2.1.1

Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person (in this instance a juristic person includes companies-private bodies)

2.1.2

Information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person

2.1.3

Information relating to the education or the medical, financial, criminal or employment history of the person

2.1.4

Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person

2.1.5

The biometric information of a person

2.1.6

The personal opinions, views, or preferences of the person

2.1.7

Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence

2.1.8

The views or opinions of another individual about the person

2.1.9

The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

2.2.1

A person or juristic person to whom the personal information relates

2.3.1

A public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information.

2.3.2

The head of the public or private body.

2.4.1

A person who processes personal information for a Responsible Party in terms of a contract or mandate, without coming under the direct authority of that party

2.5.1

The appointed person responsible for compliance with POPIA within Prestige Metering Services.

2.5.2

Where no Information Officer is appointed, the head of the public or private body is by default the Information Officer and will be responsible for performing the duties of the Information Officer.

2.5.3

The Information Officer must be registered with the Information Regulator once appointed.

2.6.1

Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including the following:

a. The collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use.

b. Dissemination by means of transmission, distribution or making available in any other form.

c. Merging, linking, as well as restriction, degradation, erasure, or destruction information.

2.7.1

Any recorded information regardless of form or medium, including any of the following:

a. Writing on any material.

b. Information produced, recorded, or stored by means of any tape-recorder, computer equipment, whether hardware or software or both, or other device, and any material subsequently derived from information so produced, recorded or stored.

c. Label, marking or other writing that identifies or describes anything of which it forms part, or to which it is attached by any means.

d. Book, map, plan, graph or drawing.

e. Photograph, film, negative, tape or other device in which one or more visual images are embodied so as to be capable, with or without the aid of some other equipment, of being reproduced.

2.7.2

Any above-mentioned record in the possession or under the control of a Responsible Party, whether or not it was created by a Responsible Party, and regardless of when it came into existence.

2.8.1

Any structured set of personal information, whether centralised, decentralised or dispersed on a functional or geographical basis, which is accessible according to specific criteria.

2.9.1

Any identifier that is assigned to a data subject and is used by a Responsible Party for the purposes of the operations of that Responsible Party and that uniquely identifies that data subject in relation to that Responsible Party.

2.10.1

 To delete any information that identifies the data subject, can be used or manipulated by a reasonably foreseeable method to identify the data subject, or that can be linked by a reasonably foreseeable method to other information that identifies the data subject.

2.11.1

 To resurrect any information that has been de-identified, that identifies the data subject, can be used or manipulated by a reasonably foreseeable method to identify the data subject, or can be linked by a reasonably foreseeable method to other information that identifies the data subject.

2.12.1

 Any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

2.13.1

 To approach a data subject, either in person or by mail or electronic communication, for the direct or indirect purpose of promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject, or requesting the data subject to make a donation of any kind for any reason

5.1.1

The Responsible Party is accountable for the information of data subjects in its possession or under its control. The Responsible Party determines the purpose for the processing.

5.1.2

Notwithstanding clause 5.1.1, the protection of personal information for Prestige Metering Services is every employee's (including vendors and contractors with access to Prestige Metering Services information and systems) responsibility.

5.2.1

Processing of personal information must be lawful and performed in a reasonable manner.

5.3.1

Personal information must be collected for a specific, explicitly defined, and lawful purpose related to a function or activity of the Responsible Party.

5.3.2

Prestige Metering Services will inform data subjects of the purpose for which specific information is collected and processed.

5.3.3

Data subjects will also be informed when personal information relating to them will be shared to a relevant third party, for what reason and in what manner. Data subjects will also be informed of who the third party is.

5.4.1

Further processing of personal information must be in accordance or compatible with the purpose for which it was initially collected.

5.4.2

Prestige Metering Services will obtain further consent should personal information be processed for any other reason than the initial purpose of processing.

5.5.1

Prestige Metering Services must take reasonably practicable steps to ensure that personal information is complete, accurate and not misleading and that it is updated where necessary.

5.5.2

Any data subject must notify Prestige Metering Services of any change in their personal information applicable to Prestige Metering Services.

5.6.1

Prestige Metering Services must inform the data subject that information is being collected, why it is being collected and what the Responsible Party plans to do with it.

5.6.2

The Responsible Party must inform the data subject of the following:

a. Purpose for which personal information is collected.

b. Name & Address of the Responsible Party (private body).

c. Consequences of failure to provide information.

d. Level of protection if information will be sent to a third party.

e. The likely recipients of the information.

f. The right of the data subject to request what information the Responsible Party has of the data subject and to correct or delete information.

5.6.3

Any data subject has the right to enquire whether Prestige Metering Services holds information related to that data subject. Prestige Metering Services is obligated to give a detailed report on all information it contains relating to a specific data subject.

5.6.4

Any data subject has the right to request Prestige Metering Services to change or delete any information relating to that data subject. Prestige Metering Services is obligated to consider the request and to supply the relevant data subject with an outcome of the request and a detailed explanation if the request was refused.

5.6.5

Any data subject has the right to submit a complaint concerning the processing of personal information to Prestige Metering Services. Prestige Metering Services is obligated to investigate the complaint within the prescribed time and to supply a detailed outcome of the complaint.

5.7.1

Prestige Metering Services will take appropriate, reasonable technical and organisational measures to prevent loss of, or damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information.

5.7.2

Prestige Metering Services will take reasonable measures to:

a. Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control

b. Establish and maintain appropriate safeguards against the risks identified

c. Regularly verify that the safeguards are effectively implemented

d. Ensure that safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

5.7.3

Prestige Metering Services will implement and maintain all relevant policies and procedures related to the processing of personal information. All employees (including vendors and contractors with access to Prestige Metering Services information and systems) will be given a copy of all policies and procedures and the policies and procedures will be available for any person to peruse during normal business hours.

5.7.4

Prestige Metering Services will implement and maintain all relevant network, computing device and software safeguards relating to the processing of personal information and in line with the Prestige Metering Services Network Security Policy and General Information Security Policy.

5.7.5

Prestige Metering Services will implement and maintain an appropriate and reasonable filing system to protect any physical information under its control.

5.7.6

Prestige Metering Services will conduct periodic awareness sessions to remind employees (including vendors and contractors with access to Prestige Metering Services information and systems) about the importance of confidentiality when working with personal information and to create awareness on any amendments made to the Act or the Regulations

5.7.7

Prestige Metering Services will take appropriate, reasonable technical and organisational measures to prevent loss of, or damage to, or unauthorised destruction of personal information and unlawful access to or processing of personal information.

5.8.1

The data subject has the following rights:

a. To request a Responsible Party to confirm whether or not the Responsible Party holds personal information of the data subject.

b. To request correction of information.

c. To request from the Responsible Party a record or a description of the personal information relating to the data subject held by the Responsible Party - within the prescribed manner.

d. To request that personal information of the data subject held by the Responsible Party be deleted or destroyed in accordance with Section 24 of the Act.

5.8.2

Prestige Metering Services undertakes to attend to any data subject enquiry or request and to provide a detailed report on the outcome of any enquiry or request.

6.1.1

The right to access information

a. Any data subject has the right enquire whether Prestige Metering Services hold personal information relating to that data subject.

b. Any data subject has the right to request form Prestige Metering Services the record or a description of the personal information about the data subject held by the Responsible Party, including information about the identity of all third parties, or categories of third parties, who have, or have had, access to the information, within a reasonable time, at a prescribed fee, if any, in a reasonable manner and format, and in a form that is generally understandable.

6.1.2

The right to request a correction or deletion of a record

a. Any data subject has the right to request that the Prestige Metering Services make a correction to a record relevant to that data subject or to delete a record relevant to that data subject.

6.1.3

The right to object to the processing of personal information

a. Any data subject has the right to object to the processing of personal information by Prestige Metering Services.

b. Prestige Metering Services will consider any objection by a data subject in accordance with the requirements of POPIA.

c. Prestige Metering Services may cease to process the information relating to the specific data subject and in relation with relevant legislation either retain or destroy any information already processed.

6.1.4

The right to complain to the Information Regulator

a. Any data subject has the right to lodge a complaint to the Information Regulator regarding a security compromise or breach in relation to POPIA.

6.1.5

The right to be informed

a. Any data subject has the right to be informed and notified that their personal information is being processed.

b. Any data subject has the right to be informed when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.

6.1.6

Any requests made by the data subject may be made via email, addressed to the Information Officer, or may be handed to the Information Officer in person. The Information Officer will provide the data subject with a 'Personal Information Request Form'.

6.1.7

The Information Officer will verify the identity of the data subject upon receiving a completed form and then only proceed to the outcome of the request.

6.1.8

All requests will be processed in accordance with the Prestige Metering Services PAIA Manual and Policy.

6.1.9

All requests will be processed within a reasonable time.

8.1.1

The Responsible Party will be accountable for all information in its possession or under its control at all times.

8.1.2

The Responsible Party has the responsibility to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organizational measures to prevent loss of, or damage to, or unauthorised destruction of personal information, and unlawful access to or processing of personal information.

8.1.3

The Responsible Party must take reasonable measures to:

a. Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.

b. Establish and maintain appropriate safeguards against the risks identified.

c. Regularly verify that the safeguards are effectively implemented.

d. Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

8.1.4

The Responsible Party will appoint an Information Officer for Prestige Metering Services and where necessary a Deputy Information Officer. When the Responsible Party chooses not to appoint an Information Officer, the Responsible Party will then take on the duties of the Information Officer.

8.1.5

The Responsible Party will provide the Information Officer with all the necessary and reasonable financial means, resources, and existing employees to enable the Information Officer to perform his/her duties.

8.1.6

The Responsible Party will ensure that it involves the Information Officer in all matters relating to the personal information in the Responsible Party's possession or under its control.

8.2.1

The Information Officer will encourage compliance, by the body, with the conditions for the lawful processing of personal information.

8.2.2

The Information Officer will deal with requests made to the body pursuant to this act.

8.2.3

The Information Officer will work with the regulator in relation to investigations conducted.

8.2.4

The Information Officer will ensure that a compliance framework is developed, implemented, and monitored.

8.2.5

The Information Officer will ensure that adequate measures and standards exist in order to comply with the conditions of lawful processing of personal information.

8.2.6

The Information Officer will conduct preliminary assessments.

8.2.7

The Information Officer will develop a PAIA Manual for Prestige Metering Services in accordance with the Promotion of Access to Information Act and POPIA. The details contained in the Manual will be in accordance with the provisions set out in the Promotion of Access to Information Act.

8.2.8

The Information Officer will ensure that internal measures are developed together with adequate systems to process requests for information and access thereto.

8.2.9

The Information Officer will deal with any POPIA related complaints in the prescribed manner.

8.2.10

 The Information Officer will ensure that awareness sessions are conducted regarding the Provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Information Regulator.

8.2.11

 Additional specific duties of the Prestige Metering Services Information Officer may be detailed within the Prestige Metering Services Information Officer Appointment Letter.

8.3.1

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) have the responsibility the adhere to the following:

a. To maintain all Prestige Metering Services safeguarding procedures and policies.

b. To ensure protection of their user identifications and passwords.

c. To inform the Information Officer of any security compromise or breach.

d. To assist the Information Officer with any security compromise or breach investigation.

e. To ensure that all computer systems used to perform business functions for Prestige Metering Services are backed-up in the prescribed manner that mitigates the risk of loss and cost of recovery.

f. To be especially aware of the risks involved with remote access and to be aware of their obligation to report intrusions and possible security compromises or breaches.

g. To ensure the utmost confidentiality when processing, safeguarding, and transmitting Prestige Metering Services information as part of the business functions of Prestige Metering Services.

8.3.2

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) have the responsibility to follow all prescribed technical and organizational measures, including but not limited to, the following:

a. Enabling a password-protected screen saver with a short timeout period to ensure that workstations that were left unsecured will be protected.

b. Ensuring that monitors are positioned away from public view. If necessary, install privacy screen filters or other physical barriers to public viewing.

c. Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).

d. If wireless network access is used, ensure access is secure by following the Network Security policy.

e. Ensuring that the required ant-virus/firewalls/anti-malware protection software is installed throughout the company systems and updated as required.

f. Ensuring that an approved destruction software is installed on Prestige Metering Services systems to ensure verification and certification of destruction can be implemented and maintained.

g. Restricting physical access to workstations to only authorized employees (including vendors and contractors with access to Prestige Metering Services information and systems).

h. Securing workstations (screen lock or logout) prior to leaving the area to prevent unauthorised access.

i. Complying with all applicable password policies and procedures.

j. Ensuring workstations are used for authorized business purposes only.

k. Never installing unauthorised software on workstations.

l. Storing all confidential information on network servers.

m. Keeping food and drink away from workstations in order to avoid accidental spills.

n. Securing laptops that contain sensitive information by using cable locks or locking laptops up in drawers or cabinets.

o. Ensuring workstations are left on but logged off in order to facilitate after-hours updates. Exit running applications and close open documents.

8.3.3

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) must be aware that the processing of any personal information may only take place under the following scenarios:

a. Where the data subject, or competent person where data subject is a child, consents to the processing.

b. Where the processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party.

c. The processing complies with an obligation imposed by law on the Responsible Party.

d. The processing protects a legitimate interest of the data subject.

8.3.4

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) must ensure that information is ONLY safeguarded in specified places as prescribed and that no additional unnecessary records and filing systems should be created without obtaining authorisation from the Information Officer.

8.3.5

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) should take note that the email system is inherently insecure and individuals other than the intended recipients may be able to read messages.

8.3.6

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) should take note that confidential information may only be sent as part of, or attached to, an email message if the information is encrypted.

8.3.7

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) must implement and maintain encryption or equally strong measures that protects the information of Prestige Metering Services while it is being stored and/or transmitted on any portable computing devices and portable electronic storage media that contains confidential personal information of Prestige Metering Services.

8.3.8

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) with remote access privileges to Prestige Metering Services' corporate network has the responsibility to ensure that their remote access connection is given the same consideration as the user's on-site connection

8.3.9

All employees (including vendors and contractors with access to Prestige Metering Services information and systems) must obtain authorisation by the Information Officer or Deputy Information Officer prior to the disposal or physical destruction of any storage media. The disposal and/or physical destruction of any storage media may only take place once written approval has been received from the Information Officer or Deputy Information Officer.

8.3.10

 All employees (including vendors and contractors with access to Prestige Metering Services information and systems) have the responsibility to maintain the utmost confidentiality when working with Prestige Metering Services information on any Prestige Metering Services owned or personally owned documents, devices, systems and/or networks.

8.3.11

 Any information collected, processed and safeguarded by Prestige Metering Services is to be treated as confidential information.

8.3.12

 All employees (including vendors and contractors with access to Prestige Metering Services information and systems) have the responsibility to adhere to the following additional Prestige Metering Services policies to ensure the confidentiality, integrity, and availability of Prestige Metering Services information:

a. Password Policy

b. Network Security Policy

c. Encryption Policy

d. General Information Security Policy

e. Surveillance Security Policy

8.3.13

 All employees (including vendors and contractors with access to Prestige Metering Services information and systems) will be required to sign a confidentiality agreement, undertaking to preserve complete and strict confidentiality with regards to any Prestige Metering Services information.

9.2.1

Identify and define the purpose for information that is collected and processed.

9.2.2

To identify the processes used to collect, process, safeguard, share, and destroy the information.

9.2.3

To determine the flow of information throughout Prestige Metering Services - how information is transmitted to various departments within Prestige Metering Services.

9.2.4

To ensure that processing limitation is applied when collecting, processing, safeguarding, and sharing information.

9.2.5

To ensure that any new data subjects are aware of the purpose for the collection of information and that new data subjects are made aware when personal information is being processed relating to that data subject.

9.2.6

To establish the further processing of personal information and to ensure that the further processing of information is in line with the initial purpose of processing.

9.2.7

To ensure that all personal information in Prestige Metering Services' possession or under its control is accurate.

9.2.8

To ensure that all security safeguards are implemented and maintained.

9.2.9

To identify the extent of compliance with POPIA for Prestige Metering Services and this policy.

9.2.10

 To manage all technical and organisational measures implemented to ensure compliance with POPIA.

10.2.1

 Any POPI Complaint must be submitted to Prestige Metering Services in writing and addressed to the Information Officer. A POPI Complaint Form is available from the Information Officer.

10.2.2

  Where any person other than the Information Officer receives a POPI Complaint, that person is obligated to hand over the request to the Information officer within 1 working day after having received the complaint.

10.2.3

 The Information Officer will provide the complainant written acknowledgement of receipt within 2 days after having received the complaint.

10.2.4

 The Information Officer will duly consider the complaint and address the complainant's concerns in an amicable manner. The Information Officer will strive to resolve the complaint in a reasonably fair manner and pursuant to the provisions of POPIA.

10.2.5

 The Information Officer is obligated to determine whether the complaint is a result of a security compromise or breach within Prestige Metering Services and whether it poses a greater risk to Prestige Metering Services and its data subjects.

10.2.6

 Where the Information Officer has reason to believe that the complaint is a result of personal information being accessed or acquired by an unauthorised person, the Information Officer will consult with the Responsible Party and duly notify the affected data subject and Information Regulator.

10.2.7

 The Information Officer will respond to the complainant with a proposed solution to the complaint within 7 working days after having received the complaint. Prestige Metering Services will provide reasons for any decisions taken with regards to the complaint and will communicate any anticipated delay in specified timelines.

10.2.8

 Identify and define the purpose for information that is collected and processed.

 a. A suggested remedy for the complaint.

 b. A dismissal of the complaint and a detailed report of why it was dismissed.

 c. An apology where applicable and the details of any disciplinary action taken against any employee(including vendors and contractors with access to Prestige Metering Services information and systems) involved.

10.2.9

  Should the data subject not be satisfied with the outcome of the complaint, the data subject may complain to the Information Regulator.

10.2.10

   The Information Officer is obligated to review all complaints received to determine the effectiveness of the relevant procedures taken. Any improvements or amendments to any relevant procedure must be recorded and reiterated to all relevant role players.

10.2.11

   The Information Officer is obligated to review all reasons for complaints to establish any security risks within Prestige Metering Services and to mitigate the occurrence of POPI related complaints.