TABONO

POPIA

In terms of Section 51 of the Promotion of Access to Information Act, No. 2 of 2000 (“PAIA”), and Section 18 of the Protection of Personal Information Act, No. 4 of 2013 (“POPI”).

Compiled for:
Tabono Holdings (Pty) Ltd
Registration Number: 2014/089904/07
With application to all Tabono subsidiary companies (“the Private Body”).

Table of Contents

  1. Introduction
  2. Definitions and Interpretation
  3. Contact Details of the Private Body – Section 51(1)(a)(i) of PAIA and section 18(1)(b) of the POPI Act
  4. Guide on How to Exercise Rights in terms of PAIA – Section 51(1)(b)(i)
  5. Records Available in terms of Legislation other than PAIA and POPI – Section 51(1)(b)(iii) of PAIA
  6. Description of Subjects and Categories of Records – Section 51(1)(b)(iv) of PAIA
  7. Form of Request for Records
  8. Fees Prescribed in terms of the Regulations – Section 51(1)(f) of PAIA
  9. Protection of Personal Information – Section 51(1)(c)(i)-(iii) of PAIA read with section 18 of the POPI Act
  10. Transborder Flows of Personal Information – Section 51(1)(iv) of PAIA and section 18(1)(g) of the POPI Act
  11. Security Measures to Protect Personal Information – Section 51(1)(v)
  12. Updates to the Manual – Section 51(2)

1. Introduction

This Information Manual is published in terms of section 51 of PAIA, as amended by the POPI Act, as well as section 18 of the POPI Act. PAIA gives effect to section 32 of the Constitution (right of access to information), while the POPI Act gives effect, inter alia, to section 14 (right to privacy). This manual discloses the contact details of the Head of the Private Body; describes the PAIA Section 10 guide; lists records available under other legislation; describes subjects and categories of records and personal information; sets out purposes of processing, recipients, transborder flows (if applicable), security measures; and provides sufficient information to facilitate a request for access to a record of the Private Body.

The reference to any information in addition to that specifically required in section 51 of PAIA and section 18 of the POPI Act does not create any additional right or entitlement. The manual aims to: (i) disclose types of records and facilitate access requests (Part A); and (ii) make data subjects aware of information collection and processing (Part B). The manual may be updated from time to time and made available on the website and/or at the principal place of business, subject to any applicable fee.

2. Definitions and Interpretation

Clause headings are for convenience; expressions denoting gender include other genders; a natural person includes a juristic person and vice versa; singular includes plural and vice versa.

“Data subject” means the person to whom personal information relates. “Personal Information” means information relating to an identifiable living, natural person, and where applicable, an identifiable existing juristic person. “This manual” means this information manual (with annexures), as amended. “The Private Body” means the private body to which this manual applies. “Requester” means a person or entity requesting access to a record that is under the control of the Private Body.

References to legislation are to such legislation as amended or substituted from time to time. Substantive provisions within definitions are given full effect. Where a term is defined within a specific clause, it bears that meaning where used. Day calculations exclude the first day; if the last day falls on a non-business day, the next business day applies. “Including” is not limiting; eiusdem generis does not apply. In any conflict between this manual and PAIA/POPI, PAIA/POPI prevails. The manual is not exhaustive of PAIA/POPI procedures or rights.

3. Contact Details of the Private Body – Section 51(1)(a)(i) of PAIA and section 18(1)(b) of the POPI Act

  • Head of the Private Body: Willem Reon Barnard
  • Postal Address: Block A, Third Floor, Irene Link Commercial, 5 Impala Avenue, Doringkloof, Centurion, 0157
  • Street Address: Block A, Third Floor, Irene Link Commercial, 5 Impala Avenue, Doringkloof, Centurion, 0157
  • Telephone: 0101010600
  • Email: info@tabono.com

PART A: PROMOTION OF ACCESS TO INFORMATION

4. Guide on How to Exercise Rights in terms of PAIA – Section 51(1)(b)(i)

The Human Rights Commission (HRC) compiled a guide (section 10 PAIA) to assist persons wishing to exercise any right in PAIA. Contact details:

  • Postal: Private Bag 2700, Houghton, 2041
  • Tel: +27 11 484 8300
  • Fax: +27 11 484 0582
  • Website: www.sahrc.org.za
  • Email: paia@sahrc.org.za

The guide is available electronically at: https://www.sahrc.org.za/home/21/files/Section%2010%20guide%202014.pdf

With effect from 1 July 2021, the Information Regulator (IR) updates and makes available the guide. IR contact details:

  • Physical: Braampark, Forum 3, 33 Hoof Street, Braampark, Johannesburg, 2017
  • Postal: P.O. Box 31533
  • Tel: +27 10 023 5200
  • Fax: +27 86 500 3351
  • Website: www.justice.gov.za/inforeg/contact.html
  • Email: inforeg@justice.gov.za

5. Records Available in terms of Legislation other than PAIA and POPI – Section 51(1)(b)(iii) of PAIA

Certain records are available in terms of other legislation (access provided in accordance with PAIA and this manual), including (non-exhaustive):

  • Companies Act, 71 of 2008
  • Income Tax Act, 58 of 1962
  • Value Added Tax Act, 89 of 1991
  • Labour Relations Act, 66 of 1995
  • Basic Conditions of Employment Act, 75 of 1997
  • Employment Equity Act, 55 of 1998
  • Skills Development Levies Act, 9 of 1999
  • Unemployment Insurance Act, 63 of 2001
  • Electronic Communications and Transactions Act, 25 of 2002
  • Telecommunications Act, 103 of 1996
  • Electronic Communications Act, 36 of 2005
  • Broad-Based Black Economic Empowerment Act, 53 of 2003
  • Any other applicable industry legislation

6. Description of Subjects and Categories of Records – Section 51(1)(b)(iv) of PAIA

The Private Body holds various records. Listing a category/subject does not guarantee access; each request is evaluated case-by-case under PAIA and applicable law. Use the prescribed request form (see Section 7).

Record Subjects | Categories of Records Held
Internal Administration, Compliance & Management | Records of owners; meeting minutes; resolutions; internal arrangements agreements; records relating to creation/registration; internal auditing & risk; legislative compliance; regulatory reports.
Human Resources | Employee personal records provided to the Private Body; list of employees; conditions of employment and other contractual/quasi-legal records; employee tax and UIF; group life/disability/income protection; pension/provident fund records; health & safety records; internal evaluations; codes of conduct, disciplinary codes/procedures; internal policies; records received from third parties about employees; other internal records and correspondence relating to employees.
Finance | Financial statements and accounting records; accounting reports; taxation records; debtors/creditors; insurance records; banking statements.
Client Records | Client-provided records (directly or via third parties); contractual information; personal records of clients; credit information/research; confidential/privileged/contractual/quasi-legal records; client evaluation records; client account numbers; records generated by/within the Private Body relating to clients, including transactional records.
Service Providers, Suppliers & Third Parties | Client-provided records (directly or via third parties); lists of service providers and suppliers; suppliers’/service providers’ terms & conditions; records kept in respect of other third parties (including JV partners) which belong to the Private Body but are held by such third parties.
Assets | Register of assets (movable/immovable); insurance records relating to assets; register of intellectual property owned by the Private Body.
Other Records | Information relating to the Private Body’s commercial activities; research (internal/commissioned); environment and market information; project management; information technology (systems, network security, software licenses, technology assets); support services; internal communication.

7. Form of Request for Records

Requests must include adequate proof of identity (e.g., certified ID copy) and be made on the prescribed form (Annexure “A”), available from the HRC website (https://www.sahrc.org.za), the Department of Justice (https://www.doj.gov.za), or as advised by the Information Regulator on/after 1 July 2021.

Submit the prescribed form to the Head named in Section 3. This applies to personal requests and requests on behalf of another person (including permanent employees).

The Head will decide within 30 days whether to grant the request. The requester will be notified in the manner indicated in the request. Once granted, actual access will be given as soon as reasonably possible.

If refused, written notice will provide adequate reasons and inform the requester of the right to lodge an appeal with a court of competent jurisdiction (including the period to do so). If the Head fails to respond within 30 days, the request is deemed refused (PAIA s58 read with s56(1)).

8. Fees Prescribed in terms of the Regulations – Section 51(1)(f) of PAIA

For requests other than personal requests:

  • A request fee (R50.00) is payable before processing.
  • If preparation exceeds 6 hours, a deposit (up to one third of the access fee) is payable.
  • A requester may apply to court against the tender/payment of the request fee and/or deposit.

Records may be withheld until fees are paid. The fee structure is prescribed by regulation. In addition to the request fee, the following reproduction/search fees apply:

Description | Fee
Photocopy of an A4-size page or part thereof | R1.10
Printed copy of an A4-size page or part thereof held on computer/electronic form | R0.75
Copy in computer-readable form on compact disc | R70
Transcription of visual images (A4 page or part thereof) | R20
Copy of visual images | R60
Transcription of an audio record (A4 page or part thereof) | R20
Copy of an audio record | R30
Search for the record for disclosure (per hour or part thereof) | R30

The request fee (other than for a personal requester) is R50.00. For s54(2): six hours is the threshold before a deposit is payable; one third of the access fee is payable as a deposit. Actual postage is payable when records must be posted.

PART B: PROTECTION OF PERSONAL INFORMATION

9. Protection of Personal Information – Section 51(1)(c)(i)–(iii) of PAIA read with section 18 of POPI

The Private Body processes certain Personal Information of various data subjects. Below is a description of data subjects, Personal Information processed, sources, whether supply is mandatory/voluntary, purposes, recipients, consequences of failure to provide, and whether information is transferred internationally.

Data Subjects: Employees

Personal Information Processed | Source | Mandatory / Voluntary
Information relating to race, gender, sex, pregnancy, marital status, national/ethnic/social origin, colour, sexual orientation, age, physical/mental health, well-being, disability, religion, conscience, belief, culture, language, birth | EEA2 | Mandatory
Education; medical; financial; criminal; employment history | MIE checks | Mandatory
Identifying number; email; physical address; telephone; location information; online identifiers; other assigned particulars | ID document | Mandatory
Private/confidential correspondence (and further correspondence revealing contents) | Work emails | Voluntary
Views/opinions of another individual about the person | KPIs and performance management | Voluntary
Name where it appears with other personal information or disclosure of the name reveals such information | Employee records | Mandatory

International transfer: No

Purpose: Employment purposes.

Recipients: Internal usage; may be disclosed to the Department of Labour in accordance with statutory requirements; otherwise only under legal obligation or with employee consent.

Consequences of failure to provide: Non-compliance with statutory requirements.

Data Subjects: Clients / Customers

Personal Information Processed | Source | Mandatory / Voluntary
Identifying number; email; physical address; telephone; location; online identifiers; other assigned particulars | Company registration details | Voluntary

International transfer: No

Purpose: Setting up client profile on internal systems.

Recipients: N/A

Consequences of failure to provide: N/A

Data Subjects: Suppliers

Personal Information Processed | Source | Mandatory / Voluntary
Identifying number; email; physical address; telephone; location; online identifiers; other assigned particulars | Company registration documents | Mandatory

International transfer: No

Purpose: Setting up supplier records on internal systems (including banking details) to allow supplier payments.

Recipients: N/A

Consequences of failure to provide: N/A

Data Subjects: Prospective Clients

Personal Information Processed | Source | Mandatory / Voluntary
Identifying number; email; physical address; telephone; location; online identifiers; other assigned particulars | Request for information | Voluntary

International transfer: No

Purpose: Seeking new clients via proposals and/or responding to RFI/RFQ/tender requirements.

Recipients: N/A

Consequences of failure to provide: N/A

Where Personal Information is collected in terms of specific legislation, the Private Body will inform the data subject of that legislation. Data subjects have the right to object to processing. For confirmation of existence or rectification of Personal Information, use the Section 7 access process (PAIA Section 18(1)(h)(iii)).

Personal Information will not be used without consent except as set out above, including: provision of goods/services; informing data subjects of new features/offers/competitions (unless opted out); improving services/website experience; and disclosures to: employees/third-party service providers for communication/delivery; divisions/affiliates/partners (unless opted out) for marketing; law enforcement/government/fraud detection where necessary; contracted service providers (e.g., fraud prevention, marketing, technology) limited to providing services; suppliers for defective goods/services liaison; and third-party sellers for invoicing (limited to email address).

Use/disclosure may be required to comply with law, subpoena, court order, or to protect rights/property. In the event of fraudulent online payment, relevant Personal Information may be disclosed for criminal investigation/legal obligations. Personal Information is not sold, rented, or provided to unauthorised third parties for independent use without consent.

Sensitive categories (beliefs, race, union membership, political persuasion, health/sex life/biometrics, criminal behaviour) are not processed unless consent is provided; necessary for legal rights/obligations; required to comply with obligations of international public law; or for historical/statistical/research purposes serving the public interest where requiring consent would be unreasonable.

Where there are reasonable grounds to believe Personal Information has been accessed/acquired by an unauthorised person, the Information Regulator and data subject (where possible) will be notified (POPI s22). Ratings/reviews may be used (e.g., on website/newsletters/marketing); only first names will be displayed.

We will treat Personal Information as strictly confidential; implement appropriate technical/organisational measures; provide access to view/update details; promptly notify of unauthorised use/disclosure; provide reasonable evidence of compliance on notice; and upon request, promptly return or destroy Personal Information (save where legally required to retain). Personal Information is not retained longer than necessary unless required by law or consented. While protecting privacy rights, liability cannot be guaranteed for unauthorised/unlawful disclosures by third parties not under direct control unless due to gross negligence. Complaints may be raised with us first, then with the Information Regulator:

The Information Regulator (South Africa)
SALU Building, 316 Thabo Sehume Street, Pretoria, 0004

10. Transborder Flows of Personal Information – Section 51(1)(iv) of PAIA and section 18(1)(g) of POPI

The Private Body may transfer authorised Personal Information to another country (e.g., storage; foreign service providers). Any recipient must agree to equivalent protection as required by POPI section 72.

11. Security Measures to Protect Personal Information – Section 51(1)(v)

Physical Security Measures: Access control to premises/key areas (authorised personnel only); devices/user stations password-protected; security gate; cameras; access control (employee key card); on-site security guards; safe storage of physical documentation; shredding of discarded documentation; protection of information stored on printers

Cyber Security Measures: Firewalls; antivirus; regular password changes; data encryption; remote destruction; automatic lock on inactivity; encrypted data transfer channels; backups

12. Updates to the Manual – Section 51(2)

The Private Body may update this manual every six months or from time to time as deemed necessary.

SIGNED at ________________________ on ________________________________ 20______

____________________________________
THE HEAD OF THE PRIVATE BODY