Privacy Policy

  1. Introduction
    The right to privacy and access to personal information is endorsed by the Protection of Personal Information Act 4 of 2013 (POPIA) and the Promotion of Access to Information Act 2 of 2000 (PAIA) as amended from time to time. A person’s right to privacy entails having control over his/her personal information and being able to conduct his/her affairs free from unwanted intrusions. POPIA aims to promote the protection of privacy through guiding principles that are intended to be applied to the processing of personal information. It is through the provision of accounting and tax services as well as financial planning services to our clients that the company is involved in the collection, use and disclosure of certain aspects of personal information of prospective and existing clients, employees and other stakeholders. Considering the importance of privacy, the company is committed to effectively managing personal information in accordance with POPIA and PAIA.
  2. Purpose of this policy
    The purpose of this Policy is to protect the company and its clients by adhering to the protection of personal information, which includes the need to:
  • Give effect to the constitutional right to privacy by safeguarding personal information against breaches of confidentiality where personal information of data subjects is shared or disclosed inappropriately through, for example, data breaches and hacking;
  • Prevent reputational damage and financial loss that the company may suffer following an adverse data breach incident; and
  • Offer choice, where required, as all data subjects have the free will to choose how and for what purpose the company uses information relating to them during and after their contractual relationship.

This Policy demonstrates the company’s commitment to protecting the privacy rights of data subjects by:

  • Stating desired behaviour and directing compliance with the provisions of POPIA including best practice;
  • Developing and implementing internal controls for the purpose of managing the compliance risk associated with the protection of personal information;
  • Creating business practices that will provide reasonable assurance that the rights of data subjects are protected and balanced with the legitimate business needs of the company;
  • Assigning specific duties and responsibilities to control owners, including the appointment of an Information Officer and, where necessary, Deputy Information Officers in order to protect the interests of the company and data subjects;
  • Raising awareness and providing guidance to employees and any other authorised individuals who process personal information when carrying out their duties or in terms of a scope of contract in order to ensure that they act confidently and consistently; and
  • Cultivating a culture within the company that recognises privacy as a valuable human right.
  3. Scope of this policy

    This Policy is relevant to the company, specifically:
    – The board of directors, and all other company officials;
    – The company’s employees; and
    – Service providers to the company such as the external auditor, insurers, and any external counsel that may be appointed for expert opinion from time to time.

    POPIA does not apply in situations where the processing of personal information is concluded in the course of purely household or personal activities; or where the personal information has been de-identified (anonymised data).

  4. Policy statement
    The company is committed to protecting the data subjects’ privacy and ensuring their personal information is used appropriately, transparently, securely and in accordance with applicable laws.
  5. Key definitions in this policy:
    “Biometrics” means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprint, DNA analysis, retinal scanning and voice recognition;
    “Child” means a person under the age of 18 years;
    “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
    “Data subject” means the natural or juristic person to whom personal information relates, such as an individual member, employee or an entity that provides the company with products or services;
    “De-identify” in relation to personal information of a data subject, means to delete any information that—
    a) identifies the data subject;
    b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
    c) can be linked by a reasonably foreseeable method to other information that identifies the data subject,
    and “de-identified” has a corresponding meaning;
    “Filing system” means any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria;
    “Information Officer” means the director of the company. Once appointed, the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties. Deputy Information Officers can also be appointed to assist the Information Officer;
    “Deputy Information Officer” means the person to whom any power or duty conferred or imposed on an Information Officer in terms of POPIA has been delegated;
    “Information Regulator” means the Regulator established in terms of section 39 of POPIA;
    “Operator” means a person processing personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party e.g. a third party service provider that has contracted with the company to shred documents containing personal information.
    “Processing” means any operation or activity or any set of operations, whether by automatic means or not, concerning personal information, including
    a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    b) dissemination by means of transmission, distribution or making available in any other form; or products and legal matters relating to those products; or
    c) merging, linking, as well as restriction, degradation, erasure or destruction of information.
    “Record” means any recorded information-
    a) regardless of form or medium, including any of the following:
    – writing of any material;
    – information produced, recorded or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored;
    – label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means;
    – book, map, plan, graph or drawing;
    – photograph, film, negative, tape or other device in which one or more visual images are embodied to be capable, with or without the aid of some other equipment, of being reproduced;
    b) in the possession or under the control of a responsible party;
    c) whether or not it was created by a responsible party and regardless of when it came into existence.
    “Responsible party” means a public or private body or any other person which, alone or in conjunction with others determines the purpose of and means for processing personal information.
    “Person” means a natural person or a juristic person;
    “Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to-
    a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
    b) information relating to the education or the medical, financial, criminal or employment history of the person;
    c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment to the person;
    d) the biometric information of the person;
    e) the personal opinions, views or preferences of the person;
    f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
    g) the views or opinions of another individual about the person; and
    h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
    “Private body” means-
    a) a natural person who carries on or has carried on any trade, business or profession, but only in such capacity;
    b) a partnership which carries on or has carried on any trade, business or profession;
    c) any former or existing juristic person but excludes a public body.
    “Public body” means-
    a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
    b) any other functionary or institution when-
    (i) exercising a power or performing a duty in terms of the Constitution; or
    (ii) exercising a public power or performing a public function in terms of any legislation.
    “Special personal information” means personal information concerning –
    a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or
    b) the criminal behaviour of a data subject to the extent that such information relates to-
    (i) the alleged commission by a data subject of any offence; or
    (ii) any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
  6. Principles
    All employees and persons acting on behalf of the company will always be subject to, and act in accordance with, the following principles:

    Principle 1: Accountability and open communication
    The company upholds and maintains an approach of transparency of operational procedures that controls its collection and processing of personal information. The company is committed to complying with all applicable regulatory requirements related to the collection and processing of personal information. Reasonable measures will be taken to ensure that data subjects are notified (are at all times aware) that their personal information is being collected (directly from the data subject or from an external source e.g. media). The company is responsible for ensuring that the data subjects are aware that-
    – Their personal information is being collected; and
    – The company is the responsible party collecting the personal information by providing the necessary details; including specific reasons for the collection of such information.
    The company will establish and maintain a platform for data subjects who want to:
    – Enquire whether the company holds related personal information; or
    – Request the company to update or correct related personal information; or
    – Make a complaint concerning the processing of personal information.

    Principle 2: Processing limitation
    The company will ensure that personal information under its control is processed:
    – In a fair, lawful and non-excessive manner; and
    – In a reasonable manner that does not infringe the privacy of the data subject.
    The company will inform the data subject of the reasons for collecting his/ her or its personal information and obtain written consent, where required, prior to processing personal information.

    Where applicable, the data subject will be informed of the possibility that their personal information will be shared with other entities acting on behalf of the company and be provided with reasons for doing so.

    Principle 3: Purpose specification
    The company will process personal information only for specific, explicitly defined and legitimate reasons. Data subjects will be informed of these reasons when collecting or recording the data subject’s personal information.

    Principle 4: Further processing limitation
    Personal information will not be processed for a secondary purpose unless that processing is compatible with the original purpose. Therefore, where the company seeks to process personal information it holds for a purpose other than the original purpose for which it was collected, and where this secondary purpose is not compatible with the original purpose, the company will first obtain consent from the data subject.

    Principle 5: Information quality
    The company undertakes to take reasonable steps to ensure that personal information collected is complete, up to date, accurate and not misleading. This means that it may be necessary to request data subjects from time to time to update their information and confirm that it is still relevant. Where personal information is collected or received from third parties, the company will take reasonable steps to confirm that the information is correct by requesting the third party to confirm the accuracy of the information.

    Principle 6: Security safeguards
    The company undertakes to secure the integrity and confidentiality of personal information in its possession, as personal information is at great risk of loss, breach of confidentiality, corruption, hacking or theft when it is accessed or used. The company will provide the necessary reasonable security of data and keep it in accordance with prescribed legislation.

    The company will manage the security of its filing system to ensure that personal information is adequately protected and to this end, security controls will be appropriate to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction. The company will regularly review its security controls which will include regular testing of protocols and measures implemented to combat cyber-attacks on the company’s IT network. All hardcopy and electronic records comprising personal information will be securely stored and made accessible only to authorised persons.

    The company’s operators are required to enter into service level agreements with the company where both parties pledge their mutual understanding and commitment to POPIA and the lawful processing of any personal information pursuant to the agreement.

    Principle 7: Processing of personal information

    Personal Information will only be used for the purpose for which it was collected and agreed upon. This may include, but is not limited to, the following:
    – Provide long term, short term, investment and retirement products or services to clients or their beneficiaries and to carry out the transactions requested;
    – Provide services to clients and beneficiaries to carry out the services requested, to maintain and constantly improve the relationship;
    – For underwriting purposes, where applicable;
    – Assess and process claims;
    – Conduct verification, where necessary;
    – Confirm, verify and update client and beneficiary details;
    – For purposes of claims history;
    – For the detection and prevention of fraud, crime, money laundering or any other misconduct;
    – For market or customer satisfaction research;
    – For accounting and tax record keeping purposes;
    – In connection with legal proceedings; and
    – In connection with and to comply with tax, legal and regulatory requirements or when it is otherwise allowed by law.

    Where Personal Information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.

    Principle 8: Data subject participation
    A data subject may request the correction or deletion of his, her or its personal information held by the company. They may contact the company for such requests.

  7. Rights of data subjects
    Where appropriate, the company will ensure that data subjects are made aware of the rights conferred upon them as data subjects. The company will ensure that it gives effect to the following rights:

    7.1 The right to access personal information
    The company recognises that a data subject has the right to establish whether the organisation holds personal information related to him or her, including the right to request access to that personal information. In addition, data subjects have the right to:
    – Request what personal information the company holds about them and why;
    – Be informed on how to keep their personal information up to date.

    Access to information requests can be made by email and the prescribed form, addressed to the Information Officer.

    7.2 The right to have personal information corrected or deleted
    A data subject has the right to request the correction or deletion of personal data that is inaccurate, incomplete, unnecessary, and excessive or where the company is no longer authorised to retain such personal information.

    7.3 The right to object to the processing of personal Information
    The data subject has the right, on reasonable grounds, to object to the processing of his, her or its personal information. In such circumstances, the company will give due consideration to the request and the requirements of POPIA. The company may cease to use or disclose the data subject’s personal information and may, subject to any statutory and contractual recordkeeping requirements, also approve the destruction of the personal information. Objecting to processing of personal information may in some instances lead to the cancellation of financial products and the company resigning as the data subject’s accountant and tax practitioner.

    7.4 The right to object to direct marketing
    The data subject has the right to object to the processing of his, her or its personal information for purposes of direct marketing by means of unsolicited electronic communications.

    7.5 The right to complain
    The data subject has the right to submit a complaint to the company and to the South African Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his/her or its personal information.

    7.6 The right to be informed
    The data subject has the right to be notified that his, her or its personal information is being collected by the company where reasonable. Furthermore, the data subject has the right to be notified in any situation where the company has reasonable grounds to believe that the personal information of the data subject has been accessed by an unauthorised person.

  8. Personal information of a child
    The company undertakes to ensure that lawful processing of the personal information of a child takes place where the child is under the age of 18 and such processing is limited to the extent that consent is given or authorised by the holder of parental responsibility over the child, or other competent person or where a lawful reason exists.
  9. Special Personal Information
    The company undertakes to maintain processes in place to:
    – Identify special personal information held or requested, on information technology systems or other documents;
    – Ensure that special personal information is processed only when:
    – the data subject has consented to the processing;
    – a competent person has consented to the personal information relating to a child;
    – processing is necessary for the establishment, exercise or defence of a right;
    – the information has deliberately been made public by the data subject; or
    – processing is necessary to comply with an obligation of international public interest.
  10. Information officer
    The company will appoint Information Officer/s and, where necessary, Deputy Information Officer/s to assist the Information Officers. The Information Officers and their deputies are responsible for ensuring compliance with POPIA and PAIA, which includes attending to requests for personal information, related queries and complaints made to the Fund in accordance with the PPS Group Information and Privacy Standard by data subjects and the Information Regulator. Once appointed, the Information Officers will register with the South African Information Regulator established under POPIA.
  11. Complaints procedure
    Data subjects have the right to complain in the event where any of their rights in terms of POPIA have been infringed. The company takes all complaints in a serious light and will address all personal information/ privacy related complaints in accordance with its documented procedure.
  12. Publication of the Privacy Policy
    The Policy is published internally and will be made available to all clients via email.
  13. Accountabilities and responsibilities for compliance
    The Board of directors of the company will continually be responsible for ensuring the safeguarding, protection and avoidance of any unauthorised disclosure or breach of personal information in the execution of their duties.

    13.1 The Board of Directors

    Accountabilities
    The Board is ultimately responsible for ensuring that the company meets its legal obligations in terms of POPIA, regulations, directives, supervisory requirements and internal policies and supporting standards relating to the protection of personal information.
    Roles and responsibilities
    – To approve and adopt this Policy;
    – To promote a culture of personal information protection and compliance;
    – Ensure that the risk of unlawful processing of personal information and data breaches are assessed and considered as part of the company’s risk assessment and strategic plans; and
    – Monitor management’s reports on processing of personal information and data breach risks, policies, and control activities, which include obtaining assurance that the controls are effective. The Board should also establish mechanisms to ensure it is receiving accurate and timely information from the staff, service providers and other stakeholders regarding potential data breach occurrences.

    13.2 Information Officers and Deputy Information Officers
    Accountabilities
    – Assists the Board in ensuring compliance with the conditions of lawful processing of personal information and data breach risk management across the board; and
    – Information Officers and Deputy Information Officers will be appointed according to the legal and regulatory requirements and will fulfil their regulatory obligations.
    Roles and responsibilities
    – Take steps to ensure the company’s compliance with the provisions of POPIA;
    – Review the company’s information protection procedures and related policies;
    – Ensure that privacy notices for internal and external purposes are developed and published;
    – Ensure that the company makes it possible for data subjects to update their personal information or submit POPIA related complaints to the company;
    – Address clients’ POPIA related questions;
    – Provide direction when appointed;
    – Address all POPIA related requests and complaints made by data subjects;
    – Oversee the awareness training of all individuals involved in the processing of personal information on behalf of the company;
    – Liaising and working with the Information Regulator in relation to ongoing investigations, arising issues, reporting and any other related matter;
    – Review and recommend this Policy to the Board for review.
    – Review reports on non-compliance with established policies and procedures and ensure that appropriate plans for corrective action are put in place.
    – Obtain feedback on progress made against action plans and ensure delivery.
    – Encourage compliance with conditions for the lawful processing of personal information.
    – Ensure that personal information impact assessments are done to ensure that adequate measures and standards exist within the Fund;
    – Ensure that a PAIA and POPIA Standard is developed, implemented and maintained;
    – Ensure that adequate IT and operational systems are in place and well-maintained to process requests for access to information.

Information and Privacy Standard

as prescribed in terms of the

PROMOTION OF ACCESS TO INFORMATION ACT 2 OF 2000 AND PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013

  1. Introduction
    Section 32 of the Constitution of the Republic of South Africa, No. 108 of 1996 (“the Constitution”) provides:
    (1) Everyone has the right of access to –
    – any information held by the state; and
    – any information that is held by another person and that is required for the exercise or protection of any rights.
    (2) National legislation must be enacted to give effect to this right and may provide for reasonable measures to alleviate the administrative and financial burden on the state.

    Section 32 of the Constitution affords everyone the right to access information held by the State or any other person. The Constitution requires that national legislation be enacted to give effect to this right. The Promotion of Access to Information Act, 2 of 2000 (PAIA), gives effect to this constitutional right of access as required in terms of sub-section (2). PAIA provides that a person must be given access to any record of a private body if the record is required for the exercise of any right and the procedural requirements relating to a request have been complied with. PAIA applies to any recorded information, regardless of form or medium, under the control of the private body, and whether or not the private body created it.

    Where a request is made in terms of PAIA, the private or public body to which the request is made is obliged to release the information, except where PAIA expressly provides that the information must not be released. PAIA sets out the requisite procedural issues attached to such request.

    APEX SCIENTIFIC (PTY) LTD (‘the company’), has confirmed its status as a private body in terms of the definition in PAIA as well as a responsible party in terms of the definition in the Protection of Personal Information Act, 4 of 2013 (POPIA). The company respects and values data privacy rights, and ensures that all personal data collected from you is processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

  2. Key definitions
    “Biometrics” means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprint, DNA analysis, retinal scanning and voice recognition;
    “Conditions for Lawful Processing” means the conditions for the lawful processing of Personal Information as fully set out in chapter 3 of POPIA;
    “Consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;
    “Constitution” means the Constitution of the Republic of South Africa, 1996;
    “Customer” refers to any natural or juristic person that received or receives services from the company;
    “Data Subject” means the natural or juristic person to whom personal information relates, such as an individual client, employee or an entity that provides the company with products or services;
    “Information Officer” means the head of a private body. Once appointed the Information Officer must be registered with the South African Information Regulator established under POPIA prior to performing his or her duties which include handling requests for information amongst others. Deputy Information Officers can also be appointed to assist the Information Officer;
    “Deputy Information Officer” means the person to whom any power or duty conferred or imposed on an Information Officer in terms of POPIA has been delegated to assist the requester in their information request. PAIA does not provide for private bodies to designate a Deputy Information Officer, however it is recommended by the Information Regulator that they do so for efficiency and convenience;
    “Information Regulator” means the Regulator established in terms of section 39 of POPIA;
    “Standard” means this Information and Privacy Standard prepared in accordance with section 51 of PAIA and regulation 4(1)(d) of the POPIA Regulations;
    “Person” means a natural person or a juristic person;
    “Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
    a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;
    b) information relating to the education or the medical, financial, criminal or employment history of the person;
    c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other assignment to the person;
    d) the biometric information of the person;
    e) the personal opinions, views or preferences of the person;
    f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
    g) the views or opinions of another individual about the person; and
    h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
    “Personal Requester” means a requester seeking access to a record containing personal information about the requester;
    “Personnel” refers to any person who provides services to or on behalf of the company and any other person who assists in carrying out or conducting the business of the company. This includes, without limitation, the directors, employees and contractors of the company;
    “POPIA Regulations” mean the regulations promulgated in terms of section 112(2) of POPIA;

    “Processing” means any operation or activity or any set of operations, whether by automatic means or not, concerning personal information, including-
    a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    b) dissemination by means of transmission, distribution or making available in any other form; or products and legal matters relating to those products; or
    c) merging, linking, as well as restriction, degradation, erasure or destruction of information;
    “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others determines the purpose of and means for processing personal information;
    “Record” means any recorded information regardless of the form, including, for example, written documents, video materials etc. A record requested from a public or private body would refer to a record that was in that body’s possession regardless of whether that body created the record;
    “Request Fee” means the cost to be paid for making an access to information request;
    “Requester” means the natural or juristic person making an access to information request. A requester also refers to the person who is making the information request on behalf of somebody else;
    “Request for Access” in relation to a private body, means a request for access to a record of a private body in terms of section 50 of PAIA; and
    “Third Party” refers to any natural or juristic person who is not the requester of the information, nor the body to whom the information request is made.

    Capitalised terms used in this Standard have the meanings ascribed thereto in section 1 of POPIA and section 1 of PAIA as the context specifically requires, unless otherwise defined herein.

  1. Purpose
    The purpose of the Standard is to provide an outline of the types of records held by the company, inform you of our data protection and security measures, serve as a guide in exercising rights in terms of POPIA and explain how one may submit requests for access to these records in terms of PAIA. POPIA and PAIA give effect to everyone’s constitutional rights to privacy and access to information held by private sector bodies (e.g. companies) or public bodies (i.e. Government institutions) that is required for the exercise and/or protection of the requester’s rights.
  2. Contact details
    Information Officer: LARENDRA MAHARAJ
    Physical address: 1 TROON PLACE, DURBAN NORTH, 4051
    Postal address: 1 TROON PLACE, DURBAN NORTH, 4051
    E-mail: laren@apexscientific.co.za
    Telephone: 083 783 7437

  3. A guide on how to access information via PAIA
    The South African Human Rights Commission has compiled a guide as required in terms of section 10 of the South African Human Rights Commission Act, 2013 on how to access information. This guide is available to the public at no cost and contains information on:
    – understanding and how to use the Act,
    – the objectives of the Act,
    – particulars of every public and private body,
    – the manner and form for requests, and
    – contents of the Regulations promulgated under the Act.

    Any queries regarding this guide should be directed to:

    The South African Information Regulator:
    Postal Address: PO Box 31533, Braamfontein, Johannesburg, 2017.
    Website: www.justice.gov.za/inforeg/
    Complaints Email Address: complaints.IR@justice.gov.za
    General Enquiries Email: inforeg@justice.gov.za

  1. Records available in terms of other legislation
    Certain legislation mandates the company to allow any person access to specified information, upon request, irrespective of who that person may be. Access to information may be granted in terms of such other legislation if the manner of request is not more onerous than a request under PAIA and POPIA.

    This would include the following legislation, amongst others:

    – Companies Act 71 of 2008;
    – Income Tax Act 58 of 1962;
    – Value-Added Tax Act 89 of 1991;
    – Unemployment Insurance Act 63 of 2001;
    – Workmen’s Compensation Act 30 of 1941;
    – Prevention of Organised Crime Act 121 of 1998;
    – Financial Intelligence Centre Act 38 of 2001;
    – Constitution of South Africa 108 of 1996;
    – National Credit Act 34 of 200

  2. Access to records held by private body in question

    I. Records/information which are automatically available to a person without the requirement of a formal request or the person having to request access in terms of this Act:
    – Address, email and telephone details of the company’s registered office;
    – Names of board of directors, employees and other company officials.

    II. List of records per subject:
    Information in the categories below is not available without a formal request as per the instructions of the request procedure, and may be declined by the Company to protect the body’s own, commercial or research information.

    Category – Description of record kept

    Client records
    Client details:
    o personal details (indicative details);
    o financial details (banking details);
    o application and transaction forms completed by customers.

    Company’s financial records
    o Financial statements of the company;
    o Financial documents compiled by the accountants;
    o Banking facilities, bank account numbers;
    o Tax details.

    Company records
    o SARS Registration details;
    o Policies and procedures;
    o Products;
    o Strategy;
    o Business directives;
    o Suppliers’ contracts;
    o Minutes of meetings of board of directors;
    o Resolutions passed by the board of directors.

    Legal records
    o Documents compiled by attorneys;
    o Records of any legal cases.

    Company official records
    o Any personal records provided to the company by its officials and employees;
    o Employment contracts;
    o Any records a third party has provided to the company about any of its officials and employees;
    o Other internal records and correspondence.

    Client-related records
    o Any records a customer has provided to a third party;
    o Any records a third party has provided to the company;
    o Records generated by or within the company pertaining to customers, including transactional records.

    Private body records
    o Financial records;
    o Operational records;
    o Databases;
    o Information technology;
    o Marketing records;
    o Internal correspondence;
    o Statutory records;
    o Internal policies and procedures;
    o Records held by officials of the private body; and
    o Product records.

    Records in the possession of or pertaining to other parties
    o Personnel, customer or private body records which are held by another party as opposed to being held by the company; and
    o Records held by the company pertaining to other parties, including without limitation financial records, correspondence, contractual records, records provided by the other party, and records third parties have provided about the contractors / suppliers.

    The following details are available without a formal request, but must be accompanied by written consent from the customer:

    – Customer personal and financial details;
    – Customer address details;
    – Customer telephone details;
    – Customer email details.

    Granting/declining of information: Within 30 days (normal calendar days) after receipt of a request, the company will advise the requester whether the request has been granted or declined. If declined, reasons will be given. Furthermore, if the record pertains to a third party, the Act requires the company to notify the third party of the request and to give the third party an opportunity either to consent to the release or to make representations in favour of granting or declining the request. A dissatisfied requester or third party is entitled to an appeal process by way of application to court.

  1. Compulsory declining of requests for information
    A request for a record must be declined to protect:
    – The privacy of a third party;
    – Commercial information of a third party;
    – Confidential information of a third party;
    – The safety of individuals and the protection of property;
    – Records privileged from production in legal proceedings;
    – Research information of a third party.
    Discretionary declining of requests:

    A request may be refused to protect the commercial or research information of the

  2. Request procedure
    Details of submitting a formal request:
    Submit the Request Form (Annexure A) for the attention of the appropriate Information Officer to the address, fax number or electronic mail address provided in this Standard. Ensure that the right you wish to protect or exercise is fully described in the Request Form. If a request is made on behalf of another person, the requester must submit proof of the capacity in which the requester is making the request.

    The Information Officer will assess the request and advise the requester within 30 calendar days of the decision made. The information, if granted, will be supplied to the requester in a format applicable to the request. If declined, the requester will be notified in writing and will be provided with the reasons for the decision.

    If you have any questions about our use of your Personal Information you can contact the appropriate Information Officer of the Fund in accordance with the contact details provided in this Standard.
  3. Fees
    A requester who seeks access to a record containing personal information about that requester is not required to pay the request fee. Every other requester, who is not a personal requester, must pay the required request fee:
    – The Information Officer must notify the requester (other than a personal requester) by notice, requiring the requester to pay the prescribed fee (if any) before further processing the request.
    – The fees (if any) that the requester must pay to a private body will depend on the format of the information being requested. The requester may lodge an internal appeal or an application to the court against the tender or payment of the request fee.
    – For a complete fee schedule please visit the Information Regulator at www.justice.gov.za/inforeg/
    – After the Information Officer has decided on the request, the requester must be notified in the required form.
    – If the request is granted, then a further access fee must be paid for the search, reproduction, preparation and for any time that has exceeded the prescribed hours to search and prepare the record for disclosure.