Privacy Policy

1. INTRODUCTION

The right to privacy is an integral human right recognized and protected in the South African Constitution and enforced by the Promotion of Access to Information Act 2 of 2000 (PAIA) and the Protection of Personal Information Act 4 of 2013 (POPIA). These Acts are the primary instruments regulating personal data protection in South Africa.

2. PURPOSE OF THE PAIA ACT

The purpose of the PAIA Act is to actively promote a society in which the people of South Africa have effective access to information to enable them to more fully exercise and protect all of their rights. The Promotion of Access to Information Act, 2000 (the “Act”) gives third parties the right to approach private bodies and the government to request information held by them, which is required in the exercise and/or protection of any rights. On request, the private body or government is obliged to release such information unless the Act expressly states that the records containing such information may or must not be released. This manual informs requestors of procedural and other requirements that a request must meet as prescribed by the Act.

3. PURPOSE OF THE PROTECTION OF PERSONAL INFORMATION ACT, 2013

The purpose of this Act is to —

  1. give effect to the constitutional right to privacy, by safeguarding personal information when processed by a responsible party, subject to justifiable limitations that are aimed at—
    1. balancing the right to privacy against other rights, particularly the right of access to information; and
    2. protecting important interests, including the free flow of information within the Republic and across international borders;
  2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
  3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
  4. establish voluntary and compulsory measures, including the establishment of an Information Regulator, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

Through the scope of products and services that CyberAntix (CAX) renders, CAX is by default involved in the collection, use and disclosure of certain aspects of personal information of clients, employees, suppliers and other stakeholders.  

A person’s right to privacy entails having control over his/her personal information and therefore CAX is committed to effectively manage that information in accordance with POPIA’s provisions.

4. PURPOSE OF THIS MANUAL

The purpose of this manual is to facilitate requests for access to records (including records containing Personal Information). A person requesting access to records from CAX (“the Requester”) is advised to familiarise themselves with the provisions of PAIA before making any requests to CAX in terms of PAIA.

5. POLICY APPLICATION

This Policy will apply to:

  • CyberAntix (CAX)
  • Any joint ventures or business organisations owned or controlled by CAX that receive and process personal information for or on behalf of CAX
  • Employees and contractors of CAX
  • Personal information of external Customers and/or Suppliers processed and stored by CAX
  • Personal Information of Employees

6. NATURE OF OUR BUSINESS

CyberAntix Security Operations Centre as-a-Service (SOCaaS) is a state-of-the-art implementation of managed cybersecurity services, focusing on managed detection and response with associated advanced services (proactive hunting, forensics, code reviews, vulnerability assessment, etc.).

7. INFORMATION OFFICER CONTACT DETAILS

Information Officer: Morne Terblanche, mterblanche@cyberantix.co.za

Deputy Information Officers: Pierre Jacobs, pierre.jacobs@cyberantix.co.za

Postal Address: P.O. Box 5687, The Reeds, 0158

Street Address: Waterfall Office Park, Corner Bekker and Montrose Street, Vorna Valley, Midrand, 1686

Telephone Number: 087 004 2220

8. INFORMATION REGULATOR CONTACT DETAILS

The contact details of the Commission are: 

Postal Address: P.O Box 31533, Braamfontein, Johannesburg, 2017

Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg

Website: https://www.justice.gov.za/inforeg

Complaints: complaints.IR@justice.gov.za

General Enquiries: inforeg@justice.gov.za

9. PROCESSING OF PERSONAL INFORMATION IN TERMS OF THE POPI ACT

  1. CAX can only collect personal information for a specific, explicitly defined and lawful purpose and the data subject must be aware of the purpose for which the information is being collected. (section 13)
  2. Once the personal information is no longer needed for the specific purpose, it must be disposed of (the subject must be “de-identified”), unless CAX needs to keep it (or is allowed to keep it) by law, needs to keep the record for its own lawful purpose or in accordance with the contract between CAX and the subject, or the subject has consented to CAX keeping the records. (section 14)
  3. Records must be destroyed in a way that prevents them from being reconstructed.
  4. CAX is entitled to keep records of personal information for historical, statistical or research purposes if safeguards are in place to prevent the records from being used for any other purposes.
  5. CAX can only use personal information for the purpose for which it was collected. (section 15) Documentation relating to personal information and how it has been processed must be maintained as referred to in section 14 or 51 of the Promotion of Access to Information Act.

10. THE PURPOSE OF PROCESSING PERSONAL INFORMATION WITHIN CAX

  1. Staff Administration
  2. Marketing
  3. Registering and managing complaints
  4. Keeping of accounts and records
  5. Complying with tax laws
  6. Collecting visitor data for the purpose of physical security and asset protection
  7. Statistical data to be able to report on Strategic business achievements.
  8. Ability to fulfil contractual obligations with Customers, Suppliers, Employees, Contractors, Consultants and other third parties.
  9. Verification of creditworthiness of Customers and Suppliers.
  10. Criminal Records checks for employees as contractually prescribed.
  11. Processing of personal data during the employment or tender process for possible candidates.

11. CATEGORIES OF DATA SUBJECTS WHOSE DATA CAN BE PROCESSED

  1. Existing and former Employees and Job Applicants
  2. Customer, Supplier, Service Provider Data which include Employees, representatives, contractors and Service Providers of such suppliers.
  3. Directors and Shareholders of CAX
  4. Visitors to CAX premises
  5. Complaints and Enquiry contact information

12. CATEGORIES OF RECORDS HELD BY CAX

| Type | Personal Information Processed |
|---|---|
| Employees and Directors | Identity, Race, Language, Financial Information, Gender, Telephone Numbers, Physical and Postal Addresses, Banking Details, Biometric Data, Credit Check Information (Information Received), Date of Birth, Education Information, Employment History, Marital Status, Email addresses, Contact Details, Bank Account Numbers, SAPS Clearance information (Information Received), Next of Kin Details, Medical Records |
| Clients – Persons / Entities | Names and surname of contact persons, Identity Number, Date of Birth, Email Addresses, Contact Telephone numbers, Name of Legal Entity, Physical and Postal address, Banking Details, Company VAT number, Financial statements, Registration Number, Founding documents, authorised signatories, Landlord Postal Address, Credit Check Information (Information Received), Trade References Names and Telephone Numbers |
| Service Providers/Suppliers | Names and surname of contact persons, Email Addresses, Contact Telephone numbers, Name of Legal Entity, BBBEE Rating, Physical and Postal address, Banking Details, Company VAT number, Financial information, Registration Number, Founding documents, Tax related information, Product Certification, Credit Check Information (Information Received), Skills Certification Records, OHS Training Records, CIPC documents confirming company registration & active directors |

13. CATEGORIES OF RECIPIENTS FOR PROCESSING THE PERSONAL INFORMATION

CAX may supply Personal Information to the following recipients: 

  • Employees of CAX
  • Hosting Partners – Storing of data
  • Shareholders
  • Sending of emails and other correspondence to clients and suppliers
  • Conducting due diligence checks
  • Third-party verification services doing security checks and credit bureaus
  • Suppliers, service providers, vendors, agents and representatives of CAX
  • Collection agencies
  • Management of Employee Provident Funds
  • Management of Employee Group Risk Funds
  • Regulatory, statutory and government bodies
  • Banks and other financial institutions

14. GENERAL DESCRIPTION OF INFORMATION SECURITY MEASURES

CAX employs up-to-date technology to ensure the confidentiality, integrity and availability of the Personal Information under its care. This is also verified by CAX being ISO27001 (Information Security Management) certified.

Some measures include: 

  • Physical Security (Server/DC rooms/Biometric Access)
  • Network Security Controls
  • Virus & Malware protection
  • Software Updates
  • Password Controls
  • Disaster Recovery and Backup policy and measures
  • Service Provider and OEM Agreements
  • Software License Management

15. APPLICABLE LEGISLATION

Records are kept in accordance with legislation as applicable to CyberAntix, which includes but is not limited to:

| NO | REFERENCE | ACT |
|---|---|---|
| 1 | No 75 of 1997 | Basic Conditions of Employment Act |
| 2 | No 53 of 2003 | Broad-Based Black Economic Empowerment Act |
| 3 | ISO22301 | Business Continuity Management System |
| 4 | No 71 of 2008 | Companies Act |
| 5 | No 68 of 2008 | Consumer Protection Act |
| 6 | No 130 of 1993 | Compensation for Occupational Injuries and Diseases Act |
| 7 | 108 of 1996 | Constitution of the Republic of South Africa Act |
| 8 | 98 of 1978 | Copyright Act |
| 9 | No 32 of 2014 | Customs and Excise Amendment Act |
| 10 | No 25 of 2002 | Electronic Communications and Transactions Act |
| 11 | GNR 242 of 6 March 2009 | Electrical Installation Regulations |
| 12 | No 55 of 1998 | Employment Equity Act |
| 13 | 38 of 2001 | Financial Intelligence Centre Act |
| 14 | No 95 of 1967 | Income Tax Act |
| 15 | No 66 of 1995 | Labour Relations Act |
| 16 | 2002 | Ministry for Provincial & Local Government Disaster Management Act |
| 17 | No 34 of 2005 | National Credit Act |
| 18 | No 93 of 1996 | National Road Traffic Act |
| 19 | No 85 of 1993 | Occupational Health and Safety Act |
| 20 | 121 of 1998 | Prevention of Organised Crime Act |
| 21 | No 2 of 2000 | Promotion of Access to Information Act |
| 22 | 26 of 2000 | Protected Disclosures Act |
| 23 | No 4 of 2013 | Protection of Personal Information Act |
| 24 | No 12 of 2004 | Prevention and Combating Corrupt Activities Act |
| 25 | 1999 – Draft Treasury Relations | Public Finance Management Act |
| 26 | 70 of 2002 | Regulation of Interception of Communications and Provision of Communication Related Information Act |
| 27 | 97 of 1998 | Skills Development Act |
| 28 | 2019 | The King 4 Report of Governance of South Africa |
| 29 | 83 of 1993 | Tobacco Products Control Act |
| 30 | No 63 of 2001 | Unemployment Insurance Act |
| 31 | No 4 of 2002 | Unemployment Contributions Act |
| 32 | No 89 of 1991 | Value Added Tax Act |

16. SCHEDULE OF RECORDS HELD BY CAX

16.1. Corporate Governance (Request in terms of PAIA)

  • Documents of incorporation
  • Memorandum and Articles of Association
  • Board of Directors and Board Committee Terms of Reference
  • Minutes of Board of Directors meetings
  • Attendance registers
  • Minutes of Executive Committee Management Meetings
  • Minutes of Operational Meetings
  • Records relating to the appointment of directors/ auditor/ secretary/ public officer and other officers
  • Share Register and other statutory registers
  • Share Certificates
  • Shareholder Agreements
  • Strategic plans
  • Personnel Guidelines, Policies and Procedures
  • Information relating to Health and Safety Regulations
  • Policies and Procedures – Sales, Product Management, Fulfilment, Logistics, Maintenance & Support, Finance, HR, Corporate Development, Facilities, SHE
  • Annual Reports
  • Legal Compliance Records
  • Memoranda of Incorporation
  • Statutory Returns to Relevant Authorities

16.2. Financial Records (Request in terms of PAIA)

  • Annual Financial Statements
  • Bank Statements
  • Tax Returns
  • Accounting Records
  • Electronic Banking Records
  • Asset Register
  • Stock Records
  • Rental Agreements
  • Creditor/Debtors Invoices & Statements
  • Contracts
  • Insurance Information
  • Budgets
  • Purchase and Order Information
  • Details of Auditors

16.3. Income Tax Records (Request in terms of PAIA)

  • VAT Returns
  • Income Tax Returns
  • Employee’s Tax Returns (PAYE, SDL & UIF)
  • Return of Earnings Form

16.4. Personnel Documents and Records (Request in terms of PAIA)

  • Employee Information Records
  • Employee Medical Records (where applicable)
  • Study assistance scheme/s
  • Employment contracts
  • Employment Equity Records
  • Staff recruitment policies
  • Provident Fund Records
  • Disciplinary Records
  • Salary Records
  • SETA Training Records
  • Leave Records
  • Training Records
  • Workplace Skills Plan
  • BBBEE Statistics
  • Performance Appraisals
  • Labour relations records

16.5. Public Affairs (Freely available on website https://www.cyberantix.co.za)

  • Product and Services Information
  • Public Corporate Records
  • Media Releases
  • Newsletters and Publications
  • Social Investment

16.6. Intellectual Property

  • Trademark applications
  • Agreements relating to intellectual property
  • Copyrights

16.7. Legal

  • Complaints, pleadings, briefs and other documents pertaining to any actual or pending litigation, arbitration or investigation
  • Material licenses, permits and authorizations

16.8. Sales and Fulfilment

  • Correspondence
  • Service Agreements and Contracts
  • Client Information such as name, contact details, company information
  • Supplier/Service Provider Information
  • Marketing Brochures
  • Marketing Strategies
  • Product Brochures
  • Market Place Portal

17. REQUEST TO ACCESS INFORMATION INCLUDING PERSONAL INFORMATION

There are two types of requesters:

  • Personal Requester

This is someone who requests access to records containing personal information about him/herself.

  • Other Requester

This person can request access to information pertaining to third parties. The requester must fulfil the requirements for access in terms of the Act.

The prescribed fee for the reproduction of the information will be charged by CAX.

17.1. Request Procedure Including Disclosure, Change and Removal of Information

Requests for access to, change of, or removal of information can be made by email, addressed to the Information Officer at data.protection@cyberantix.co.za.

The Information Officer will provide the data subject with a “J752 PAIA Form C” herewith in Annexure A.

The requester must complete the form and submit it with a payment of a request fee and a deposit if applicable. The prescribed form must be completed in such a way that the Information Officer can identify:

  • The record/s requested
  • The Identity of the requester
  • What form of access is required and
  • The postal address and email of the requester

17.2. Verify the Individual’s Identity

The Information Officer must ensure that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, a legal guardian, power of attorney or authorised agent.

The individual will be required to provide any evidence to confirm their identity. However, sufficient flexibility should be provided to enable individuals who may not have a particular form of identification to be able to access their own personal information.

No personal information will be made known if there is any doubt about the requesting individual’s identity.

17.3. Documents to be Submitted with Request for Disclosure

To make a request for disclosure, fill out all designated items on the request form, and mail it with the required documents.

  1. Personal Information Request Form
  2. Documents for identity verification
    1. Driver’s license
    2. Passport
    3. Identity Document
    4. Other official government documents to verify identity

Once the completed form has been received, the Information Officer will verify the identity of the data subject before handing over any information. All requests will be processed and considered against the PAIA Act.

Internal employee requests will be logged through Zendesk.

The Information Officer will process all requests within 30 days unless the requestor has stated special reasons why circumstances dictate an expedited process.

17.4. Employee Personal Information

17.4.1. Correct or change employee personal information

The Company Personnel system accommodates changes of personal information. Should the information to be changed be of such a nature that the system does not accommodate self-service, the Employee’s personal information can be changed by logging a change of personal information through Zendesk.

17.4.2. Delete or destroy personal information

Employee’s Personal Information will only be deleted after termination of employment according to the retention period stated on the records register and according to legal requirements.

18. REFUSAL TO GIVE ACCESS TO PERSONAL INFORMATION

The Act provides that any request for access to information shall be refused on the following grounds:

  1. Protecting the privacy of a third party

An Information Officer is obliged to refuse access to a record if disclosure thereof involves the unreasonable disclosure of personal information about a third party, including “deceased individuals”. The principle is that a third party him/herself should decide on disclosure of such information.

  2. Protecting the commercial records of a third party in terms of an agreement

The Information Officer may refuse disclosure on the following grounds:

    • Trade secrets of the business or a third party;
    • Financial, commercial, scientific or technical information of the business or a third party which, if disclosed, is likely to cause harm to the commercial or financial interest(s) of the body or third party; or
    • Information supplied in confidence by a third party and where disclosure of such information could reasonably be expected to put the business at a disadvantage in contractual or other negotiations, or prejudice the business in commercial competitions.

  3. Protecting confidential information in terms of an agreement

An Information Officer must refuse a request for access to a record if the disclosure will amount to a breach of a duty of confidence owed to a third party in terms of an agreement or contract.

  4. Protecting the safety of a person or Juristic person

The Information Officer must refuse to disclose the information if such disclosure could compromise the safety of an individual or property. This also relates to the POPI Act, where information is seen as property.

  5. Protecting information in legal proceedings

Concerning other legislation relating to the management and disclosure of information, PAIA will supersede such legislation when the right to access is unjustifiably limited. For example, any record subject to the relationship between an attorney and their client is protected under this Act.

  6. National security

An Information Officer may refuse a request for access to records if their disclosure could reasonably be expected to prejudice the defence, security or international relations of the Republic.

  7. Research Information

An Information Officer may refuse a request for access to records if the record relates to research that is, or will be, undertaken by the body in question and its release would expose them to a serious disadvantage.

19. DECISION

The requester shall be informed within 30 days, in writing, if the request is approved or denied. The 30 days can be extended by another 30 days if the request is of such a nature that the information cannot reasonably be obtained within the original 30 days. The requester will be notified in writing if an extension is necessary.

20. LOCATING THE REQUESTED PERSONAL INFORMATION

The owner of the information will search the records that they possess and control, including hard copy records and electronic databases including emails, calendars, etc.

This also extends to situations where the storage of personal information has been outsourced to a third party. Enquiries will also be made to staff with relevant knowledge.

21. PRESCRIBED FEES

A requestor (other than a personal requester) is required to pay the prescribed fee (R57.50), including VAT, before a request will be processed.

  • A requestor may lodge an application with a court against the tender/payment of the request fee and/or deposit.

21.1. Payment of Prescribed Fees

Payment details can be obtained from the Information Officer and payment can be made via a direct deposit.  Proof of payment must be supplied. 

Four types of fees are provided for in terms of the Act:

  • Request fee: An initial, non-refundable R57.50 (incl. VAT) is payable on submission. This fee does not apply to Personal Requesters, referring to any person seeking access to records that contain their personal information.
  • Reproduction fee: This fee is payable with respect to all automatically available records.
  • Access fee: If the request for access is successful, an access fee may be required to reimburse CAX for the costs involved in the search, reproduction, and/or preparation of the record and will be calculated based on the Prescribed Fees.
  • Deposit: A deposit of one third (1/3) of the amount of the applicable access fee, is payable if CAX receives a request for access to information held on a person other than the requester himself/herself and the preparation for the record will take more than six (6) hours. In the event that access is refused to the requested record, the full deposit will be refunded to the requester.

21.1.1. Reproduction and Access Fees

The applicable fees (excluding VAT) for reproduction and access as referred to above are:

| CATEGORY | RAND |
|---|---|
| For every photocopy of an A4-size page or part thereof | R 1.10 |
| For every printed copy of an A4-size page or part thereof held on a computer or in electronic form | R 0.75 |
| For a copy in a computer-readable form: Compact disc | R 70.00 |
| A transcription of visual images, for an A4-size page or part thereof | R 40.00 |
| For a copy of visual images | R 60.00 |
| A transcription of an audio record, for an A4-size page or part thereof | R 20.00 |
| For a copy of an audio record | R 30.00 |
| To search for the record for disclosure, per hour spent or part of an hour reasonably required for such a search | R 30.00 |

21.1.2. Postal Fees

The actual postal fee is payable when a copy of a record must be posted to a requester in addition to the applicable fees.