Implementation Date: 1 July 2021
TABLE OF CONTENTS
1. Introduction
2. Definitions
3. Policy Scope
4. Policy Statement
5. Appointment of Information Officer
6. Processing of Personal Information
7. Access to Personal Information
8. Implementation Guidelines
9. Eight Processing Conditions
10. Direct Marketing
11. Destruction of Documents
12. Statutory Retention Periods
ANNEXURES
1. Annexure 1 – Information Officer’s Registration Form
2. Annexure 2 – Request for Access to Record of Private Body
3. Annexure 3 – Notification to Object to the Processing of Personal Information
4. Annexure 4 – Customer Register
5. Annexure 5 – Notification of Collection of Personal Information
6. Annexure 6 – Request for Correction, Amendment or Deletion of Personal Information
-
INTRODUCTION
1.1 This Protection of Personal Information Policy (“Policy”) describes the way that Bastion Oil and Gas South Africa (Pty) Ltd (Registration Number: 2013 / 053334 / 07) (“the Company”) will meet its legal obligations and the requirements concerning the confidentiality and information security of its Data Subjects, as defined herein.
1.2 The requirements within the Policy are primarily based upon the Protection of Personal Information Act, No. 4 of 2013 (“POPI”), as that is the key piece of legislation covering security and confidentiality of Personal Information, which aims to give effect to the constitutional rights of privacy and dignity by ensuring that the appropriate measures are in place to protect these rights of Data Subjects.
1.3 This Policy sets out the manner in which Personal Information is stored, regulated, promoted, enforced and Processed. Further, it seeks to ensure compliance with relevant South African and international standards.
1.4 Contact Details:
Managing Director: Barrisford Petersen
Information Officer: Barrisford Petersen
Office Address: 23 Hofmeyr Street, Welgemoed, 7530
Telephone Number: 072 392 4044
Email Address: barrisford@bastionoil.com
-
DEFINITIONS
2.1 Consent means the voluntary, specific and informed expression of will;
2.2 Data Subject means the natural or juristic person to whom the Personal Information relates;
2.3 Direct Marketing means offering the Data Subject oil and gas exploration services in accordance with the scope of the Company’s services;
2.4 POPI means the Protection of Personal Information Act, No. 4 of 2013;
2.5 Personal Information means information relating to an identifiable, living, natural person, or an identifiable, existing juristic person, as defined in POPI; and
2.6 Processing means an operation or activity, whether or not by automatic means, concerning Personal Information.
-
POLICY SCOPE
This Policy applies to all the Company’s employees, directors, agents, clients, service providers and consultants. The provisions of the Policy apply to both on-site and off-site Processing of Personal Information.
-
POLICY STATEMENT
The Company collects and uses, from time to time, the Personal Information of the Data Subjects with whom it engages, from whom it receives and to whom it renders oil and gas exploration services, in order to operate and carry out its business effectively. The Company regards the lawful and appropriate Processing of all Personal Information as essential to successfully serving its Data Subjects and maintaining confidence between the Company and them. The Company therefore fully endorses and adheres to the principles of POPI.
-
APPOINTMENT OF INFORMATION OFFICER
5.1 The duly appointed Information Officer at the Company is set out below:
Information Officer: Barrisford Petersen
Contact Number: 072 392 4044
Email address: barrisford@bastionoil.com
5.2 We confirm that the Information Officer duly completed the registration form as set out in Annexure 1.
-
PROCESSING OF PERSONAL INFORMATION
6.1 Purpose of Processing
The Company uses Personal Information in its possession in the following ways:
6.1.1 Compliance with the Financial Intelligence Centre Act for client-onboarding;
6.1.2 Providing and conducting oil and gas services for the exploitation of natural resources on the African continent;
6.1.3 Complying with oil and gas regulatory requirements as required by the appropriate legislation;
6.1.4 Keeping of accounts and records;
6.1.5 Detecting and preventing fraud, crime, money laundering and other malpractice;
6.1.6 Administration of agreements;
6.1.7 Staff administration; and
6.1.8 Profiling Data Subjects for the purposes of Direct Marketing.
6.2 Categories of Data Subjects and their Personal Information
6.2.1 The Company’s records comprise Personal Information of the following types of Data Subjects:
Entity Type | Personal Information Processed |
--- | --- |
Natural Persons | Names; contact details; physical and postal addresses; dates of birth; ID numbers; tax-related information; nationalities; genders; and confidential correspondence. |
Juristic Persons / Entities | Names of contact persons; names of entities; physical and postal addresses and contact details; financial information; registration numbers; founding documents; tax-related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information. |
Service Providers | Names of contact persons; names of entities; physical and postal addresses and contact details; financial information; registration numbers; founding documents; tax-related information; authorised signatories; beneficiaries; ultimate beneficial owners; shareholding information; BBBEE information. |
Employees / Consultants / Directors | Genders; pregnancies; marital statuses; colours; races; ages; languages; education information; financial information; employment histories; ID numbers; physical and postal addresses; contact details; opinions; criminal records; well-being. |
6.3 Categories of Recipients for Processing the Personal Information
6.3.1 The Company may share the Personal Information with its shareholders, directors, employees, consultants, agents, affiliates, and associated companies, who may use this information to send the Data Subject information on products and services. The Company may supply the Personal Information to any party to whom the Company may have assigned or transferred any of its rights or obligations under any agreement, and/or to service providers who render the following services:
6.3.1.1 Capturing and organising of data;
6.3.1.2 Storing of data;
6.3.1.3 Sending of emails and other correspondence to clients; and
6.3.1.4 Conducting due diligence checks.
6.4 Actual or Planned Transborder Flows of Personal Information
Personal Information may be transmitted across borders and may be stored on data servers hosted outside South Africa, in jurisdictions that may not have adequate data protection laws. The Company will endeavour to ensure that its dealers and suppliers make all reasonable efforts to secure such data and Personal Information.
6.5 Retention of Personal Information Records
The Company may retain Personal Information records indefinitely unless the Data Subject objects thereto. If the Data Subject objects to indefinite retention of its Personal Information, the Company shall retain the Personal Information records to the extent permitted or required by law as detailed under paragraph 12.
6.6 General Description of Information Security Measures
The Company employs up-to-date technology to ensure that the confidentiality, integrity and availability of the Personal Information under its care are appropriately secured. These measures include:
6.6.1 Firewalls;
6.6.2 Virus protection software and update protocols;
6.6.3 Logical and physical access control;
6.6.4 Secure setup of hardware and software making up the IT infrastructure; and
6.6.5 Outsourced Service Providers who Process Personal Information on behalf of the Company are contracted to implement security controls.
-
ACCESS TO PERSONAL INFORMATION
All individuals and entities may request access to Personal Information held by the Company. Any requests should be directed to the Information Officer in accordance with the prescribed form, as per Annexure 2.
7.1 Remedies available if request for access to Personal Information is refused
7.1.1 Internal Remedies
The Company does not have internal appeal procedures. As such, the decision made by the Information Officer pertaining to a request is final, and if a request is refused and the requestor is not satisfied with the response provided by the Information Officer, the requestor will have to exercise such external remedies as are at their disposal.
7.1.2 External Remedies
A requestor who is dissatisfied with the Information Officer’s refusal to disclose information may, within 30 days of notification of the decision, apply to a Court for relief. Likewise, a third party dissatisfied with the Information Officer’s decision to grant a request for information may, within 30 days of notification of the decision, apply to a Court for relief. For purposes of the Act, the Courts that have jurisdiction over these applications are the Constitutional Court, the High Court or another Court of similar status.
7.2 Grounds for Refusal
The Company may legitimately refuse to grant access to a requested record that falls within a certain category. Grounds on which the Company may refuse access include:
7.2.1 Protecting Personal Information that the Company holds about a third person (who is a natural person) including a deceased person, from unreasonable disclosure;
7.2.2 Protecting commercial information that the Company holds about a third party or the Company (for example, trade secrets or financial, commercial, scientific or technical information, the disclosure of which may harm the commercial or financial interests of the organisation or the third party);
7.2.3 If disclosure of the record would result in a breach of a duty of confidence owed to a third party in terms of an agreement;
7.2.4 If disclosure of the record would endanger the life or physical safety of an individual;
7.2.5 If disclosure of the record would prejudice or impair the security of property or means of transport;
7.2.6 If disclosure of the record would prejudice or impair the protection of a person in accordance with a witness protection scheme;
7.2.7 If disclosure of the record would prejudice or impair the protection of the safety of the public;
7.2.8 The record is privileged from production in legal proceedings unless the legal privilege has been waived;
7.2.9 Disclosure of the record (containing trade secrets, financial, commercial, scientific, or technical information) would harm the commercial or financial interests of the Company;
7.2.10 Disclosure of the record would put the Company at a disadvantage in contractual or other negotiations or prejudice it in commercial competition;
7.2.11 The record is a computer programme;
7.2.12 The record contains information about research being carried out or about to be carried out on behalf of a third party or the Company; and
7.2.13 Records that cannot be found or do not exist after a search has been conducted. The requestor will be notified by way of a confirmatory affidavit.
The notice of the Company’s refusal shall be provided in accordance with the prescribed form as per Annexure 3.
-
IMPLEMENTATION GUIDELINES
8.1 Training and Dissemination of Information
This Policy has been put in place throughout the Company, and training on the Policy and POPI will take place with all affected employees. All new employees will be made aware at induction, or through training programmes, of their responsibilities under the terms of this Policy and POPI. Modifications and updates to data protection and information sharing policies, legislation, or guidelines will be brought to the attention of all staff.
8.2 Employee Contracts
8.2.1 Each new employee will sign an Employment Contract containing the relevant Consent clauses for the use and storage of employee information and a confidentiality undertaking as part thereof, and will be personally responsible for ensuring that there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.
8.2.2 Each employee currently employed within the Company will sign an addendum to their Employment Contract containing the relevant Consent clauses for the use and storage of employee information and a confidentiality undertaking as part thereof, and will be personally responsible for ensuring that there are no breaches of confidentiality in relation to any Personal Information, however it is stored. Failure to comply will result in the instigation of a disciplinary procedure.
-
EIGHT PROCESSING CONDITIONS
POPI is implemented by abiding by eight Processing conditions. The Company shall abide by these principles in all its Processing activities involving Personal Information. In addition to the above, the Company maintains for its own internal records a customer register in accordance with Annexure 4.
9.1 Accountability
The Company shall ensure that all Processing conditions, as set out in POPI, are complied with when determining the purpose and means of Processing Personal Information and during the Processing itself. The Company shall remain liable for compliance with these conditions, even if it has outsourced its Processing activities.
9.2 Processing Limitation
9.2.1 Lawful Grounds
The Processing of Personal Information is only lawful if, given the purpose of Processing, the information is adequate, relevant and not excessive. The Company may only Process Personal Information if one of the following grounds of lawful Processing exists:
9.2.1.1 The Data Subject Consents to the Processing;
9.2.1.2 Processing is necessary for the conclusion or performance of a contract with the Data Subject;
9.2.1.3 Processing complies with an oil and gas exploration responsibility imposed on the Company;
9.2.1.4 Processing protects a legitimate interest of the Data Subject; and
9.2.1.5 Processing is necessary for pursuance of a legitimate interest of the Company, or a third party to whom the information is supplied.
9.2.2 Special Personal Information Includes:
9.2.2.1 Religious, philosophical, or political beliefs;
9.2.2.2 Race or ethnic origin;
9.2.2.3 Trade union membership;
9.2.2.4 Health or sex life;
9.2.2.5 Biometric information (including blood type, fingerprints, DNA, retinal scanning, voice recognition, photographs);
9.2.2.6 Criminal behaviour; and
9.2.2.7 Information concerning a child.
9.2.3 The Company may only Process Special Personal Information under the following circumstances:
9.2.3.1 The Data Subject has Consented to such Processing;
9.2.3.2 The Special Personal Information was deliberately made public by the Data Subject;
9.2.3.3 Processing is necessary for the establishment of a right or defence in law;
9.2.3.4 Processing is for historical, statistical, or research reasons; and
9.2.3.5 If the Processing of race or ethnic origin is in order to comply with affirmative action laws.
All Data Subjects have the right to refuse or withdraw their Consent to the Processing of their Personal Information, and a Data Subject may object, at any time, to the Processing of their Personal Information on any of the above grounds, unless legislation provides for such Processing. If the Data Subject withdraws Consent or objects to Processing then the Company shall forthwith refrain from Processing the Personal Information.
9.2.4 Collection directly from the Data Subject
Personal Information must be collected directly from the Data Subject in accordance with the prescribed form as set out in Annexure 5, unless:
9.2.4.1 Personal Information is contained in a public record;
9.2.4.2 Personal Information has been deliberately made public by the Data Subject;
9.2.4.3 Personal Information is collected from another source with the Data Subject’s Consent;
9.2.4.4 Collection of Personal Information from another source would not prejudice the Data Subject;
9.2.4.5 Collection of Personal Information from another source is necessary to maintain, comply with or exercise any law or legal right;
9.2.4.6 Collection from the Data Subject would prejudice the lawful purpose of collection; and
9.2.4.7 Collection from the Data Subject is not reasonably practicable.
9.3 Purpose Specification
The Company shall only Process Personal Information for the specific purposes as set out and defined above in paragraph 6.1.
9.4 Further Processing
New Processing activity must be compatible with the original purpose of Processing. Further Processing will be regarded as compatible with the purpose of collection if:
9.4.1 Data Subject has Consented to the further Processing;
9.4.2 Personal Information is contained in a public record;
9.4.3 Personal Information has been deliberately made public by the Data Subject;
9.4.4 Further Processing is necessary to maintain, comply with or exercise any law; and
9.4.5 Further Processing is necessary to prevent or mitigate a threat to public health or safety, or the life or health of the Data Subject or a third party.
9.5 Information Quality
The Company shall take reasonable steps to ensure that Personal Information is complete, accurate, not misleading and up to date. The Company shall periodically review Data Subject records to ensure that the Personal Information is still valid and correct. Employees should, as far as reasonably practicable, follow this guidance when collecting Personal Information:
9.5.1 Personal Information should be dated when received;
9.5.2 A record should be kept of where the Personal Information was obtained;
9.5.3 Changes to information records should be dated;
9.5.4 Irrelevant or unneeded Personal Information should be deleted or destroyed; and
9.5.5 Personal Information should be stored securely, either on a secure electronic database or in a secure physical filing system.
9.6 Openness
The Company shall take reasonable steps to ensure that the Data Subject is made aware of:
9.6.1 Which Personal Information is collected and the source of the information;
9.6.2 The purpose of collection and Processing;
9.6.3 Where the supply of Personal Information is voluntary or mandatory, and the consequences of a failure to provide such information;
9.6.4 Whether collection is in terms of any law requiring such collection; and
9.6.5 Whether the Personal Information shall be shared with any third party.
9.7 Data Subject Participation
Data Subjects have the right to request access to, amendment of, or deletion of their Personal Information. All such requests must be submitted in writing to the Information Officer in accordance with the prescribed form as set out in Annexure 6.
Unless there are grounds for refusal as set out in paragraph 7.2, above, the Company shall disclose the requested Personal Information:
9.7.1 On receipt of adequate proof of identity from the Data Subject, or requestor;
9.7.2 Within a reasonable time;
9.7.3 On receipt of the prescribed fee, if any;
9.7.4 In a reasonable format; and
9.7.5 The Company shall not disclose any Personal Information to any party unless the identity of the requestor has been verified.
9.8 Security Safeguards
The Company shall ensure the integrity and confidentiality of all Personal Information in its possession by taking reasonable steps to:
9.8.1 Identify all reasonably foreseeable risks to information security; and
9.8.2 Establish and maintain appropriate safeguards against such risks.
9.9 Written Records
Personal Information records should be kept in locked cabinets or safes:
9.9.1 When in use, Personal Information records should not be left unattended in areas where non-staff members may access them;
9.9.2 The Company shall implement and maintain a “Clean Desk Policy” where all employees shall be required to clear their desks of all Personal Information when leaving their desks for any length of time and at the end of the day;
9.9.3 Personal Information which is no longer required should be disposed of by shredding; and
9.9.4 Any loss or theft of, or unauthorised access to, Personal Information must be immediately reported to the Information Officer.
9.10 Electronic Records
All electronically held Personal Information must be saved in a secure database:
9.10.1 As far as reasonably practicable, no Personal Information should be saved on individual/personal computers, laptops or hand-held devices;
9.10.2 All computers, laptops and hand-held devices should be access protected with a password, fingerprint or retina scan, with the password being of reasonable complexity and changed frequently;
9.10.3 The Company shall implement and maintain a “Clean Screen Policy” where all employees shall be required to lock their computers or laptops when leaving their desks for any length of time and to log off at the end of the day; and
9.10.4 Electronic Personal Information which is no longer required must be deleted from the individual laptop or computer and the relevant database. The employee must ensure that the information has been completely deleted and is not recoverable.
Any loss or theft of computers, laptops or other devices which may contain Personal Information must be immediately reported to the Information Officer who shall notify the IT department who shall take all necessary steps to remotely delete the information, if possible.
-
DIRECT MARKETING
As far as Direct Marketing may apply to the Company, all Direct Marketing communications shall contain the Company’s details and an address or method for the customer to opt out of receiving further marketing communications.
10.1 Existing Customers
Direct Marketing by electronic means to existing customers is only permitted:
10.1.1 If the customer’s details were obtained in the context of a sale or service;
10.1.2 For the purpose of marketing the same or similar products; and
10.1.3 If the customer is given the opportunity to opt out of receiving Direct Marketing on each occasion of Direct Marketing.
10.2 Consent
The Company may send electronic Direct Marketing communication to Data Subjects who have Consented to receiving it. The Company may approach a Data Subject for Consent only once.
10.3 Record Keeping
The Company shall keep a record of:
10.3.1 Date of Consent;
10.3.2 Wording of the Consent;
10.3.3 Who obtained the Consent;
10.3.4 Proof of the opportunity to opt out on each marketing contact; and
10.3.5 Record of opt-outs.
-
DESTRUCTION OF DOCUMENTS
11.1 Documents may be destroyed after the termination of the retention period specified herein, or as determined by the Company from time to time.
11.2 Each department is responsible for attending to the destruction of its documents and electronic records, which must be done on a regular basis. Files must be checked in order to make sure that they may be destroyed and also to ascertain if there are important original documents in the file. Original documents must be returned to the holder thereof, failing which they should be retained by the Company pending such return.
11.3 The documents must be made available for collection by an approved document disposal company.
11.4 Deletion of electronic records must be done in consultation with the IT Department to ensure that deleted information is incapable of being reconstructed and/or recovered.
-
STATUTORY RETENTION PERIODS
Legislation | Applicable Provisions | Period |
--- | --- | --- |
COMPANIES ACT | | 7 years |
COMPANIES ACT | | Indefinitely |
CONSUMER PROTECTION ACT | | 3 years |
FINANCIAL INTELLIGENCE CENTRE ACT | | 5 years |
BASIC CONDITIONS OF EMPLOYMENT ACT | | 3 years |
EMPLOYMENT EQUITY ACT | | 3 years |
LABOUR RELATIONS ACT | | 3 years |
LABOUR RELATIONS ACT | | Indefinite |
UNEMPLOYMENT INSURANCE ACT | | 5 years |
TAX ADMINISTRATION ACT | Section 29 documents which: | 5 years |
INCOME TAX ACT | | 5 years |
VALUE ADDED TAX ACT | | 5 years |