Terms and Conditions
  1. Information

    The information contained in this website is for general information purposes only. The information is provided by SABS and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

    In no event will we be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this website.

    Through this website you are able to link to other websites which are not under the control of SABS. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorsement of the views expressed within them.

    Every effort is made to keep the website up and running smoothly. However, SABS takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

  1. Objectives

    The objectives of this CP are to:

    1. Establish a compliance framework within SABS and SABS Commercial SOC Ltd regarding the processing of personal information.

    2. Recognise and comply with any limitations applicable when processing personal information in possession of SABS and/or SABS Commercial.

  1. Scope

    This policy applies to any person or entity processing Personal Information for or on behalf of SABS and SABS Commercial SOC Ltd, such as:

    1. Employees

    2. Contractors

    3. Agents

    4. Service providers

    5. Consultants, etc.

    In this policy, any reference to SABS shall be deemed to include SABS Commercial SOC Limited and vice versa.

  1. Definitions/Abbreviations

    The following definitions are, where applicable, imported from the POPIA and are being used herein to foster consistency in terminology between this policy and the POPIA:

    1. “Data Subject” means either individuals or juristic persons to whom personal information relates, such as recruits, employees, suppliers, customers, etc.

    2. “Deputy Information Officer” or “DIO” means an employee of the SABS or SABS Commercial SOC Ltd who has been duly appointed as such with specific roles to assist the Information Officer in executing his/her responsibilities as required by POPIA and PAIA;

    3. “Information Officer” means the Chief Executive Officer of the SABS and SABS Commercial SOC Ltd or anyone acting in such position or capacity;

    4. “Operator” means a person who processes Personal Information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party, such as suppliers, contractors, etc.

    5. “PAIA” means Promotion of Access to Information Act, Act 2 of 2000;

    6. “Personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

      1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person;

      2. Information relating to the education or the medical, financial, criminal or employment history of the person;

      3. Any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier, or other particular assignment to the person, etc.

    7. “POPIA” or “the Act” means the Protection of Personal Information Act, No. 4 of 2013;

    8. “Processing” means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information, including: the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure, or destruction of information.

    9. “Responsible Party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing Personal Information.

    10. “SABS” means the South African Bureau of Standards;

    11. “SABS Commercial” means SABS Commercial SOC Ltd, being a company wholly owned by the SABS.

  1. References

    This document should be read in conjunction with:

    CSP 101 - Legal Services of the SABS

    CP 211 - IT Security and Access Control Policy

    CP 211 - ICT Security and Access Control Standard Operating Procedure

    CSP 124 - Record Management

    CSP 601 - Recruitment and Selection Procedure and Relocation

    CPO 610A - Remuneration

    CPO 611B - Performance Management

    CPO 614 - Recruitment and Selection

    CPO 615 - Employee well-being Programme.

  1. Legislative, standards and codes requirements

    The following legislation informed, and was considered in, the development of this policy:

    1. The Constitution of the Republic of South Africa, 1996

    2. Protection of Personal Information Act, (No. 4 of 2013)

    3. Promotion of Access to Information Act, (No. 2 of 2000)

    4. Promotion of Administrative Justice Act, (No. 3 of 2000)

    5. Standards Act, (No. 8 of 2008)

    6. Public Finance Management Act, (No. 1 of 1999)

    7. King IV Code on Corporate Governance

  1. Rules and Principles

    As an entity in possession of Data Subjects' Personal Information, the SABS is required to comply with POPIA. SABS has a legal obligation to ensure the safety, confidentiality, and lawful processing of Personal Information in its custody or under its control. To assist SABS in carrying out this legal obligation, and as is required in terms of POPIA, the SABS has appointed an Information Officer (“IO”) and Deputy Information Officers (DIO) from each Business Unit. SABS acknowledges that it is a Responsible Party where it uses the services of third parties, and it is also an Operator when it is being employed as a service provider.

  1. Procedure

    To ensure compliance with POPIA the following procedure must be followed when processing personal information:

    1. Obtain consent to process Personal Information.

    2. Only the minimum amount of Personal Information necessary to allow a decision to be taken should be obtained/requested;

    3. All Personal Information must be treated as confidential and must be safely kept.

    4. Any unlawful or unauthorised access to the Personal Information under the control of SABS must immediately be reported to the appointed DIO in the affected BU/Department who must as soon as possible report same to the IO;

    5. Personal Information of Data Subjects may only be retained for the amount of time as permitted by the law or by way of contractual agreement;

    6. Destruction or deletion of Personal Information under the control of SABS must be done with the permission of the IO;

    7. A list of appointed DIOs shall be published and updated as and when necessary.

  1. Process

    The following explains the process for the implementation of the 8 conditions laid down in Section 8 of POPIA for lawful processing of Personal Information and the measures to be implemented to give effect to these conditions:

      1. Accountability — SABS is accountable for the Personal information it Processes or allows to be Processed on its behalf. SABS is therefore committed to ensure that the Personal Information of all Data Subjects in its possession or under its control is collected, stored, used, applied, shared and/or destroyed appropriately, securely and without compromising the privacy rights of Data Subjects.

      2. Processing limitation — SABS as an organ of state, an employer and through its commercial activities shares information (Data Subjects' Personal Information) with external entities (the Operators). SABS also collects Personal Information. Accordingly, SABS is also a primary source of personal information. For this reason, SABS shall ensure that personal information is processed lawfully, reasonably and in a manner that does not infringe the rights of the data subject. SABS shall ensure that it collects Personal Information, which is adequate, relevant and not excessive, given the purpose in respect of which the Personal Information is processed.

        All SABS employees, contractors, consultants, etc., must, when Processing Information:

        1. Uphold, as far as is reasonably possible, the principle of minimality — where only adequate, relevant, and necessary data and/or information is processed to achieve the purpose for which the information was obtained.

        2. Develop and communicate processes and enhance the developed processes, where feasible, to enable Data Subjects to: Object, where reasonable and lawful, to the processing of their Personal Information, request that their Personal Information be updated or corrected, and request and facilitate, where legally feasible, the deletion of Personal Information or restrict processing and access to the Personal Information. The SABS is committed to collect and process Personal Information in a reasonable way that does not infringe on the privacy rights of the Data Subjects. While in terms of the Act the Data Subject has the right to withdraw his/her/its consent, it is advisable that legal advice be sought in instances where there might be a need to still process the information despite the withdrawal.

      3. Purpose Specification — Only Personal information that relates to a specific, explicitly defined and lawful purpose related to a function or activity of the SABS may be collected. It is the responsibility of every department within SABS to develop a checklist of Personal Information that is required in their execution of duties. This is necessary to ensure that only relevant, explicit and fit for purpose Personal Information is obtained for each departmental need.

        1. Any medium used within or from SABS to collect Personal Information from Data Subjects, e.g., contracts, forms or websites must contain a consent by the Data Subject for collection and processing of Personal Information, except where the Act prescribes otherwise.

      4. Retention and restriction of records: Personal Information shall not be retained any longer than is necessary to achieve the purpose for which the information was collected and processed or as otherwise permitted in law, or by way of contractual agreement. All Personal information in possession of SABS or under its control must be retained for a maximum period prescribed by law, e.g., five years from expiry or termination of the transaction, or as prescribed in terms of the contract or as per operational requirements.

        1. Personal Information under the control of the SABS shall be destroyed or deleted in a manner that prevents its reconstruction in an intelligible form.

        2. It is recognised that documents and records can either be in electronic or hard copies format. Each Department or Business Unit of SABS shall, with guidance from Legal Department, classify its records and keep a classification list of records and reasonable security safeguards shall be employed in the storage and retention of internal information.

        3. Together with record classification, the Business Units shall define the life cycle of their documents and records within the SABS as part of the measures implemented to give effect to the conditions of processing Personal Information.

        4. The following mechanism regarding documents and records retention and deletion shall be implemented by all Business Units within SABS:

          • Records requested by Operators must contain only the minimum amount of content necessary to allow a decision to be taken;

          • Documents and records must always be safely secured and stored in such a way as to maintain confidentiality and the integrity of the content;

          • Documents may not be shared, communicated or transmitted, unless authorised, in writing by employees with delegated authority;

          • Only the “final” draft of documents will be stored and retained;

          • Documents will not be duplicated or retained indefinitely, unless authorised by the Information Officer; and

          • Issue directives that do not conflict with the Act, but advance the purpose of the Act, on how to process Personal Information.

      5. Further processing

        It is the responsibility of every employee of SABS to ensure that any additional processing of Personal Information by itself is compatible with the original purpose for which Personal Information was collected. The adopted measures must apply to Operators.

      6. Information quality

        In obtaining Data Subjects' Personal Information, every SABS employee, consultant, etc., shall ensure that s/he or it obtains Personal Information that is up to date, accurate, complete and not misleading.

      7. Openness

        In order to be able to respond to requests for information in terms of PAIA, the SABS has developed a PAIA Manual with detailed information regarding:

        1. The categories of record by the SABS which are available without a person having to request access in terms of PAIA;

        2. A description of the records of the SABS which are available in accordance with any other legislation;

        3. Sufficient detail to facilitate a request for access to a record in possession or under the control of the SABS;

        4. A description of the subjects on which the SABS holds records and the categories of records held on each subject; and

        5. Such other information as may be prescribed therein.

      8. Security safeguards

        The ICT department of SABS shall ensure continuous implementation of reasonable technical and organisational measures, having regard to generally accepted information security practices and procedures which apply to it generally or as required in terms of specific industry rules or professional rules and regulations, to prevent loss of, damage to or unauthorised destruction of Personal Information and unlawful access to or processing of Personal Information. All SABS employees, consultants, interns, etc., shall comply with CP 211 - IT Security and Access Control Policy and CP 211 - ICT Security and Access Control Standard Operating Procedure.

  1. Roles and Responsibilities

    PARTIES IN POPIA

    Responsible Party: assumes full accountability and determines how and why personal information is processed.

    Operator: processes personal information for or on behalf of a Responsible Party.

    Data Subject: the person to whom personal information relates.

    Information Officer/Deputy Information Officer: same as in the Promotion of Access to Information Act (PAIA); they are the company's first point of contact with regard to issues relating to security compromise and/or requests for information.

  1. Monitoring and reporting
    1. The implementation of the procedure will be monitored through the assistance of the appointed DIO.

    2. Any unlawful or unauthorised access (breach) to Personal Information under the control of SABS shall be reported to the Information Regulator by the Information Officer.

  1. Replacement and Withdrawal

    This document is new, and it does not replace any SABS policy.

  1. Revision/Amendment Particulars

    | Rev. No. | Effective date | Nature of Revision |
    |----------|----------------|--------------------|
    | Ø | 2022-12-01 | New Document |