Data Privacy and Protection Policy

THE MAIN OBJECTIVE

Consulta needs to collect and use certain information about individuals in order to run its business effectively. This information comes from employees, workers, job applicants, customers, suppliers and other individuals with whom Consulta communicates and does business.

Privacy and data protection laws such as the POPI Act govern the way in which Consulta may process information that identifies such individuals, and also give those individuals certain rights and remedies in respect of that information.

Data Protection Laws may also cover “sensitive personal data”, which includes information concerning an individual’s: racial or ethnic group, email address, cellphone number.

In this policy, all types of information identifying individuals, including sensitive personal data, are referred to as “Personally Identifiable Information” or “PII”.

DATA PROTECTION PRINCIPLES

Consulta will adhere to the data protection principles, which are outlined below, when processing any type of Personally Identifiable Information.

Personally Identifiable Information will be:

  • Processed lawfully, fairly and in a transparent manner;
  • Collected for specified, explicit and legitimate purposes, and not further processed in any manner incompatible with such purposes;
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which being processed;
  • Accurate and, where necessary, kept up to date;
  • Retained only for so long as necessary for the purposes for which the data is processed; and
  • Processed in an appropriate manner to maintain security.

COMPUTER / LAPTOP SECURITY

All IT users are given unique account details. You must not share accounts or passwords. You must not use accounts not assigned to you or disclose your account details to others.

You should always lock, log off or shut down your computer, laptop or handheld device during periods where you will be leaving it unattended (e.g. to attend meetings or during lunch breaks). Consulta’s IT systems are designed, where possible, to automatically lock or terminate sessions after a designated period of inactivity. At the end of each working day you should ensure that your computer is properly shut down and that your monitor is switched off. If you have a laptop, it should be stored securely.

You must use a strong password (e.g. a mixture of capital and lowercase letters, numbers and special characters) and keep it confidential.

You should change it regularly and if you believe someone knows your password, you must change it immediately.

Alterations to or maintenance of your computer or IT equipment, or the installation of any hardware or software on Consulta supported assets, must only be carried out by Consulta Information Services.

THIRD PARTY ACCESS

Consulta is responsible for its suppliers and contractors who may access or process Personally Identifiable Information on its behalf. If you are engaging contractors, consultants or temporary employees who will have access to Consulta's systems and/or Personally Identifiable Information, they must first sign an agreement containing provisions that adequately protect Consulta’s Personally Identifiable Information, for example confidentiality and security obligations.

In particular, any project involving the connection by a third party/supplier to Consulta’s systems will require a specific assessment of the risks and additional contractual terms relating to security.

All changes to third party/supplier access to Consulta's network must be reviewed and documented to ensure that security is maintained.

If third party/contractor access is no longer required, connectivity must be terminated and any Personally Identifiable Information obtained by the third party/contractor returned or destroyed in accordance with the contractual terms.

BACKUP PERSONALLY IDENTIFIABLE INFORMATION

Wherever possible, data should be held in networked storage, as this can be easily backed up using automated processes. Removable media such as USB flash drives and CDs should not be used for storing business critical information, as they will not be backed up and the information will therefore not be recoverable if lost, corrupted or accidentally deleted.

CUSTOMER DATA PROTECTION REQUIREMENTS

You must adhere to customer data protection requirements including their policies.

CUSTOMER CONTACT DETAILS

When storing customer contact details you must be aware that, for certain customers, storing a name together with contact details and a role, title or rank will be sensitive information and must be appropriately protected. Accordingly, you should only store the minimum amount of information necessary, and consider whether you need to store all or part of someone’s contact details before doing so.

  • You must not leave any hard copy address books or other documents or devices containing business contacts unattended unless they are kept under lock and key.
  • If you store business contacts electronically, you must store them in a secure area on the Consulta network – for example, in your Consulta Outlook contacts – or, if you keep a list of contacts, you must make sure that the list is password protected.
  • If you access your Consulta Outlook contacts from a mobile device, you must only do so from a secure area of the device or through an encrypted app approved by Consulta Information Services. You may synchronise just the name and the phone number into an unencrypted area if this is necessary and appropriate.
  • You must not store customer contact details directly on any mobile device unless you store them in an area of the device which Consulta Information Services have approved as secure. If you have no alternative, you must store the minimum information possible (for example, a name with a phone number but without a postal or email address or job title). As soon as you are able to store the customer contact details in a secure area, you must do so and erase the customer contact details from your mobile device.

RETENTION OF RECORDS

Consulta may keep certain records for a minimum period of time. In other cases Consulta shall not keep Personally Identifiable Information for longer than is necessary. A retention period of 5 years is normally acceptable in South Africa.

REPORT SUSPECTED DATA SECURITY BREACHES

A data security breach may occur in relation to or as a result of any of the following events (this list is not exhaustive):

  • Theft of data (including physical copies) or equipment (laptops, mobile phones, memory sticks, CD-ROMs, etc.) on which data is stored;
  • User ignorance/lack of training;
  • Unauthorised access/copying;
  • Incorrect security classification/marking/labelling;
  • Insecure mode of transmission;
  • Use of uncontrolled or unauthorised media;
  • Loss, or possible loss, of media, devices or equipment;
  • Loss or possible loss of backup media;
  • Inappropriate retention of information;
  • Misdirection/misrouting of Personally Identifiable Information;
  • Incorrect method of disposal of data or media;
  • Hacking/interception;
  • Eavesdropping/espionage;
  • Inappropriate release to the public domain;
  • Access by unsupervised maintainers/contractors;
  • Inappropriate access controls allowing unauthorised use by employees or others; or
  • Information being obtained by deceiving Consulta.

If you become aware of a Personally Identifiable Information (or other) data security breach, you must immediately report it to the IT Operations Manager, your line manager and/or IT Support.

It is your responsibility to ensure that the report is received and that the IT Operations Manager is actively aware that it has been sent (sending an email or leaving a voice message may be insufficient if you cannot be sure the recipient has picked up the message – always check). Consulta could be subject to significant financial penalties if such incidents are not reported in very tight timescales to the relevant data protection supervisory authority.

You should try to provide as much of the following information as possible (including but not limited to the following):

  • The type of data involved (whether sensitive or otherwise);
  • When the security breach happened;
  • How the breach occurred (e.g. whether data has been stolen or lost, or whether unauthorised access is suspected);
  • If the data has been damaged, in what way it has been damaged or corrupted;
  • How many individuals’ Personally Identifiable Information is likely to be affected by the breach;
  • Who the individuals whose data has been lost are (i.e. whether they are staff, customers, clients or suppliers);
  • Steps taken or to be taken to prevent further issues, whether the breach is a repeat occurrence or if further data is being affected; and
  • Any known contractual commitments given to third parties regarding the security of the Personally Identifiable Information (e.g. to Consulta's customers).

All suppliers to Consulta should also be required to carry out the above steps.

ENSURE THAT PERSONALLY IDENTIFIABLE INFORMATION IS PROCESSED FAIRLY AND LAWFULLY

To prevent the unfair and unlawful processing of others' Personally Identifiable Information, you must refrain from the following conduct (this list is not exhaustive):

  • Selling (or attempting to sell) an individual's Personally Identifiable Information;
  • Collecting, using, disclosing or permitting unauthorised access to Personally Identifiable Information about an individual to a third party outside of Consulta without that individual's consent. There are certain circumstances where consent will be required and guidance will be issued to those who need to know when consent should be obtained;
  • Disclosing or permitting unauthorised access to details of a derogatory nature about customers, clients or suppliers or any other third party; and
  • Using another's Personally Identifiable Information for non-business-related reasons without their consent.

ENSURE THAT PERSONALLY IDENTIFIABLE INFORMATION IS ACCURATE AND KEPT UP TO DATE

Any inaccuracies in Personally Identifiable Information held by Consulta should be corrected by staff across all the relevant systems. Any updates or changes to information provided by an individual at any time should also be made on Consulta's records.

SECURELY DISPOSE OF PERSONALLY IDENTIFIABLE INFORMATION (PII) ONCE IT IS NO LONGER REQUIRED

If Personally Identifiable Information is no longer required you must ensure that it is disposed of carefully and securely. In most cases, Personally Identifiable Information relating to employees and customers should be kept for at least five years, though relevant local requirements must always be checked and considered.

PROTECT INFORMATION WHEN RESPONDING TO EXTERNAL REQUESTS FOR INFORMATION

Telephone enquiries

Any member of staff dealing with telephone enquiries should be careful about disclosing any Personally Identifiable Information held by Consulta. Unless you are confident that you know the caller's identity, or can check it using information that Consulta holds about them, you should pass the message on to the colleague the caller is requesting information about so that they can call the caller back, or ask the caller to put their request in writing. You should refer any difficult situations to the Human Capital Business Partner or your line manager.

Complaints

If you receive an external complaint relating to the use of Personally Identifiable Information (for example, from a customer or supplier), you should: refer the complaint to your Head of ICT; be courteous and request further details of the complaint; and, if the complaint relates to inaccurate Personally Identifiable Information, inform the complainant that it will be investigated and any inaccuracies rectified immediately.

If any member of staff receives a request for information that references any Data Protection Law, please contact your Head of ICT immediately to ensure that it is properly dealt with within the prescribed time limits.

Carry out a Data Protection/Privacy Impact Assessment in certain circumstances

If you are establishing new processes, policies or procedures, embarking on a new project or purchasing new systems: (i) which involve handling or transferring large volumes of Personally Identifiable Information; or (ii) that could present special risks to the rights and freedoms of data subjects or have a material impact on personal privacy; or (iii) that could affect the security of Personally Identifiable Information processed by or on behalf of Consulta, then you should carry out a Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA). This may also apply if you are outsourcing a particular function or service, or in the context of a significant procurement. DPIAs/PIAs are most effective when they are started at an early stage of a project, so that changes can be made before the processes, policies, procedures or systems are finalised and, in particular, before making changes becomes too costly or could delay the project. You should record your assessment in writing.

DPIAs/PIAs are mandatory in certain circumstances where processing of Personally Identifiable Information may result in a high risk to individuals. You should define and use the screening questions to determine whether the processing is of high risk.

Policy Governance

The following table identifies who within Consulta (Pty) Ltd is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

  • Responsible – the person(s) responsible for developing and implementing the policy.
  • Accountable – the person who has ultimate accountability and authority for the policy.
  • Consulted – the person(s) or groups to be consulted prior to final policy implementation or amendment.
  • Informed – the person(s) or groups to be informed after policy implementation or amendment.

Review and Revision

This policy, and all related appendices, will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.

Policy review will be undertaken by the Head of ICT.

References

This policy should be read in conjunction with all other Consulta (Pty) Ltd policy documents and legal documents including the Electronic Communications Policy.

Key Messages

If you are unsure of anything in this policy you should seek advice from the Head of ICT.