SCOPE

 

This policy applies to the business of S. Alderson Emergency Medical Training (herein SAEMT), wherever it is conducted, but based at the registered office. It applies to paid staff.

 

INTRODUCTION

 

The purpose of this policy is to enable SAEMT to:

comply with the law in respect of the data it holds about individuals;

follow good practice;

protect SAEMT’s staff and other individuals;

protect the organisation from the consequences of a breach of its responsibilities.

 

PERSONAL INFORMATION

 

This policy applies to information relating to identifiable individuals, in terms of the Protection of Personal Information Act, 2013 (hereinafter POPI Act).

 

POLICY STATEMENT

SAEMT will:

comply with both the law and good practice

respect individuals’ rights

be open and honest with individuals whose data is held

provide training and support for staff who handle personal data, so that they can act confidently and consistently

 

SAEMT recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:

keeping information securely in the right hands, and

retention of good quality information.

 

Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, SAEMT will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.

 

KEY RISKS

 

SAEMT has identified the following potential key risks, which this policy is designed to address:

Breach of confidentiality (information being given out inappropriately)

Insufficient clarity about the range of uses to which data will be put, leading to Data Subjects being insufficiently informed

Failure to offer choice about data use when appropriate

Breach of security by allowing unauthorised access

Harm to individuals if personal data is not up to date

Data Operator contracts

 

INFORMATION OFFICER RESPONSIBILITIES

 

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 1, and Chapter 5, Part B.

 

INFORMATION OFFICER – RESPONSIBILITIES

 

The Information Officer has the following responsibilities:

Developing, publishing and maintaining a POPI Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:

Reviewing the POPI Act and periodic updates as published

Ensuring that POPI Act induction training takes place for all staff

Ensuring that periodic communication awareness on POPI Act responsibilities takes place

Ensuring that Privacy Notices for internal and external purposes are developed and published

Handling data subject access requests

Approving unusual or controversial disclosures of personal data

Approving contracts with Data Operators

Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information

Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place

Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act

 

Providing direction to any Deputy Information Officer if and when appointed.

 

APPOINTMENT

The appointment of the SAEMT Information Officer will be authorised by the Designated Head.

Consideration will be given on an annual basis to the re-appointment or replacement of the Information Officer and to the need for any Deputy to assist the Information Officer.

 

PROCESSING LIMITATION

 

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Condition 2.

Processing Limitation. SAEMT undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 9 to 12, subject to the following stipulation (Forms of Consent).

 

FORMS OF CONSENT

SAEMT undertakes to gain written consent where appropriate; alternatively a recording must be kept of verbal consent. 

SAEMT undertakes to comply with the POPI Act, Condition 2 in terms of processing limitation, sections 13 and 14, subject to the following stipulation (Retention periods).

 

RETENTION PERIODS

SAEMT will establish retention periods for at least the following categories of data:

  • Directors
  • Staff
  • Learners
  • Facilitators
  • Assessors
  • Moderators
  • Accrediting bodies
  • Suppliers

 

SAEMT will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:

ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.

Data on any individual will be held in as few places as necessary, and all staff will be discouraged from establishing unnecessary additional data sets.

Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.

Staff who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.

 

UPDATING

SAEMT will review all personal information on an annual basis in November of each year.

 

ARCHIVING

Archived electronic records of SAEMT are stored securely off and on site. A certificate of destruction will be obtained for each batch of archived documents destroyed.

 

OPENNESS

 

SAEMT is committed to ensuring that in principle Data Subjects are aware that their data is being processed and

for what purpose it is being processed;

what types of disclosure are likely; and

how to exercise their rights in relation to the data.

 

PROCEDURE

Data Subjects will generally be informed in the following ways:

Staff: through this policy

Customers and other interested parties: through the SAEMT Privacy Policy

 

Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory and why.

 

SECURITY SAFEGUARDS

 

This section of the policy only addresses security issues relating to personal information. It does not cover security of the building, business continuity or any other aspect of security.

 

SPECIFIC RISKS

SAEMT has identified the following risks:

Staff with access to personal information could misuse it.

Staff may be tricked into giving away information, either about customers / members or colleagues, especially over the phone, through “social engineering”.

 

SETTING SECURITY LEVELS

Access to information on the main SAEMT computer system will be controlled by function.

SAEMT has used the POPI-Personal Information Diagnostic tool to identify security levels required for each record held which contains Personal Information.

SECURITY MEASURES

SAEMT will ensure that all necessary controls are in place in terms of access to personal information.

 

DATA SUBJECT PARTICIPATION

Any subject access requests will be handled by the POPI Act Information Officer in terms of Condition 8.

 

  • PROCEDURE FOR MAKING REQUEST

Subject access requests must be in writing. All staff are required to pass on anything which might be a subject access request to the POPI Act Information Officer without delay. Requests for access to personal information will be handled in compliance with the POPI Act and in compliance with the Promotion of Access to Information Act (PAIA), as defined.

 

  • PROVISION FOR VERIFYING IDENTITY

Where the individual making a subject access request is not personally known to the POPI Act Information Officer their identity will be verified before handing over any information.

 

  • CHARGING

Fees for access to personal information will be handled in compliance with the PAIA Act.

  • PROCEDURE FOR GRANTING ACCESS

Procedures for access to personal information will be handled in compliance with the PAIA Act, as defined.

 

PROCESSING OF SPECIAL PERSONAL INFORMATION

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part B, sections 26 to 33.

 


 

SAEMT has the policy of adhering to the process of Special Personal Information which relates to the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject. Unless a general authorisation, alternatively a specific authorisation relating to the different types of special personal information, applies, a responsible party is prohibited from processing special personal information.

 

PROCESSING OF PERSONAL INFORMATION OF CHILDREN

The scope of this aspect of the policy is defined by the provisions of the POPI Act, Part C, sections 34 and 35.

 

SAEMT has the policy of adhering to the process of Special Personal Information of children. This applies to under-18 individuals, so an age check is required for all personal information records. General authorisation concerning personal information of children only applies where under-18s are involved. SAEMT has used the POPI-Personal Information Diagnostic tool to identify any records held which contain Personal Information of children.

 

Whenever data is first collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.

 

SHARING LISTS

SAEMT has the policy of sharing lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly-controlled basis. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with the option to opt out, and has not exercised this option.

 

SAEMT undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt out.

 

ELECTRONIC CONTACT

Whenever e-mail addresses are collected, any future use for marketing will be identified, and the provision of the address made optional.

 

DOCUMENTATION

Information for staff is contained in this policy document and other materials made available by the Information Officer.

 

INDUCTION

The SAEMT Information Officer will ensure that all staff who have access to any kind of personal information will have their responsibilities outlined during their induction procedures.

 

CONTINUING TRAINING

SAEMT will provide opportunities for staff to explore POPI Act issues through training, team meetings, and supervisions.

PROCEDURE FOR STAFF SIGNIFYING ACCEPTANCE OF POLICY

SAEMT will ensure that all staff sign acceptance of this policy once they have had a chance to understand the policy and their responsibilities in terms of the policy and the POPI Act.

 

POLICY REVIEW

The SAEMT Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.

 

PROCEDURE

The SAEMT Information Officer will ensure relevant stakeholders are consulted as part of the annual review to be completed prior to the policy anniversary date.

 

PROTECTION OF PERSONAL INFORMATION ACT 4, 2013

 (Herein as POPI Act, as of 1st July 2021)