Privacy Policy

POPI Act: African Karting Cup T/A Rok Cup South Africa

1. INTRODUCTION

African Karting Cup PTY Ltd (“AKC/Rok Cup South Africa”) is entrusted with the processing of personal information. AKC shall process personal information in accordance with the provisions of the Protection of Personal Information Act No. 4 of 2013 (“the Act”) and as may be directed by the Regulator.

2. PURPOSE

The purpose of this Policy is to govern the processing of personal information by AKC staff and/or independent contractors in accordance with the requirements of the Information Officer and the Regulator.

3. SCOPE

This Policy applies to:

• the Information Officer;
• the Deputy Information Officer;
• all AKC staff and/or independent contractors processing personal
• information; and all third parties processing personal information as operators where AKC is the responsible party.

4.   GLOSSARY OF DEFINITIONS AND ABBREVIATIONS

In addition to the definitions and abbreviations the following explanation is provided for ease of reading of this policy:

Ø  The Protection of Personal Information Act has been enacted to, among other things, safeguard the processing of personal information of data users. The Act requires the appointment by AKC of an Information Officer, who will be responsible for ensuring internal compliance with the Act.

Ø  In processing the personal information, where AKC determines the purpose and the means of processing personal information, it is a “responsible party”. Where it provides information to a third party to process on its behalf, that party will be referred to as an “operator”.

Ø  In the context of this policy reference to all parties whose personal information may be processed, referred to in the Act as “Data Subjects / Users”, may be to staff, independent contractors, clients, customers, service providers and data subjects as the context may indicate.

Ø  “data subject(s)” is defined as: the person to whom personal information relates

Ø  “operator(s)” is defined as: a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party

Ø  “personal information” is defined as: information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to—

o   information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;

Ø  information relating to the education or the medical, financial, criminal or employment history of the person;

Ø  any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment

to the person;

Ø  the biometric information of the person;

Ø  the personal opinions, views or preferences of the person;

Ø  correspondence sent by the person that is implicitly or explicitly of a private or

Ø  confidential nature or further correspondence that would reveal the contents of

the original correspondence;

Ø  the views or opinions of another individual about the person; and

Ø  the name of the person if it appears with other personal information relating to

the person or if the disclosure of the name itself would reveal information

about the person;

Ø  “responsible party” is defined as: a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information

5.   POLICY STATEMENTS

5.1   General

5.1.1 The basis of this policy is that personal information must be processed in compliance with relevant Protection of Personal Information legislation, governance of AKC and directives of its Information Officer.

5.1.2 The Operations Officer shall by virtue of their position act as the Information Officer of AKC and will be registered as such with the Information Regulator.

5.1.3 The Information Officer shall:

5.1.3.1. encourage and direct compliance by AKC with the Conditions of Lawful Processing of Personal Information;

5.1.3.2. encourage and direct compliance by AKC with requests

made to AKC for access to information;

5.1.3.3. co-operate with the Regulator (appointed in terms of the Act) in any investigations conducted by the Regulator relating to AKC;

5.1.3.4. otherwise ensure compliance by AKC with the provisions of

relevant Protection of Personal Information and Access to Information legislation;

5.1.3.5. where AKC is an operator, ensure that the responsible party is notified where AKC has reasonable grounds to believe the

personal information of a data subject has been accessed or acquired by an

unauthorised person;

5.1.3.6. appoint a Deputy Information Officer as may be required from time to time,

which appointment will be made in writing;

5.1.3.7. develop, implement, monitor and maintain a PoPI Compliance framework;

5.1.3.8. attend to a personal Information impact assessment;

5.1.3.9. develop, implement, monitor and maintain PoPI procedures;

5.1.3.10. develop and implement internal measures to deal with requests in terms of the PoPI Act; and

5.1.3.11. attend to and create Internal Awareness Sessions for all employees.

5.2   Conditions for Lawful Processing of Personal Information

5.2.1      Accountability:

Where AKC:-

• alone or in conjunction with others, determines the purpose of and a means for

processing personal information, it acts as the responsible party;

• processes personal information for a responsible party in terms of a contract or mandate without coming under the direct authority of that party, AKC acts as an operator;

• As a responsible party it shall require operators processing personal information on its behalf to enter into a written contract with AKC, ensuring that the operator processes personal information for AKC with due regard to the Conditions of the Lawful

• Processing of Personal Information, and in particular establishing and maintaining appropriate information security measures to the satisfaction of AKC;

• acts as an operator processing information on behalf of a responsible party, written contracts required by the responsible party shall be considered, negotiated and where necessary amended by the Information Officer prior to the conclusion and signature of the agreement with the responsible party.

5.2.2  Processing Limitation: AKC shall:-

•   process personal information lawfully and in a reasonable manner that does not infringe the privacy of a data subject;

•   process personal information limited to the purpose for which it is to be processed, its adequacy, relevance and ensure that the information collected is not excessive;

•   only process personal information where it has the consent of the data subject, alternatively legitimate justification for processing the information;

•   collect personal information directly from a data subject, unless it has a legitimate justification for collecting the information from another source.

5.2.3  Purpose Specification: AKC shall:-

•   only collect personal information for specific, explicitly defined and lawful purposes relating to its functional activity and shall, unless it is legitimately justified not to, ensure that the data subject is aware of the purpose for collection and processing;

•   not retain personal information any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless required to do so by law, or it is reasonably required for lawful purposes related to AKC functions or activities, or where retention is required by a contract concluded between AKC and the data subject, or the data subject has consented to the retention of his or her personal information.

5.2.4  Further Processing:

AKC shall:-

•   not process personal information contrary to or for a different purpose from the purpose for which it was initially collected.

5.2.5  Information Quality:

AKC shall:-

•   take all reasonably practicable steps to ensure that personal information is complete, accurate, not misleading and updated where necessary.

5.2.6  Openness:

AKC shall:-

•   maintain documentation of all processes and operations that are its responsibility as required by the Promotion of Access to Information Act;

•   will take all reasonably practicable steps to ensure that the data subject is aware of the personal information collected and the personal information that the data subject is entitled to have access to, alternatively receive from AKC.

5.2.7  Security Safeguards:

AKC shall:-

•   Take appropriate, reasonable, technical and organisational measures to prevent the compromise of the integrity or confidentiality of personal information, its loss, damage or unauthorised destruction and the unlawful access to or processing of personal information;

•   In establishing and maintaining appropriate security safeguards, have regard to Generally Accepted Information Security Practices which may apply to it generally, or be required in terms of industry or professional rules and regulations;

•   Establish and maintain appropriate procedures to ensure that in the event of any security breach resulting in the compromise of the integrity or confidentiality of personal information it is able to notify the Regulator and the data subject of the compromise;

•   Conclude in agreements with operators (where AKC is the Responsible Party) and with Responsible Parties (where AKC is the operator) governing the minimum Information Security standards that are to be maintained by the parties to the written contract.

5.2.8  Data Subject Participation:

AKC shall:-

•   establish and maintain procedures that allow a data subject, having provided adequate proof of identity, access to the data subject’s personal information and to request the correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained.

5.3  Processing of the Personal Information of a Child

5.3.1  AKC shall not process personal information concerning a child (any natural person under the age of 18 years) without the prior consent of a legally competent person.

5.3.2  The Information Officer shall establish the necessary controls for the processing of a child’s personal information.

5.4  Processing of Special Personal Information

In the processing of special information the ISF and Information Officer shall establish the necessary controls for the processing of special personal information which includes personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, alleged criminal offences or legal proceedings relating to offences allegedly committed by a data subject.

6. ENFORCEMENT OF POLICY

6.1  This policy shall be enforced by those parties appointed by the Information Officer to do so.

6.2  If disciplinary proceedings are appropriate, they will be conducted in terms of the disciplinary procedures in force at AKC from time to time.

7. REVIEW

7.1  The Information Officer shall:

7.1.1 monitor and review the AKC information systems regularly and to the extent necessary, develop new policy and amend existing policy to enhance the information security of the AKC information systems;

7.1.2 ensures that all new policy documents or amendments to existing policy shall be approved in accordance with the provisions of this policy and, where appropriate, made available to subscribers to AKC services.