1. Purpose & Overview
• Goal: Ensure compliance with GSS's Privacy Policy & the Protection of Personal Information Act (POPIA).
• Scope: Covers all GSS employees, third-party providers & affiliates.
2. Definition & Key Terms
• Define terms like Data Subject, Responsible Party & Data Breach for clarity, aligning with both PAIA Manual & Privacy Policy.
3. Collecting Personal Information
• Collect information directly when possible.
• Ensure that all data collection complies with legal requirements & Data Subjects are informed of the purpose.
4. Processing Personal Information
• Process data only when there’s a legal basis & for disclosed purposes – if you need to gather personal information, remember to ensure that consent is given, expressly or implied.
• Allow Data Subjects to withdraw consent if processing is based on consent.
• Use secure systems & workflows to document processing activities.
5. Data Accuracy & Minimization
• Accuracy: Follow PAIA guidelines to verify & update personal data regularly, especially for employment or customer information.
• Minimization: Only collect & retain the minimum amount of data necessary.
6. Privacy Practices for Data Security
6.1 Password Protection & Access Control
• Use unique, strong passwords for all systems & documents containing sensitive data.
• Restrict data access to employees on a "need-to-know" basis, using unique user IDs for accountability.
6.2 Data Encryption
• Encrypt sensitive data files & emails when sharing or storing them.
• Require password-protected attachments for sensitive information shared by email.
6.3 Devices & Network Security
• Install antivirus software on all devices.
• Conduct regular vulnerability scans & monitor networks as outlined in the PAIA Manual to detect threats.
6.4 Physical Security Measures
• Restrict physical access to areas where data is stored with keycards or biometric controls.
• Implement a clear-desk policy & lock all sensitive files when not in use.
6.5 Secure Disposal of Data
• Shred or securely delete all data no longer needed, according to retention policies outlined in PAIA Manual.
• For digital data, follow secure erasure techniques to prevent data reconstruction.
6.6 Backup & Recovery
• Ensure data backups are stored securely, tested regularly & capable of swift recovery in case of data loss.
6.7 Regular Audits & Monitoring
• Conduct routine audits of access logs & compliance with privacy practices.
• Record & investigate any access irregularities, aligning with PAIA compliance requirements.
7. Data Breach Response
• Follow established procedures for detecting & addressing breaches, including notifying affected parties as required by POPIA & the PAIA Manual.
8. Third-Party Data Sharing & Cross-Border Transfers
• Ensure third-party compliance with GSS's privacy standards by formal agreement, particularly for data storage or processing outside South Africa.
9. Data Subject Rights
• Facilitate a secure verification process to protect against unauthorized access requests.
10. Employee Training & Awareness
• Conduct training on privacy best practices, including phishing & social engineering awareness, as outlined in the PAIA Manual.
• Emphasize the importance of reporting security incidents or breaches promptly.
11. Policy Updates & Contact Information
• Regularly update the privacy practices & inform employees of changes.
• Include contact details for the Information Officer for questions & data requests.