may be processed for health reasons.

3. Processing the information of children must be justified

     Personal information of children may be processed by the school only if:

1. the parent or guardian consents to the processing of the child’s personal information;^[11]
2. processing is necessary for compliance with an obligation imposed by law;
3. processing is necessary to comply with an obligation imposed in terms of international public law;
4. processing is for historical, statistical, or research purposes; or
5. personal information was deliberately made public by the child with the consent of the child’s parent(s) or guardian(s).

5. DATA SUBJECT PARTICPATION

1. Rights of the Data Subject

In order to ensure that Data Subjects are made aware of the rights conferred upon them by POPIA^[12] the school notes for the purposes of this Policy that Data Subjects have, amongst others, the right to:

1. be notified that personal information about them is being collected;^[13]
2. request access to, the correction of, or the deletion of any Personal Information held by the school using the form attached hereto as Annexure “A” to this Policy;^[14] 
3. withdraw consent to process their personal information in terms of the Form attached hereto as Annexure “B”;
4. lodge a complaint concerning the processing of their personal information in terms of the Form attached hereto as Annexure “C”;
5. object, on reasonable grounds, to the processing of their personal information;^[15] 
6. object to the processing of their personal information at any time for purposes of direct marketing;^[16]
7. be notified that their personal information has been accessed or acquired by an unauthorised person;^[17] 
8. submit a complaint to the Information Regulator regarding the alleged interference with the protection of their personal information; and
9. institute civil proceedings regarding the alleged interference with the protection of his, her or its personal information.^[18]

2. Processes to vindicate the rights of Data Subject

The school will uphold the rights of the Data Subject by ensuring that it:

1. does not collect data unnecessarily;
2. implements this Policy in respect of processing personal information;
3. does not retain records of personal information longer than it is necessary for achieving the purpose for which the personal information was collected, or as may be prescribed in terms of a law or contract, or with the consent of the data subject;
4. trains staff on the obligations imposed by POPIA when they process personal information;
5. ensures that personal information is securely stored;
6. has complete control over personal information kept at the school;
7. keeps a catalogue system to assist the school to address requests for access to personal information by Data Subjects;
8. destroys and / or deletes Personal Information this will be conducted in a manner that prevents its reconstruction or reidentification;
9. informs Data Subjects about the use of a CCTV on the premises;
10. informs the Data Subject if it collects personal information for marketing or advertising purposes and provides an opportunity for them to object;
11. In the case of an access breach to the personal information under the control of the School the School will notify the Data Subject and the Information Regulator in writing as soon as reasonably possible after the discovery of the access breach to the personal information via either:

1. mail at the last known physical or postal address;
2. e-mail to the last known e-mail address;
3. publishing a notice on the school website; or
4. publishing a notice in the news media, and

12. where applicable, AL GHAZALI COLLEGE will include a link to unsubscribe from any of its electronic newsletters or related marketing activities.

3. Rights of the School

Please note that the school may lawfully process personal information without obtaining consent from a Data Subject if the processing of the personal information:

1. is necessary for pursuing the legitimate interest of the school or of a third party to whom the information is given;
2. protects a legitimate interest of a Data Subject;
3. is necessary to conclude or perform a contract to which a Data Subject is a party; or
4. complies with an obligation imposed by law.

6. SECURITY SAFEGUARDS

The school, in order to ensure that all personal information is adequately protected, shall takes steps to:

1. implement security controls in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction;
2. apply Security measures in a context-sensitive manner;
3. continuously review its security controls which will include regular testing of protocols and measures put in place to combat cyber-attacks on the school’s IT network;
4. ensure that all paper and electronic records comprising personal information are securely stored and made accessible only to authorised individuals;
5. ensure that all new employees will be required to sign employment contracts containing contractual terms for the use and storage of employee information;
6. ensure that all existing employees will, after the required consultation process has been followed, be required to sign an addendum to their employment containing the relevant consent and confidentiality clauses; and
7. ensure that all the school’s operators and third-party service providers will be required to enter into service level agreements with the organisation where both parties pledge their mutual commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.

7.  SPECIFIC DUTIES AND RESPONSIBILITIES OF SCHOOL’S POPIA TEAM

1. Information Officer (and/or Deputy Information Officer/s)

The school’s Information Officer (or delegated Deputy Information Officer/s) is responsible for:

1. keeping the Management Team and/or Board of Governors and/or Board of Trustees of the School updated about the school’s responsibilities under POPIA;
2. continually analysing POPIA regulations and/or notices issued by the Information Regulator in order to align these with this Policy and procedures thereto;
3. ensuring that POPIA Audits are scheduled and conducted on a quarterly basis;
4. ensuring that the school has accessible processes in place makes it convenient for data subjects who want to update their personal information or submit POPIA related complaints to the school;
5. approving any contracts entered into with operators, employees and other third parties which may have an impact on the Personal Information held by the school;
6. oversee the amendment of the school’s employment contracts and other service level agreements;
7. ensure that employees and other persons acting on behalf of the school are fully aware of the risks associated with the processing of personal information and that they remain informed about the school’s security controls.
8. organising and overseeing the awareness training of employees and other individuals involved in the processing of personal information on behalf of the school;
9. addressing employees’ POPIA related questions;
10. addressing all POPIA related requests and complaints; and
11. working with the Information Regulator in relation to any ongoing investigations. The Information Officers will therefore act as the contact point for the Information Regulator authority on issues relating to the processing of personal information and will consult with the Information Regulator where appropriate, with regard to any other matter.

2. Employees and other persons acting on behalf of the school

Employees and other persons acting on behalf of the school will, during the course of the performance of their services, gain access to and become acquainted with the personal information of certain pupils, parents, suppliers and other employees. Employees and other persons acting on behalf of the school are required to treat personal information as a confidential business asset and to respect the privacy of Data Subjects in the following manner:

1. employees and other persons acting on behalf of the school may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the school or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties;
2. employees and other persons acting on behalf of the school must request assistance from their line manager or the Information Officer if they are unsure about any aspect related to the protection of a Data Subject’s personal information;
3. employees and other persons acting on behalf of the school will only process Personal Information where:

1. the data subject, or a competent person where the data subject is a child, consents to the processing; or
2. the processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or
3. the processing complies with an obligation imposed by law on the responsible party; or
4. the processing protects a legitimate interest of the Data Subject; or
5. the processing is necessary for pursuing the legitimate interests of the school or of a third party to whom the information is supplied.

Employees and other persons acting on behalf of the school will under no circumstances:

1. process or have access to Personal Information where such processing or access is not a requirement to perform their respective work-related tasks or duties;
2. save copies of Personal Information directly to their own private computers, laptops or other mobile devices like tablets or smartphones. All personal information must be accessed and updated from the school’s administrative system and central database on dedicated servers;
3. share personal information informally. In particular, personal information should never be sent by email, as this form of communication is not secure; or
4. transfer personal information outside of South Africa without the express permission from the Information Officer.

Employees and other persons acting on behalf of the school are responsible for:

1. keeping all personal information that they come into contact with secure, by taking sensible precautions and following the guidelines outlined within this policy;
2. ensuring that personal information is held in as few places as is necessary. No unnecessary additional records, filing systems and data sets should therefore be created;
3. ensuring that all computers, laptops and devices such as tablets, flash drives and smartphones that store personal information are password protected and never left unattended. Passwords must be changed regularly and may not be shared with unauthorised persons;
4. ensuring that their computer screens and other devices are switched off or locked when not in use or when away from their desks.
5. ensuring that where personal information is stored on removable storage media such as external drives, CDs or DVDs that these are kept locked away securely when not being used.
6. ensuring that where personal information is stored on paper, that such hard copy records are kept in a secure place where unauthorised people cannot access it. For instance, in a locked drawer of a filing cabinet;
7. ensuring that where personal information has been printed out, that the paper printouts are not left unattended where unauthorised individuals could see or copy them. For instance, close to the printer;
8. taking reasonable steps to ensure that personal information is kept accurate and up to date. For instance, confirming a data subject’s contact details when the parent or customer phones or communicates via email;
9. taking reasonable steps to ensure that personal information is stored only for as long as it is needed or required in terms of the purpose for which it was originally collected. Where personal information is no longer required, authorisation must first be obtained from the relevant line manager or the Information Officer to delete or dispose of the personal information in the appropriate manner;
10. undergoing POPIA Awareness training from time to time; and
11. reporting any suspicious activity, security breach, interference, modification, destruction or the unsanctioned disclosure of personal information, immediately to the Information Officer.

8. POPIA AUDIT

The school’s Information Officer will schedule periodic POPIA Audits.

The purpose of a POPIA audit is to:

1. identify the processes used to collect, record, store, disseminate and destroy personal information;
2. determine the flow of personal information throughout the school. For instance, the transfer of information from one section of the school to another;
3. redefine the purpose for gathering and processing personal information;
4. ensure that the processing parameters are still adequately limited;
5. ensure that new data subjects are made aware of the processing of their personal information;
6. re-establish the rationale for any further processing where information is received via a third party;
7. verify the quality and security of personal information;
8. monitor the extent of compliance with POPIA and this policy; and
9. monitor the effectiveness of internal controls established to manage the School’s POPIA related compliance risk; and
10. liaise with line managers in order to identify areas within the school’s operation that are most vulnerable or susceptible to the unlawful processing of personal information.

9. REQUEST TO ACCESS PERSONAL INFORMATION PROCEDURE

Access to information requests can be made by email, addressed to the Information Officer in a form substantively similar to Annexure “A”. Once the completed form has been received, the Information Officer will verify the identity of the Data Subject prior to handing over any Personal Information. All requests will be processed and considered against this Policy. The Information Officer will process all requests within a reasonable time.

10. POPIA COMPLAINTS PROCEDURE

Data subjects have the right to lodge a written complaint with the school in instances where there is any reason to believe that their rights under POPIA have been infringed upon. AL GHAZALI COLLEGE takes all complaints very seriously and will address all POPIA related complaints in accordance with the following procedure:

1. POPIA complaints must be submitted to the school in writing in a form substantively similar to Annexure “B”;
2. where the complaint has been received by any person other than the Information Officer, that person will ensure that the full details of the complaint reach the Information Officer within 3 working days;
3. the Information Officer will provide the complainant with a written acknowledgement of receipt of the complaint within 2 working days;
4. the Information Officer will carefully consider the complaint and address the complainant’s concerns in an amicable manner;
5. in considering the complaint, the Information Officer will endeavour to resolve the complaint in a fair manner and in accordance with the principles outlined in POPIA;
6. the Information Officer must also determine whether the complaint relates to an error or breach of confidentiality that has occurred and which may have a wider impact on the School’s Data Subjects;
7. where the Information Officer has reason to believe that the personal information of Data Subjects has been accessed or acquired by an unauthorised person, the Information Officer the affected data subjects and the Information Regulator will be informed of this breach; and
8. the Information Officer will revert to the complainant with a proposed solution with the option of escalating the complaint to the school’s Information Officer within 7 working days of receipt of the complaint;  
9. in all instances, the school will provide reasons for any decisions taken and communicate any anticipated deviation from the specified timelines;
10. the Information Officer’s response to the data subject may comprise any of the following:

1. a suggested remedy for the complaint;
2. a dismissal of the complaint and the reasons as to why it was dismissed; or
3. an apology (if applicable) and any disciplinary action that has been taken against any employees involved; and

11. the Information Officer will review the complaints process to assess the effectiveness of the procedure on a periodic basis and to improve the procedure where it is found wanting. The reason for any complaints will also be reviewed to ensure the avoidance of occurrences giving rise to POPIA related complaints.

Where the data subject is not satisfied with the Information Officer’s suggested remedies, the Data Subject has the right to lodge a complaint with the Information Regulator.

11. DISCIPLINARY ACTION

Where a POPIA complaint or a POPIA infringement investigation has been finalised, AL GHAZALI COLLEGE may recommend any appropriate administrative, legal and/or disciplinary action to be taken against any employee reasonably suspected of being implicated in any non-compliant activity outlined within this policy. In the case of ignorance or minor negligence, the school will undertake to provide further awareness training to the employee. Any gross negligence or the willful mismanagement of personal information, will be considered a serious form of misconduct for which the school may summarily dismiss the employee. Disciplinary procedures will commence where there is sufficient evidence to support an employee’s gross negligence.

Examples of immediate actions that may be taken subsequent to an investigation include:

1. A recommendation to commence with disciplinary action.
2. A referral to appropriate law enforcement agencies for criminal investigation.
3. Recovery of funds and assets in order to limit any prejudice or damages caused.

12. CAUTION TO PARENTS/GUARDIANS/CAREGIVERS

1. While laws apply to what the school and third parties can disclose about learners, they do not apply to what learners or their parents might disclose publicly, which means the parent and the child also have a responsibility to protect the child’s privacy. What a parent and or his/her child posts on social media, for example, could be used by others, including private companies and law enforcement in some cases, and is not protected by POPIA.
2. Parents and learners must understand and use the privacy tools on any website or app that the school or they use for school or at home to limit who can view or access their information (that includes having strong, secure and unique passwords and be sure to never post anything online that they wouldn’t want to be shared with others, including law enforcement, the school, tertiary institutions and current or future employers).

ANNEXURES ATTACHED:

1. PERSONAL INFORMATION REQUEST FORM

2. POPIA COMPLAINT FORM

3. PARENTAL CONSENT FORM

4. EMPLOYEE CONSENT AND CONFIDENTIALITY CLAUSE

5. SERVICE LEVEL AGREEMENT CONFIDENTIALITY CLAUSE

AL GHAZALI COLLEGE

PROTECTION OF PERSONAL INFORMATION POLICY

Please be aware that we may require you to provide proof of identification prior to processing your request. There may also be a reasonable charge for providing copies of the information requested.

AL GHAZALI COLLEGE

PROTECTION OF PERSONAL INFORMATION POLICY

Where we are unable to resolve your complaint to your satisfaction you have the right to complain to the Information Regulator who can be contacted at http://www.justice.gov.za/inforeg/index.html

AL GHAZALI COLLEGE

PROTECTION OF PERSONAL INFORMATION POLICY

PROTECTION OF PERSONAL INFORMATION

By signing this form, and unless you at any time instruct the school expressly and in writing to the contrary, your consent is given for the school to:

• collect, store and process credit information;
• collect, store and process names, contact details and information relating to yourself and your Child, and to such information being made available to staff or responsible persons engaged or authorised by the School for School-related purposes to the extent required for the purpose of managing relationships between the school, parents/guardians, and current learners as well as providing references and communicating with the body of former learners;
• include photographs, with or without name, of your Child in School publications, on the school’s website or in press releases to celebrate the School's or your Child's activities, achievements or successes;
• supply information and a reference in respect of your Child to any educational institution which you propose your Child may attend. We will take care to ensure that all information that is supplied relating to your Child is accurate and any opinion given on his ability, aptitude and character is fair.
• The school cannot be liable for any loss you or your Child is alleged to have suffered resulting from opinions reasonably given, or correct statements of fact contained, in any reference or report given by us including informing any other school or educational institution to which you propose to send your Child of any outstanding fees.

The school may not distribute or otherwise publish any of your personal information in its possession, unless you give your consent, in writing, to the school that it may do so. Should this be the case, the school may only distribute or otherwise publish the information specified in your consent to the people and for the purpose stated in your written consent.

Name of Parent:                 

    Name of Learner:         _________________________________________________________

    Grade:                          ___________

Signature:                 

Date:         __________________________        

AL GHAZALI COLLEGE

PROTECTION OF PERSONAL INFORMATION ACT

“Personal Information” (PI) shall mean the race, gender, sex, pregnancy, marital status, national or ethnic origin, colour, sexual orientation, age, physical or mental health, disability, religion, conscience, belief, culture, language and birth of a person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; the views or opinions of another individual about the person whether the information is recorded electronically or otherwise.

“POPIA” shall mean the Protection of Personal Information Act 4 of 2013 as amended from time to time.

AL GHAZALI COLLEGE undertakes to process the personal information of the employee only in accordance with the conditions of lawful processing as set out in terms of POPIA and in terms of the employer’s POPIA Policy and only to the extent that it is necessary to discharge its obligations and to perform its functions as an employer and within the framework of the employment relationship and as required by South African law.

The employee acknowledges that the collection of his/her personal information is both necessary and requisite as a legal obligation, which falls within the scope of execution of the legal functions and obligations of the employer.

The employee therefore irrevocably and unconditionally agrees:

1. That they are notified of the purpose and reason for the collection and processing of his or her PI insofar as it relates to the employer’s discharge of its obligations and to perform its functions as an employer.
2. That they consent and authorise the employer to undertake the collection, processing and further processing of the employee’s PI by the employer for the purposes of securing and further facilitating the employee’s employment with the employer.
3. Without derogating from the generality of the aforestated, the employee consents to the employer’s collection and processing of PI pursuant to any of the employer’s Internet, Email and Interception policies in place insofar as PI of the employee is contained in relevant electronic communications.
4. To make available to the employer all necessary PI required by the employer for the purpose of securing and further facilitating the employee’s employment with the employer.
5. To absolve the employer from any liability in terms of POPIA for failing to obtain the employee’s consent or to notify the employee of the reason for the processing of any of the employee’s PI.
6. To the disclosure of his/her PI by the employer to any third party, where the employer has a legal or contractual duty to disclose such PI.
7. The employee further agrees to the disclosure of his/her PI for any reason enabling the employer to carry out or to comply with any business obligation the employer may have or to pursue a legitimate interest of the employer in order for the employer to perform its business on a day-to-day basis.
8. The employer undertakes not to transfer or disclose his/her PI unless it is required for its legitimate business requirements and shall comply strictly with legislative stipulations in this regard.
9. The employee acknowledges that during the course of the performance of his/her services, he/she may gain access to and become acquainted with the personal information of parents, pupils, other employees and suppliers. The employee will treat personal information as a confidential school asset and agrees to respect the privacy of parents, pupils, other employees and suppliers and other employees.
10. To the extent that he/she is exposed to or insofar as PI of other employees or third parties are disclosed to him/her, the employee hereby agree to be bound by appropriate and legally binding confidentiality and non-usage obligations in relation to the PI of third parties or employees.
11. Employees may not directly or indirectly, utilise, disclose or make public in any manner to any person or third party, either within the school community or externally, any personal information, unless such information is already publicly known or the disclosure is necessary in order for the employee or person to perform his or her duties on behalf of the employer.

Name of Employee:                 

Signature:                 

Date:                 

Name of Employer:         AL GHAZALI

COLLEGE

Head of School:

Signature:                 

Date:                 

AL GHAZALI COLLEGE

PROTECTION OF PERSONAL INFORMATION POLICY