iTRINITY Consulting (Pty) Ltd

POPI Act Privacy Policy

Purpose of this document is to outline iTRINITY Consulting’s POPI Act Privacy Code of Conduct.

Page Information

Document Name	iTRINITY Consulting POPI Act Privacy Policy
Document Author	iTRINITY Consulting
Document Version	V1.0
Creation Date	1 June 2021

Abbreviations

	Related Documentation
DM	Document Management
RM	Records Management
DRM	Document and Records Management
PI	Personal Information

Policies, Procedures, Guidelines, and Protocols

Related Documentation

POPI-Act – Compliance Policy

POPI-Act – Information Security Policy (ISP)

POPI-Act – Website Cookie Policy

1. INTRODUCTION

2. AMENDMENTS TO THIS POLICY

3. POLICY PURPOSE

4. POLICY FUNCTION

4.1 Key Risks

5. COMPLIANCE TO POPI ACT CONDITIONS

6. COMPLIANCE TO POPI ACT REQUIREMENTS

7. COLLECTION OF PERSONAL INFORMATION (PI)

8. PROCESSING OF PERSONAL INFORMATION (PI)

9. USE OF PERSONAL INFORMATION (PI)

10. SAFEGUARDING PERSONAL INFORMATION (PI)

11. ACCESS TO PERSONAL INFORMATION (PI)

12. CORRECTION AND DE-IDENTIFICATION OF PERSONAL INFORMATION (PI)

13. DISCLOSURE PERSONAL INFORMATION (PI)

14. POLICY ACTIVATION

Tables

Table 1 – Contact Details

Table 2 – POPI Act Conditions

Table 3 – Personal Information (PI) Collected

1. Introduction

At iTRINITY Consulting we are passionate about Information Technology (IT) and our clients, and we strive to consistently provide innovative solutions to make our clients’ business more efficient.

We pride ourselves on our flexibility towards our clients by developing customized solutions to fit their company needs

Our focus is to provide a one stop IT solution inclusive of the following IT services:

Managed IT Services ensuring an IT infrastructure that is reliable and effective;
Networking services that minimize downtime;
Solution Design, including LAN and WAN solutions;
Hardware & Software – we supply, install, and support a wide variety of hardware and software;
Microsoft Office 365 – we offer the full suite of Microsoft Office 365;
Cloud Solutions – iTRINITY Consulting Cloud Solutions offers our clients on-demand services, virtual networks, storage, and much more, via Cloud Computing Infrastructures;
Upgrades – we ensure our client’s infrastructure is always on the highest standard. We enjoy helping and educating our clients on the benefits of upgrading & building their IT infrastructures.
IT Management – we offer our clients effective IT and Project Management, by supplying trusted IT solutions for our clients’ companies.
Security – we provide security services to our client to ensure that IT Security is implemented as business insurance. Our focus is to minimize the risk of digital infiltration and unauthorised access to systems and data.
IT Audits – we examine and evaluate your organization’s IT infrastructure, policies and IT operations. iTRINITY Consulting will then determine how to protect our clients’ corporate assets and ensure data integrity.

iTRINITY Consulting is committed to compliance with the Protection of the Personal Information Act. (POPI Act)

Name & Surname	Terence Holding
Managing Director	Terence Holding
Information Officer	Terence Holding
Physical Address	Unit 5, Willowcrest Office Estate, 655 van Hoof Street, JHB
Postal Address	PO BOX 21439 Helderkruin 1733
Telephone Number	+27 11 664 6219
Cellphone Number	+27 82 787 3338
Email Address	terence@itrinity.co.za
Website	https://itrinity.co.za

Table 1 – Contact Details

This Policy sets out how iTRINITY Consulting deals with their clients’/customers’ Personal Information (PI) and in addition for what purpose said information is to be used. This Policy can be requested from iTRINITY Consulting directly.

According to the POPI Act requirements iTRINITY Consulting, is committed to inform their clients/customers as to how their Personal Information (PI) is used, disclosed and destroyed.

iTRINITY Consulting therefore guarantees its commitment to protect their clients’/customers’ privacy and ensure their Personal Information is used appropriately, transparently, securely and in accordance with applicable laws.

2. Amendments to this Policy

Amendments to, or a review of this Policy, takes place on an ad hoc basis or at least once a year.

3. Policy Purpose

This policy demonstrates iTRINITY Consulting ’s commitment to protecting the privacy rights of the Data Subject in the following manner:

through stating desired behaviour and directing compliance with the provisions of the POPI ACT;
by cultivating an organisational culture that recognises privacy as a valuable human right;
by developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of Personal Information;
by creating business practices that will provide reasonable assurance that the rights of the Data Subject are protected and balanced with the legitimate business needs of iTRINITY Consulting;
by assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and where necessary Deputy Information Officers;
by raising awareness through training and providing guidance to individuals who process Personal Information (PI) so that they can act confidently and consistently.

4. Policy Function

This policy establishes general standards for the protection of Personal Information (PI) within iTRINITY Consulting and provides principles regarding the right of individuals to privacy and to reasonable safeguarding of their Personal Information (PI).

The Information Officer at iTRINITY Consulting, Terence Holding, is responsible for:

developing and upkeeping this policy;
ensuring this policy is supported by appropriate documentation;
ensuring that documentation is relevant and kept up to date;
ensuring this policy and subsequent updates are communicated to relevant managers, representatives, staff and associates, where applicable.

All employees, contractors, departments and individuals directly associated with iTRINITY Consulting are responsible for adhering to this policy and for reporting any security breaches or incidents to the Information Officer (IO).

Any Service Provider or Third-Party Operator responsible for providing and managing information technology on iTRINITY Consulting’s behalf must adhere to the same information security principles contained in this policy to ensure security measures are in place in respect of processing of Personal Information (PI).

4.1 KEY RISKS

iTRINITY Consulting identifies the following potential key risks, which this policy is designed to address:

breach of confidentiality (information being given out inappropriately);
insufficient clarity about the range of uses to which information will be put — leading to the Data Subject being insufficiently informed;
failure to offer choice about information use when appropriate;
breach of security by allowing unauthorised access;
harm to individuals if Personal Information is not up to date;
management of Personal Information (PI) by Third Party Operators.

5. Compliance to POPI Act Conditions

iTRINITY Consulting acknowledges the conditions for lawful processing of Personal Information (PI) as stipulated in the POPI Act, Chapter 3, Part A and Part B, and its responsibility to comply with each of the conditions.

iTRINITY Consulting undertakes to implement and maintain reasonable measures to ensure that all employees and persons acting on behalf of the iTRINITY Consulting will always be subject to, and act in accordance with the specific conditions and other requirements as stipulated by the POPI Act.

The following conditions are provided for in the Act:

Condition	Description
Accountability	iTRINITY Consulting as the responsible party will be held accountable for the management/implementation of the items mentioned further in this table.
Processing Limitation	At iTRINITY Consulting Personal Information will be processed in accordance with the law. It will be managed in a proper and reasonable manner so as not to intrude on the privacy of the person/entity whose information is being processed.
Purpose Specific	At iTRINITY Consulting the PI will be collected for a specific purpose, which is properly defined and for legitimate reasons. The PI collected will not be kept for longer than is necessary (i.e., must suit the purpose).
Further Process Limitation	The PI collected will not be processed beyond the initial purpose i.e., which makes it incompatible with the original purpose.
Information Quality	The person collecting the information will take proper steps to ensure that the information is complete, accurate, current, and not misleading in any way.
Openness	The information will only be collected by someone who has given notice to/disclosed the requirements, the purpose and the reason to the person/entity concerned.
Security Safeguards	Appropriate technical and organisational measures will be taken to ensure integrity of the information as well as safeguarding it from unauthorised access.
Individual (Data Subject) Participation	Details of PI collected will be made available to the person/entity, that is the Data Subject. The Data Subject(s) will clearly be informed what information is being collected, why it is being collected and that they have the right to request that it gets discarded after using the information for the initial purpose (within reason).

Table 2 – POPI Act Conditions

6. Compliance to POPI Act Privacy Requirements

iTRINITY Consulting undertakes to implement and maintain reasonable measures to ensure that all employees and persons acting on behalf of iTRINITY Consulting will always be subject to, and act in accordance with, the specific conditions as tabled above, and the privacy requirements as stipulated by the POPI Act

The reasonable measures to be implemented will be instrumental to ensure that security and privacy of Personal Information (PI) are addressed with regards to the following categories:

Collection of Personal Information (PI);
Processing of Personal information (PI);
Use of Personal Information (PI);
Safeguarding Personal Information (PI);
Access to Personal Information (PI);
Correction of Personal Information (PI);
Disclosure of Personal Information (PI).

7. Collection of Personal Information (PI)

iTRINITY Consulting collects Personal Information (PI) to support its core business functions which includes specialist support in IT requirements of businesses and individuals.

iTRINITY Consulting collects Personal Information (PI) of Data Subjects (customers, clients, partners) during the following relevant business scenarios:

from the Data Subject to provide services and support for example, o iTRINITY Consulting receives PI as collected via e-mail from a client requesting support. iTRINITY Consulting will further process this PI in line with the original purpose it has been collected for, namely the completion of the service ticket and allocation to an IT support employee consultant.
indirectly via electronic systems such as iTRINITY Consulting’s website submit form.

Examples of documents and Personal Information (PI) collected are:

identity document including identity number, name, surname, tax number, address, postal code;
description of the clients’/customers’ IT infrastructure, business, code access passwords, banking details, etc.

Tabled below are examples of the Personal Information (PI) collected, the business reasons why it is collected, as well as iTRINITY Consulting documents, systems and platforms where it is collected on or from:

PI Collected	Business Reason
Name	IT support; Invoicing
Surname	IT support; Invoicing
Physical Address	IT support; Invoicing
Cellphone Number	IT support; Invoicing
Email Address	IT support; Invoicing
Postal Address	IT support; Invoicing
Postal Code	IT support; Invoicing
Company Details	IT support; Invoicing
Company Banking Details	IT support; Invoicing
Access Codes & Passwords (IT Support related)	IT support; Invoicing

Table 3 – Personal Information (PI) Collected

Highly Sensitive Personal Information (PI)

iTRINITY Consulting will collect highly sensitive Personal Information (PI) relating to our Data Subjects when necessary for a specific business processes e.g., requirements to comply to Covid 19 regulations.

Indirect Personal Information (PI) Collection Processes

iTRINITY Consulting may automatically collect non-Personal Information about Data Subjects through electronic systems such as iTRINITY Consulting Website browser(s). This information will only be used within the system it has been collected from and for no other business purpose.

Condition of Openness

In support of the Condition of Openness and Informed Consent iTRINITY Consulting, as per business practices, can provide to the Data Subject, with the purpose for which the PI is collected. If the Personal Information (PI) has not been collected directly from the data subject, the source of collection can be provided if so requested, within reason.

Information relating to the following can also be provided where relevant:

Whether the supply of information by the Data Subject is voluntary or mandatory;
The consequences of failing to provide information;
The legislation requiring the collection of information.

Condition of Security Safeguards

In support of the Condition of Security Safeguards iTRINITY Consulting will ensure iTRINITY Consulting has put reasonable measures in place to ensure that the Personal Information (PI) collected is complete, accurate, current and not misleading in any way. iTRINITY Consulting’s data systems have validation controls built in to ensure accuracy during the data capturing process. When required Data Subjects will be contacted either personally or via electronic communication to validate the Personal Information (PI) iTRINITY Consulting has on record.

Condition of Processing Limitation

In the instance where iTRINITY Consulting seeks to process and use Personal Information (PI) it holds for a purpose other than the original purpose for which it was collected, and where this secondary purpose is not compatible with the original purpose, iTRINITY Consulting will first obtain additional consent from the Data Subject.

8. Processing of Personal Information (PI)

iTRINITY Consulting’s management acknowledges that, as the Responsible Party, they are accountable for the lawful processing Personal Information (PI) collected.

iTRINITY Consulting acknowledges as stated in Section 10 of the POPI Act that Personal Information (PI) may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.

iTRINITY Consulting undertakes that Personal Information (PI) will only be processed:

if the Data Subject, or a competent person where the Data Subject is a child, consents to the processing;
processing is necessary to carry out actions for a relevant business process such as the conclusion or performance of property and conveyancing transactions to which the Data Subject is party.

iTRINITY Consulting also realises that the Data Subject or competent person may withdraw his, her or its consent at any time or object to processing of Personal Information (PI).

iTRINITY Consulting will in this instance act accordingly without jeopardizing a legal requirement or process.

Direct Marketing Processes

iTRINITY Consulting undertakes that Data Subjects of which Personal Information (PI) are collected and processed, based on business processes requirements for consent, and who are receiving communications from iTRINITY Consulting, can opt out of receiving communications from iTRINITY Consulting at any time.

Personal Information (PI) Quality

In order to ensure the quality of Personal Information (PI) processed iTRINITY Consulting has put reasonable measures in place to ensure that the Personal Information (PI) processed is complete, accurate, current and not misleading in any way.

Data Subjects will be contacted either personally or via electronic communication when relevant to validate the Personal Information (PI) iTRINITY Consulting has on record.

Condition of Security Safeguards

iTRINITY Consulting not only processes Personal Information (PI) for a specific purpose, but also undertakes to secure the Personal Information (PI) processed during its lifetime.

iTRINITY Consulting undertakes to destroy or delete a record of Personal Information (PI) collected as soon as reasonably practicable based on current business practices, even after iTRINITY Consulting is no longer authorised or required by Law to retain the record.

9. Use of Personal Information (PI)

iTRINITY Consulting’s management acknowledges, as the Responsible Party, they are accountable for the lawful use of Personal Information (PI) collected and processed.

iTRINITY Consulting will use Personal and Non-Personal Information collected only for the purpose for which it was originally collected.

iTRINITY Consulting will use the Personal Information (PI) collected in support of core business processes, such as:

on-demand services, virtual networks, storage, etc. via Cloud Computing Infrastructures;
networking support;
to promote (helping and educating) your company’s infrastructure to a higher standard;
solution design, including LAN and WAN;
effective IT and Project Management;
supply, install and support a wide variety of hardware and software;
provide IT Security as business insurance;
the full suite of Microsoft Office 365 – implementing and supporting;
examine and evaluate your organization’s IT infrastructure, policies and IT operations; determine how to protect your corporate assets and ensure data integrity.

Condition of Further Process Limitation

In the instance where iTRINITY Consulting seeks to process Personal Information (PI) it holds for a purpose other than the original purpose for which it was collected, and where this secondary purpose is not compatible with the original purpose, iTRINITY Consulting will first obtain additional consent from the Data Subject.

10. Safeguarding Personal Information (PI)

iTRINITY Consulting is committed to ensuring that the Personal Information (PI) collected and processed by it is secure. iTRINITY Consulting realises that, as responsible party, it is legally obliged to provide adequate protection for the Personal Information (PI) and to stop unauthorised access and use of such Personal Information (PI).

To prevent unauthorised access or disclosure, iTRINITY Consulting has put in place suitable physical, electronic and managerial procedures to safeguard and secure the information iTRINITY Consulting collects and processes.

iTRINITY Consulting’s Information Security Policy (ISP) is available on request for further reference with regards to:

Access Control to Personal Information (PI);
Computer and network security processes;
Monitoring access and usage of Personal Information (PI);
Physical security processes;
Retention and disposal of PI collected;
Secure communication and distribution of PI collected.

Third Party Operators

The Personal Information (PI) processed and managed via third parties on iTRINITY Consulting behalf, must also be managed based on iTRINITY Consulting privacy processes. In the instance that iTRINITY Consulting contracts with third parties, iTRINITY Consulting imposes appropriate security, privacy and confidentiality obligations on them to ensure that the Personal Information (PI) that iTRINITY Consulting is responsible for, is kept secure.

11. Access to Personal Information (PI)

iTRINITY Consulting acknowledges the condition of the POPI Act that stipulates that Data Subjects have the right to request a copy of the Personal Information (PI) iTRINITY Consulting holds about them.

Data Subjects can contact iTRINITY Consulting’s designated Information Officer for assistance at the numbers/addresses listed on the iTRINITY Consulting’s Website.

iTRINITY Consulting will take all reasonable steps to confirm the Data Subject’s identity before providing details of the Data Subjects’ Personal Information (PI).

12. Correction and De-Identification of Personal Information (PI)

iTRINITY Consulting’s Data Subjects have the right to ask iTRINITY Consulting to update, correct or delete their Personal Information (PI).

If the Data Subject believes that any Personal Information (PI), relating to him, her or it, that iTRINITY Consulting is holding or has collected, is incorrect or incomplete, the Data Subject must inform iTRINITY Consulting as soon as possible so that the PI can promptly be corrected.

iTRINITY Consulting will take all reasonable steps to confirm the Data Subject(s) identity before making changes to Personal Information (PI) iTRINITY Consulting may hold about them.

13. Disclosure of Personal Information (PI)

iTRINITY Consulting will disclose a Data Subjects’ Personal Information (PI) to iTRINITY Consulting’s business partners and other third parties who are involved in the delivery of products or services to the data Subject, on a basis of informed consent as per relevant business practices and processes.

iTRINITY Consulting will disclose the PI collected and processed only to:

iTRINITY Consulting employees, directors and/or business Partners / consultants that require the information to fulfil their work duties;
iTRINITY Consulting suppliers and/or vendors that require the information to assist with the service provided;
iTRINITY Consulting courier partners to perform their courier tasks;
iTRINITY Consulting financial service providers and/or banking partners as required by banking and credit card association rules;
to law enforcement (if required to do so to protect iTRINITY Consulting’s rights);
other third parties from whom Data Subjects have chosen to receive marketing information;
other companies’ entities in iTRINITY Consulting’s industry, that will enhance the services and products iTRINITY Consulting can offer to Data Subjects. This only applies where Data Subjects have not objected to such sharing.

14. Policy Activation

Activation

iTRINITY Consulting hereby declares this policy and all the actions stipulated as part of Business-as-Usual practices.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.