- SPECIAL SAFETY CONSIDERATIONS
- ASSOCIATED PROCEDURES AND POLICIES
- ASSOCIATED FORMS
I acknowledge that this document may be subject to modification and replacement from time to time and that it is the employee’s responsibility to keep abreast of company policies and/or procedures and contact management should he / she have any queries.
Purpose of Policy
The purpose of the policy is to enable Medequip to:
- Comply with the law in respect of the data it holds about individuals;
- Follow codes of good practice;
- Protect Medequip’s staff, customers and other individuals;
- Protect the organisation from the consequences of a breach of its responsibilities.
This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).
- comply with both the law and good practice;
- respect individuals’ rights;
- be open and honest with individuals whose data is held;
- provide training and support for staff who handle personal data, so that they can act confidently and consistently.
Medequip recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands, and retention of good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Medequip will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
Medequip has identified the following potential key risks, which this policy is designed to address:
- Breach of confidentiality (information being given out inappropriately)
- Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
- Failure to offer choice about data use when appropriate
- Breach of security by allowing unauthorised access
- Harm to individuals if personal data is not up to date
Information Officer Responsibilities
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.
Information Officer Responsibilities
The Information Officer has the following responsibilities:
- Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:
- Reviewing the POPI Act and periodic updates as published
- Ensuring that POPI Act induction training takes place for all staff
- Ensuring that periodic communication awareness on POPI Act responsibilities takes place
- Ensuring that Privacy Notices for internal and external purposes are developed and published
- Handling data subject access requests
- Approving unusual or controversial disclosures of personal data
- Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information
- Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place
- Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act
- Providing direction to any Deputy Information Officer.
As per the regulations within the Act, the Medequip Information Officer is the head of the organisation, Mr Quenton Greene.
Consideration has been given to the appointment of a Deputy Information Officer to assist the Information Officer; this role has been filled by Nicole Hendry, Operations Manager.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.
Medequip undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).
Forms of consent
Medequip undertakes to gain written consent where appropriate; alternatively, a recording must be kept of verbal consent.
Nature of Personal Information
Medequip has used the POPI-Personal Information Diagnostic tool to identify all instances of personal information in the organisation.
Purpose specification Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 3.
Medequip undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).
Medequip will establish retention periods for at least the following categories of data:
Detailed coverage of the relevant retention periods has been documented in the Personal Information Diagnostic tool.
Further processing limitation Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 4.
Further processing limitation
Medequip undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, section 15.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 5.
Medequip will comply with all of the aspects of Condition 5, section 16.
Medequip will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
- Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.
- Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
- Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Archived electronic records of Medequip are stored securely off site on cloud-based servers held by Microsoft and Hetzner.
Paper records are archived at our premises and held in a secure location.
Archived paper documents that have passed their validity period are destroyed.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 6.
In line with Conditions 6 and 8 of the Act, Medequip is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
- for what purpose it is being processed;
- what types of disclosure are likely; and
- how to exercise their rights in relation to the data.
Data Subjects will generally be informed in the following ways:
- Staff: through this policy
- Customers and other interested parties: through the Medequip Privacy Notice
Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 7, sections 19 to 22.
This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.
Medequip has identified the following risks:
- Staff with access to personal information could misuse it.
- Staff may be tricked into giving away information, either about customers / members or colleagues, especially over the phone, through “social engineering”.
Setting security levels
Access to information on the main Medequip computer system will be controlled by function.
Medequip has used the POPI-Personal Information Diagnostic tool to identify security levels required for each record held which contains Personal Information.
Medequip will ensure that all necessary controls are in place in terms of access to personal information.
Medequip will ensure that adequate steps are taken to provide business continuity in the event of an emergency.
Please see the disaster management recovery policy for further guidance.
Data Subject participation Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 8, sections 23 to 25.
Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.
Procedure for making a request.
Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay.
Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined in the Medequip PAIA Manual.
Provision for verifying identity.
Where the individual making a subject access request is not personally known to the POPI Act Information Officer, their identity will be verified before any information is handed over.
Fees for access to personal information will be handled in compliance with the PAIA Act.
Procedure for granting access
Procedures for access to personal information will be handled in compliance with the PAIA Act.
Processing of Special Personal Information Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.
Processing of Special Personal Information
Medequip’s policy is to adhere to the POPI Act provisions on the processing of Special Personal Information, which is information relating to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.
Special personal information includes criminal behaviour relating to alleged offences or proceedings dealing with alleged offences.
Unless a general authorisation, or alternatively a specific authorisation relating to the different types of special personal information, applies, a responsible party is prohibited from processing special personal information.
Prior Authorisation Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 6.
Medequip’s policy is to adhere to the Prior Authorisation process in terms of sections 57 to 59.
Direct Marketing, Directories and Automated Decision Making Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 8.
Direct Marketing, Directories and Automated Decision Making
Opting in
Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
Medequip does not share data subject information with any third parties.
Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.
Trans-border information flows Scope
The scope of this aspect of the policy is defined by the provisions of the POPI Act, Chapter 9.
Trans-border information flows
Medequip will ensure that the POPI Act Chapter 9, section 72 is fully complied with. Medequip has used the POPI-Personal Information Diagnostic tool to identify trans-border flows which contain Personal Information. Compliance with section 72 will be achieved using the necessary contractual commitments from the relevant third parties.
Staff training & acceptance of responsibilities Scope
The scope of this aspect of the policy is written in support of the provisions of the POPI Act, Chapter 5, Part B.
Information for staff is contained in this policy document and other materials made available by the Information Officer.
The Medequip Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.
Medequip will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.
Procedure for staff signifying acceptance of policy.
Medequip will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.
Policy review Responsibility
The Medequip Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.
The Medequip Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.
APPENDIX A: MEDEQUIP CUSTOMER PRIVACY NOTICE
We respect the privacy of everyone who visits this website. As a result, we would like to inform you regarding the way we would use your Personal Information. We recommend that you read this Customer Privacy Notice and Consent so that you understand our approach towards the use of your Personal Information. By submitting your Personal Information to us, you will be treated as having given your permission – where necessary and appropriate – for disclosures referred to in this policy. By using this web site, you acknowledge that you have reviewed the terms of this Customer Privacy Notice and Consent to Use of Personal Information (the “Customer Privacy Notice and Consent”) and agree that we may collect, use and transfer your Personal Information in accordance therewith. If you do not agree with these terms, you may choose not to use our site, and please do not provide any Personal Information through this site.
This Customer Privacy Notice and Consent forms part of our Site Terms and Conditions of Use and shall be governed by and construed in accordance with the laws of South Africa. This Notice explains how we obtain, use and disclose your personal information, as is required by the Protection of Personal Information Act, 2013 (POPI Act). At Medequip we are committed to protecting your privacy and to ensuring that your Personal Information is collected and used properly, lawfully and openly.
Who we are
Medequip is an established company that specialises in the supply, delivery and installation of capital medical equipment and instruments.
The primary objective of Medequip is to create customer relationships for the supply and support of our equipment.
The information we collect
Collection of Personal Information
We collect and process your Personal Information mainly to assist in the quotation, purchase, delivery, and ongoing support of our equipment, to help us improve our offerings to you and for certain other purposes explained below. The type of information we collect will depend on the purpose for which it is collected and used. We will only collect information that we need for that purpose.
We collect information directly from you where you provide us with your personal details, for example when you purchase a product or services from us or when you submit enquiries to us or contact us. Where possible, we will inform you what information you are required to provide to us and what information is optional.
Examples of information we collect from you are:
- email address
- telephone/cell number
- user-generated content, posts and other content you submit to our web site
We also collect information about you from other sources as explained below.
Collection of Non-Personal Information
You cannot be identified from this information and it is only used to assist us in providing an effective service on this web site. We will never share your details with third parties without your consent.
We use the term “cookies” to refer to cookies and other similar technologies covered by the POPI Act on privacy in electronic communications.
- What is a cookie?
Cookies are small data files that your browser places on your computer or device. Cookies help your browser navigate a website, and the cookies themselves cannot collect any information stored on your computer or your files. When a server uses a web browser to read cookies, they can help a website deliver a more user-friendly service. To protect your privacy, your browser only gives a website access to the cookies it has already sent to you.
rate pages and fill in comment forms. Some of the cookies we use are session cookies and only last until you close your browser, others are persistent cookies which are stored on your computer for longer. For further details on the various types of cookies that we use.
- How do I reject and delete cookies?
How we use your information
We will use your Personal and Non-Personal Information only for the purposes for which it was collected or agreed with you, for example:
- Analyse the effectiveness of our advertisements, competitions and promotions
- Collect information about the device you are using to view the site, such as your IP address or the type of Internet browser or operating system you are using, and link this to your Personal Information so as to ensure that the site presents the best web experience for you
- Evaluate the use of the site, products and services
- For audit and record keeping purposes
- For market research purposes
- For monitoring and auditing site usage
- Help speed up your future activities and experience on the site. For example, a site can recognise that you have provided your Personal Information and will not request the same information a second time.
- In connection with legal proceedings
- Make the site easier to use and to better tailor the site and our products to your interests and needs.
- Offer you the opportunity to take part in competitions or promotions
- Personalise your website experience, as well as to evaluate (anonymously and in the aggregate) statistics on website activity, such as what time you visited it, whether you’ve visited it before and what site referred you to it
- Suggest products or services which we think may be of interest to you
- To assist with business development
- To carry out our obligations arising from any contracts entered into between you and us
- To conduct market or customer satisfaction research or for statistical analysis
- To confirm and verify your identity or to verify that you are an authorised customer for security purposes
- To contact you regarding products and services which may be of interest to you, provided you have given us consent to do so or you have previously requested a product or service from us and the communication is relevant or related to that prior request and made within any timeframes established by applicable laws.
- To notify you about changes to our service
- To respond to your queries or comments
- We will also use your Personal Information to comply with legal and regulatory requirements or industry codes to which we subscribe or which apply to us, or when it is otherwise allowed by law.
- Where we collect Personal Information for a specific purpose, we will not keep it for longer than is necessary to fulfil that purpose, unless we must keep it for legitimate business or legal reasons. In order to protect information from accidental or malicious destruction, when we delete information from our services, we may not immediately delete residual copies from our servers or remove information from our backup systems.
- You can opt out of receiving communications from us at any time. Any direct marketing communications that we send to you will provide you with the information and means necessary to opt out.
Disclosure of Personal Information
We may disclose your Personal Information to our business partners who are involved in the delivery of products or services to you. We have agreements in place to ensure that they comply with these privacy terms.
We may also disclose your information:
- Where we have a duty or a right to disclose in terms of law or industry codes;
- Where we believe it is necessary to protect our rights.
Personal Information Security
We are legally obliged to provide adequate protection for the Personal Information we hold and to stop unauthorised access and use of personal information. We will, on an on-going basis, continue to review our security controls and related processes to ensure that your Personal Information is secure.
Our security policies and procedures cover:
- Acceptable usage of personal information;
- Access to personal information;
- Computer and network security;
- Governance and regulatory issues;
- Investigating and reacting to security incidents;
- Monitoring access and usage of personal information;
- Physical security;
- Retention and disposal of information;
- Secure communications;
- Security in contracting out activities or functions.
When we contract with third parties, we impose appropriate security, privacy and confidentiality obligations on them to ensure that Personal Information that we remain responsible for is kept secure.
We will ensure that anyone to whom we pass your Personal Information agrees to treat your information with the same level of protection as we are obliged to.
Access to your Personal Information
You have the right to request a copy of the Personal Information we hold about you. To do this, simply contact us at the numbers/addresses listed on our home page and specify what information you would like. We will take all reasonable steps to confirm your identity before providing details of your personal information.
Please note that any such access request may be subject to a payment of a legally allowable fee, as laid down in our POPI Act Policy.
Correction of your Personal Information
You have the right to ask us to update, correct or delete your personal information. We will take all reasonable steps to confirm your identity before making changes to Personal Information we may hold about you. We would appreciate it if you would take the necessary steps to keep your Personal Information accurate and up to date by notifying us of any changes we need to be aware of.
Definition of Personal Information
According to the POPI Act, “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. The POPI Act, which has more specific examples if you need them, can be found at the following link: www.gov.za/documents/download.php?f=204368
Changes to this notice
Please note that we may amend this notice from time to time. Please check our website periodically to inform yourself of any changes.
How to contact us
If you have any queries about this notice or believe we have not adhered to it or need further information about our privacy practices or wish to give or withdraw consent, exercise preferences or access or correct your personal information, please contact us at the numbers/addresses listed on our website.
APPENDIX B: MEDEQUIP POLICY
FOR OBTAINING CONSENT FROM CUSTOMERS / MEMBERS
Medequip collects personal information from you when you register with us for business purposes. We will only use this information to carry out the processes for the purpose for which you registered with us.
We will protect your personal information in accordance with our Customer Privacy Notice and the provisions of the Protection of Personal Information Act, 2013 (South Africa). If you agree, we will use your information to send marketing information to you.
Medequip will not share your personal information with external companies. Personal information will be protected in accordance with the conditions contained in the Protection of Personal Information Act, No. 4 of 2013 (South Africa).
The specific details of the Personal Information we process are contained in the Medequip application form.
APPENDIX C: MEDEQUIP POLICY
FOR CONDITION FOR SPECIFIC PURPOSE
Medequip will only collect personal information from you when the purpose for collection has been explicitly defined and agreed. We undertake to ensure that, as the data subject, you are aware of the purpose for collecting your personal information. Where reasons for processing for further purposes arise, these will be explicitly defined and agreed.
APPENDIX D: MEDEQUIP POLICY FOR ENSURING INFORMATION QUALITY
Medequip will take reasonable steps to ensure that information is complete, accurate, not misleading and, where necessary, updated. Medequip will ensure that appropriate information security measures are established to ensure that personal information is protected in line with industry practices and standards.
APPENDIX E: MEDEQUIP CONSENT NOTICE FOR NOTIFICATION TO DATA SUBJECT (POLICY)
Medequip will ensure that you, as the data subject, are made aware of information being collected. If the data has not been collected directly from the data subject, the source of collection will be provided together with the name and address of the party. The purpose of collection will be provided.
Information relating to the following will also be provided where relevant:
- Whether the supply of information by the data subject is voluntary or mandatory.
- The consequences of failing to provide information.
- The legislation requiring the collection of information.
- If information is to be transferred to another country, information relating to the laws that will protect the information.