Privacy policy & Terms and Conditions
CHOC CHILDHOOD CANCER FOUNDATION SA
(Registration Number 001-338 NPO)
CHOC
PRIVACY POLICY
In this policy the following words and expressions shall, in addition to their respective ordinary meanings, bear the following meanings assigned to each of them respectively:
“Act” means the Protection of Personal Information Act, 2013.
“CHOC” means CHOC Childhood Cancer Foundation SA, registration number 001-338 NPO
“Device” means any computer used to access the Service, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device.
“Service” means the business of receiving funding to attend to the education, awareness, community, family and beneficiary funding for homecare, medical intervention in respect of cancer and specifically in relation to childhood cancer.
This Privacy Policy provides CHOC’s policies and procedures of for collecting, using, processing and disclosing your information. Users can, in part, access the Service through CHOC’s website either as a donor, beneficiary, volunteer, employee, supplier or third party. This Privacy Policy governs the access of the Service through the website, regardless of how it is accessed, and by using the Services you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy on these terms and conditions. All the different forms of data, content, and information described below are collectively referred to as “Information”.
- The Information We Collect and Store
We may collect and store the following information when running the Service:
Information Provided by You
When you register on the Website, you are required to provide us with certain personal information, such as your name, phone number, billing information, email address and business postal addresses.
Log Data
When you use the Service and/or website, we automatically record information from your Device, its software, and your activity using the Services and/or website. This may include the Device’s Internet Protocol (“IP”) address, browser type, the web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Service.
Cookies
We may also use “cookies” to collect information and improve our Services. A cookie is a small data file that we transfer to your Device. We may use “persistent cookies” to save your registration ID and login password for future logins to the Service. We may use “session ID cookies” to enable certain features of the Service, to better understand how you interact with the Service and to monitor aggregate usage and web traffic routing on the Service. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all aspects of the Service.
- How We Use Personal Information
Personal Information
In the course of using the Service, we may collect personal information that can be used to contact or identify you (“Personal Information”). Personal Information is or may be used: (i) to provide and improve our services and/or products and/or the website, (ii) to administer your use of the Service, (iii) to better understand your needs and interests, (iv) to personalize and improve your experience, and (v) to provide or offer software updates and product announcements. If you no longer wish to receive communications from us, please follow the “unsubscribe” instructions provided in any of those communications or update your Profile information.
Analytics
We also collect some information (ourselves or using third party services) using logging and cookies, such as IP address, which can sometimes be correlated with Personal Information. We use this information for the above purposes and to monitor and analyse use of the Service, for the Service’s technical administration, to increase our Service’s functionality and user-friendliness, and to verify users have the authorization needed for the Service to process their requests.
- Information Sharing and Disclosure
Your Use
We do not display your information to other users of the Service. You can review and revise your information at any time. We do not sell your Information to any third party.
Service Providers, Business Partners and Others
We may use certain trusted third-party companies and individuals to help us provide, analyse, and improve the Service (including but not limited to data storage, maintenance services, database management, web analytics, payment processing, and improvement of the Service’s features). These third parties may have access to your information only for purposes of performing these tasks on our behalf and under obligations similar to those in this Privacy Policy.
Compliance with Laws and Law Enforcement Requests; Protection of CHOC’s Rights
We may disclose to third parties’ files stored in your account and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary in order to:
comply with any law, including the Act;
protect the safety of any person from death or serious bodily injury;
prevent fraud or abuse; or
protect CHOC’s property rights.
Non-private or Non-Personal Information
We may disclose your non-private, aggregated, or otherwise non-personal information, such as usage statistics of our Service.
- Changing or Deleting Your Information
If you are a registered user, you may review, update, correct or delete the Personal Information provided in your registration or account profile by changing your “account settings.” If your personally identifiable information changes, or if you no longer desire our service, you may update or delete it by making the change on your account settings. In some cases, we may retain copies of your information if required by law. For questions about your Personal Information on our Service, please contact [email protected].
- Data Retention
We will retain your information for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, you may delete your account. We may retain and use your information in order to comply with our legal obligations, resolve disputes, and enforce our agreements. Consistent with these requirements, we will try to delete your information quickly upon request. Please note, however, that there might be latency in deleting information from our servers and backed-up versions might exist after deletion.
- Security
The security of your information is important to us. When you enter sensitive information (such as a credit card number) on our order forms, we encrypt the transmission of that information using secure socket layer technology (SSL).
We follow generally accepted standards to protect the information submitted to us, both during transmission and once we receive it. No method of electronic transmission or storage is 100% secure, however. Therefore, we cannot guarantee its absolute security. If you have any questions about security on our website, contact us at [email protected].
- Contacting Us
If you have any questions about this Privacy Policy, please contact us at:
Email: [email protected]
Phone: 086 111 3500
- Compliance with the Act
The whole of this Privacy Policy is subject to – and shall be interpreted in compliance with – the Act.
- Changes to our Privacy Policy
This Privacy Policy may change from time to time. If we make a change to this privacy policy that we believe materially reduces your rights, we will provide you with notice (for example, by email). And we may provide notice of changes in other circumstances as well. By continuing to use the Service after those changes become effective, you agree to be bound by the revised Privacy Policy.
COMPLIANCE FRAMEWORK & Manual in terms of the Protection of Personal Information Act, 2013
1. DEFINITIONS AND INTERPRETATION
1.1. “CHOC” means CHOC Childhood Cancer Foundation SA, (registration number 001-338 NPO);
1.2. “Constitution” means the Constitution of the Republic of South Africa, 1996;
1.3. “Client” refers to any natural or juristic person that received or receives services from CHOC;
1.4. “Data Subject” has the meaning ascribed thereto in terms of section 1 of POPIA;
1.5. “Information Officer” means the duly authorised Information Officer, in terms of POPIA, as per the Information Officer Appointment Document, attached hereto;
1.6. “Manual” means this manual prepared in accordance with POPIA;
1.7. “Personal Information” has the meaning ascribed thereto in section 1 of POPIA;
1.8. “POPIA” means the Protection of Personal Information Act 4 of 2013;
1.9. “POPIA Regulations” means the regulations promulgated in terms of section 112(2) of POPIA;
1.10. “Processing” has the meaning ascribed thereto in section 1 of POPIA;
1.11. “Responsible Party” has the meaning ascribed thereto in section 1 of POPIA;
1.12. “SAHRC” means the South African Human Rights Commission.
1.13. Capitalised terms used in this Manual have the meanings ascribed thereto in section 1 of POPIA as the context specifically requires, unless otherwise defined herein.
2. INTRODUCTION
2.1. POPIA
2.1.1. POPIA was assented to on 26 November 2013. Broadly, the purpose of POPIA is to give effect to section 14 of the Constitution, being the constitutional right to privacy by protecting Personal Information and regulating the free flow and Processing of Personal Information.
2.1.2. POPIA sets minimum conditions which all Responsible Parties must comply with so as to ensure that Personal Information is respected and protected. These minimum conditions are the Conditions for Lawful Processing and are more fully described in paragraph 4.1 this Manual.
2.2.1. The purpose of this Manual is to give effect to the constitutional right to privacy in relation to the protection of Personal Information.
2.2.2. POPIA recognises that the right to privacy may be limited in accordance with section 36 of the Constitution to the extent that such limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality, and freedom.
2.2.3. This Manual, amongst other things, details the purpose for which Personal Information may be processed; a description of the categories of Data Subjects for whom CHOC Processes Personal Information as well as the categories of Personal Information relating to such Data Subjects; and the recipients to whom Personal Information may be supplied.
2.2.4. This Manual has been complied by the Information Officer:
2.2.4.1. as an integral part of CHOC’s compliance framework in terms of Regulation 4(1)(a) of the POPIA Regulations; and
2.2.4.2. following the completion of a personal information impact assessment as envisaged by section 4(1)(b) of the POPIA Regulations.
3. CHOC CONTACT DETAILS
3.1. Name of Information Officer:
3.2. Address:
3.3. Postal address:
3.4. Telephone:
3.5. E-mail:
4. PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY CHOC
4.1. Conditions for Lawful Processing
4.1.1. Chapter 3 of POPIA provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA. Below is a description of the eight Conditions for Lawful Processing as contained in POPIA:
4.1.1.1. Accountability – the Responsible Party has an obligation to ensure that there is compliance with POPIA in respect of the Processing of Personal Information.
4.1.1.2. Processing limitation – Personal Information must be collected directly from a Data Subject to the extent applicable; must only be processed with the consent of the Data Subject and must only be used for the purposes for which it was obtained.
4.1.1.3. Purpose specification – Personal Information must only be processed for the specific purpose for which it was obtained and must not be retained for any longer than it is needed to achieve such purpose.
4.1.1.4. Further processing limitation – further processing of Personal Information must be compatible with the initial purpose for which the information was collected.
4.1.1.5. Information quality – the Responsible Party must ensure that Personal Information held is accurate and updated regularly and that the integrity of the information is maintained by appropriate security measures.
4.1.1.6. Openness – there must be transparency between the Data Subject and the Responsible Party.
4.1.1.7. Security safeguards – a Responsible Party must take reasonable steps to ensure that adequate safeguards are in place to ensure that Personal Information is being processed responsibly and is not unlawfully accessed.
4.1.1.8. Data Subject participation – the Data Subject must be made aware that their information is being processed and must have provided their informed consent to such processing.
4.2. Purpose of the Processing of Personal Information by CHOC
4.2.1. As outlined in paragraph 4.1.1.3 above, Personal Information may only be Processed for a specific purpose. The purposes for which CHOC Processes or will Process Personal Information is as follows:
4.2.2. to provide accounts and/or services to the Client in accordance with terms agreed to by the Client;
4.2.3. to undertake activities related to the provision of accounts and/or services to the Client;
4.2.4. to verify the identity of the Client;
4.2.5. for risk assessment, information security management, statistical, trend analysis and planning purposes;
4.2.6. to monitor and record calls and electronic communications with the Client for quality, training, investigation, and fraud prevention purposes;
4.2.7. for crime detection, prevention, investigation and prosecution;
4.2.8. to enforce or defend CHOC’s rights;
4.2.9. to manage CHOC’s relationship with the Client, which may include providing information to the Client about CHOC’s products and/or service;
4.2.10. any additional purposes expressly authorised by the Client; and
4.2.11. any additional purposes as may be notified to the Client or Data Subjects in any notice provided by CHOC.
4.3. Categories of Data Subjects and Personal Information/special Personal Information relating thereto
CHOC shall Process Personal Information on the following Data subjects:
4.3.1. Juristic persons and suppliers:
4.3.1.1 Name;
4.3.1.2 Registration number;
4.3.1.3 B-BBEE Status;
4.3.1.4 Service/good supplied;
4.3.1.5 Address/Region;
4.3.1.6 Contact details (email address and telephone number);
4.3.1.7 Vat number;
4.3.1.8 Banking details/confirmation letter and payment information;;
4.3.1.9 Contact person name;
4.3.1.10 Contract details;
4.3.1.11 Race (individuals);
4.3.1.12 Gender (individuals);
4.3.1.13 Registration certificate/identity document;
4.3.1.14 Tax clearance certificate;
4.3.1.15 Debit order authorisation; and
4.3.1.16 Supplier information, including to the extent the categories of information relate to individuals or representatives of suppliers (e.g., shareholders, directors, etc.) are required.
4.3.2. Natural person as beneficiary, individual or caregiver, where applicable:
4.3.1.1 name;
4.3.1.2 Identity/Passport Number;
Race;
Gender
Age;
Type of assistance;
Diagnosis
Diagnosis date;
Hospital;
Treating doctor;
Treatment status;
Nationality;
4.3.1.13 Designation (beneficiary caregiver, donor);
4.3.1.14 contact details (telephone number, email address); and
4.3.1.15 photographs and other identification and verification data as contained in images of ID card, passport, and other ID documents.
4.3.3. Donors:
4.3.3.1. Name;
4.3.3.2. Identity/Passport/Registration number;
4.3.3.3. contact details (telephone number and email address);
4.3.3.4. Partial credit card number;
4.3.3.5. Age
4.3.3.6. Date of donations;
4.3.3.7. Value of donations;
4.3.3.8. Type of donation;
4.3.3.9. Birthdate;
4.3.3.10. Type of debit order;
4.3.3.11. Membership joining date;
4.3.3.12. User reference;
4.3.3.13. Contact reference;
4.3.3.14. Website;
4.3.3.15. Fax number;
4.3.3.16. Name of Primary contact;
4.3.3.17. Grantmaking focus; and
4.3.3.18. Region.
4.3.4. Employees/volunteers, where applicable:
4.3.4.1. name;
4.3.4.2. employee ID number;
4.3.4.3. race;
4.3.4.4. age;
4.3.4.5. gender;
4.3.4.6. income tax number;
4.3.4.7. qualifications;
4.3.4.8. Start and termination dates;
4.3.4.9. Job title;
4.3.4.10. Volunteer type;
4.3.4.11. Volunteer status;
4.3.4.12. Volunteer skills;
4.3.4.13. Volunteer manager notes;
4.3.4.14. contact details (address/telephone number/email address); and
4.3.4.15. photographs and other identification and verification data as contained in images of ID card, passport, and other ID documents
4.4. Personal Information relating to Children and Health or Medical Status
4.4.1. CHOC will not knowingly process any Personal Information relating to children or the Health or Medical status of any individual without the prior consent of a legal guardian of such child or the data subject except where the processing of such information is:
necessary for the establishment, exercise or defence of a right or obligation in law;
necessary to comply with an obligation of international public law;
for historical, statistical or research purposes to the extent that—
the purpose serves a public interest and the processing is necessary for the purpose concerned; or
it appears to be impossible or would involve a disproportionate effort to ask for consent,
and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the childto a disproportionate extent; or
of personal information which has deliberately been made public by the childwith the consent of a competent person being a legal guardian or by the data subject concerned personally.
CHOC reserves the right to approach the Information Regulator for an exemption to the processing outlined above in respect of children in the requisite form if it deems such processing to be necessary.
4.5. Recipients of Personal Information
CHOC may provide a Data Subjects Personal Information to suppliers, medical institutions, its affiliates, and their respective representatives.
4.6. Cross-Border flows of Personal Information
Section 72 of POPIA provides that Personal Information may only be transferred out of the Republic of South Africa:
4.6.1. If the recipient country can offer such data an “adequate level” of protection. This means that its data privacy laws must be substantially similar to the Conditions for Lawful Processing as contained in POPIA; or
4.6.2. If the Data Subject consents to the transfer of their Personal Information; or
4.6.3. If the transfer is necessary for the performance of a contractual obligation between the Data Subject and the Responsible Party; or
4.6.4. If the transfer is necessary for the performance of a contractual obligation between the Responsible Party and a third party, in the interests of the Data Subject; or
4.6.5. If the transfer is for the benefit of the Data Subject, and it is not reasonably practicable to obtain the consent of the Data Subject, and if it were, the Data Subject, would in all likelihood provide such consent.
4.7. Information security measures to be implemented by CHOC
CHOC shall implement the following security measured in order to ensure that Personal Information is respected and protected:
4.7.1. Access Control of Persons
CHOC shall implement suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment where the data is processed.
4.7.2. Data Media Control
CHOC undertakes to implement suitable measures to prevent the unauthorized manipulation of media, including reading, copying, alteration or removal of the data media used by CHOC and containing personal data of clients.
4.7.3. Data Memory Control
CHOC undertakes to implement suitable measures to prevent unauthorized input into data memory and the unauthorized reading, alteration, or deletion of stored data of the Data Exporter’s customers.
4.7.4. User Control
CHOC shall implement suitable measures to prevent its data processing systems from being used by unauthorized persons by means of data transmission equipment.
4.7.5. Access Control to Data
CHOC represents that the persons entitled to use CHOC’s data processing system are only able to access the data within the scope and to the extent covered by their respective access permissions (authorisation).
4.7.6. Transmission Control
CHOC shall be obliged to enable the verification and tracing of the locations and/or destinations to which the Personal Information is transferred by utilisation of CHOC’s data communication equipment and devices.
4.7.7. Transport Control
CHOC shall implement suitable measures to prevent Personal Information from being read, copied, altered, or deleted by unauthorized persons during the transmission thereof or during the transport of the data media.
4.7.8. Organisation Control
CHOC shall maintain its internal organisation in a manner that meets the requirements of this Manual.
A preliminary assessment of the suitability of the information security measures implemented or to be implemented by CHOC may be conducted in order to ensure that the Personal Information that is processed by CHOC is safeguarded and Processed in accordance with the Conditions for Lawful Processing.
4.8. Objection to the Processing of Personal Information by a Data Subject
Section 11(3) of POPIA and regulation 2 of the POPIA Regulations provides that a Data Subject may, at any time object to the Processing of his/her/its Personal Information, in the prescribed form, subject to exceptions contained in POPIA.
The prescribed form is available on request from CHOC.
4.9. Request for Correction or Deletion of Personal Information
4.9.1. Section 24 of POPIA and regulation 3 of the POPIA Regulations provides that a Data Subject may request for their Personal Information to be corrected/deleted in the prescribed form.
4.9.2. The prescribed form is available on request from CHOC.
PROMOTION OF ACCESS TO INFORMATION ACT NO. 2 OF 2000
1. INTRODUCTION
1.1. The aim of the manual is to assist potential requestors as to the procedure to be followed when requesting access to information / documents from CHOC as contemplated in terms of the Act.
1.2. The manual may be amended from time to time and as soon as any amendments have been finalised, the latest version of the manual will be made public.
1.3. Any requestor is advised to contact the Information Officer should he / she require any assistance in respect of the utilization of this manual and / or the requesting of information / documents from CHOC.
1.4. The following words will bear the following meaning in this manual:
-
“the Act” means the Promotion of Access to Information Act, No. 2 of 2000, together with all relevant regulations published;
-
“CHOC” means CHOC Childhood Cancer Foundation SA, registration number 001-338 NPO;
-
“Manual” shall mean this manual together with all annexures thereto, as available at the offices of CHOC and on CHOC’s website;
-
“SAHRC” shall mean the South African Human Rights Commission;
-
“Information Officer” means the Information Officer appointed by CHOC from time to time, whose details are included under clause 2 below, to which requests for information in terms of the Act should be addressed.
2. INFORMATION OFFICER CONTACT DETAILS
2.1. CHOC hereby appoints, in terms of Section 51(1)(a) of the Act the below named individual as the information officer:
2.1.1. Name of Information Officer: Hedley Lewis
2.1.2. Address: The Avenues Office Park, Syringa Building, 45 Homestead Road, Rivonia, Johannesburg 2128
2.1.3. Postal address: PostNet Suite 105, Private Bag X2600, Houghton 2041
2.1.4. Telephone: 011 326 1717
2.1.5. E-mail: [email protected]
3. GUIDE IN TERMS OF SECTION 10 OF THE ACT
3.1. In terms of Section 10 of the Act, a guide will be compiled by the South African Human Rights Commission containing such information as may be required by a person who wishes to exercise any right contemplated in the Act. The guide will be made available in all official languages by the SAHRC and is obtainable from the SAHRC.
-
Contact details of the South African Human Rights Commission are as follows:
PAIA Unit
3.2.1. Address: 33 Hoof Street, Braamfontein
3.2.2. Telephone: +27 11 877 3600
3.2.3. Fax: +27 11 403 0625
3.2.4. Website: www.sahrc.org.za
3.2.5. E-Mail: [email protected]
4. NOTICE(S) IN TERMS OF SECTION 52(2) OF THE ACT
(Section 51(1)(c) of the Act)
-
At this stage, no notice(s) has / have been published.
5. INFORMATION / DOCUMENTS AVAILABLE IN ACCORDANCE WITH OTHER LEGISLATION
-
CHOC shall keep information / documents in accordance with the following legislation (please note that this is not an exhaustive list):
5.1.1. Insolvency Act, No. 24 of 1936 (Section 134 and155);
5.1.2. Income Tax Act, No. 58 of 1962 (Section 75);
5.1.3. Companies Act, No. 71 of 2008;
5.1.4. Copyright Act, No. 98 of 1978;
5.1.5. Value Added Tax Act, No. 89 of 1991 (Section 65);
5.1.6. Occupational Health and Safety Act, No. 85 of 1993;
5.1.7. Compensation for Occupational injuries and Diseases Act, No. 130 of 1993 (Section 97);
5.1.8. Labour Relations Act, No. 66 of 1995;
5.1.9. Basic Conditions of Employment Act, No. 75 of 1997 (Section 31);
5.1.10. Employment Equity Act, No. 55 of 1998 (Section 26);
5.1.11. Skills Development Act, No. 97 of 1998;
5.1.12. Medical Schemes Act, No. 131 of 1998;
5.1.13. Skills Development Levies Act, No. 9 of 1999;
5.1.14. Unemployment Insurance Act, No. 63 of 2001;
5.1.15 Protection of Personal Information Act, No4 of 2013; and
5.1.16 Non-Profit Organisations Act, No 71 of 1997.
-
The above records, insofar as it being of a public nature are available automatically without a person having to request access thereto in term of the Act, as envisaged in Section 52.
6. DOCUMENTS / INFORMATION HELD BY CHOC IN TERMS OF (Section 51(1)(e) of the Act)
6.1. CHOC holds the information / documents listed herein below:
6.1.1. details relating to the operational, commercial, and financial interests of CHOC;
6.1.2. commercial contracts;
6.1.3. client data base (personal information of clients, commercial and financial information, information on contemplated, existing, and past business transactions, information on agreements, proposals, and intellectual property of such clients);
6.1.4. employment contracts;
6.1.5. personnel records for CHOC’s employees;
6.1.6. human resources (personal information of past, present and prospective employees, and partners / directors); and
6.1.7. insurance policies.
6.2. It is recorded that any and all documents / information requested pertaining to the aforesaid shall only be made available to a requestor subject to the provisions of the Act.
6.3. None of the information held by CHOC is automatically available without a person having to request access in terms of and subject to the provisions of the Act.
6.4. A request for information should be in the prescribed form, addressed to the Information Officer and submitted against payment of the prescribed fee.
7. OTHER INFORMATION (Section 51(1)(f) of the Act)
The Minister of Justice and Constitutional Development has to date not published any regulations in terms of this Section.
8. AVAILABILITY OF THE MANUAL (Section 51(3) of the Act)
8.1. This manual is available for inspection at the offices of CHOC and on CHOC website, free of charge.
8.2. It should be noted that the manual accessible on the website of the SAHRC and in the Government Gazette, does not include the request forms or fee structure. The request forms and fee structure can be obtained on the SAHRC website (www.sahrc.org.za) or the website of the Department of Justice and Constitutional Development (www.doi.gov.za) (under “regulations”).