POPIA Booklet 3 03 July 2023 (Copyedited)

POPI ACT CLEAN DESK CAMPAIGN

Protection of Personal Information Act WHEN Our claimants’ personal information is our most The President of the Republic of important asset. South Africa signed the Protection of Personal Information Act That is why the RAF is (POPI) into law on 27 November required to handle this 2013. The POPI Act came into information with the effect on 01 July 2021. From this utmost care. It must date, all organisations including ensure that the the Road Accident Fund must information is protected demonstrate compliance. and only used for its intended purpose. WHY Maintaining our claimants’ POPI dictates security and privacy trust is vital to the RAF’s policies for data handling. reputation. Claimants expect the RAF to ensure WHO that the necessary safeguards are put in place The Act applies to any information when processing their regarding claimants/employees and personal information. service providers. This includes names, contact details, security This will also: registers, and banking details. • Increase our stakeholder confidence. • Improve our data reliability. • Reduce the risk of data breaches. 1

Eight Principles of POPI 1. Accountability The conditions set out in the Act must be complied with at the time of determining the purpose and means of the processing. 2. Processing Limitation Personal information may only be processed in a fair and lawful manner. 3. Purpose Specification Personal information may only be processed for a specific, explicitly-defined and legitimate reason. 4. Further Processing Limitation Further processing of personal information must be compatible with the purpose it was initially collected and intended for. 5. Information Quality Ensure information is accurate and up to date. 6. Openness Clearly communicate why the information is pro- cessed. 7. Security Safeguards Take reasonable measures to protect personal information. 8. Data Subject Participation Allow the data subjects access to their personal information. 2

Example of a Clean Desk 3

POLICY PURPOSE CLEAN DESK REQUIREMENT POPI SECTION 8.1 The purpose of this policy is To ensure that the workstation is COMPLIANCE Facilities Services, to provide a well maintained tidy, your screen is locked and Section 5.2 Space Management and safe working environ- any personal information is out of and section 5.3 and Building ment for all RAF employees sight. Removal of sticky notes that of the POPI Maintenance and stakeholders. might contain the personal infor- Policy. mation of others is required. Offi- cials are required to clean their desks at the end of each day. SECTION 7.6 The purpose of this policy is RAF employees should not keep Section 7.3.7.6 Records to ensure that records are records of personal information and section Management created, managed, and re- longer than is necessary. 7.3.15 of the tained or disposed of appro- POPI Policy. priately, in accordance with relevant legislation. 4

5 POLICY PURPOSE CLEAN DESK REQUIREMENT POPI SECTION 9.1 COMPLIANCE Information This policy aims to specify the RAF employees must ensure that Section 7.3 of Security measures required to protect personal information is protected the POPI Policy. Framework information from all types of while engaging with internal and threats; internal or external; de- external stakeholders. The RAF liberate or accidental; assist and must guard against the risks of enable the RAF to provide effec- breach of confidentiality and breach tive ICT security. Management of of integrity. information that is measurable and conforms to best practices; ensures that access to RAF in- formation assets is controlled, based on security, business and legislative requirements. SECTION The purpose of this policy is to RAF employees must maintain a Section 7.3.12 6.3.4 address the effective and effi- high level of confidentiality when and section Document cient management of all incom- dealing with incoming and outgoing 7.5.of POPI Services ing and outgoing correspond- mail. ence within the RAF.

THE PURPOSE OF THE CLEAN DESK CAMPAIGN To prevent or minimise unauthorised To demonstrate compliance with access to personal information. POPI and other related legislation. To reduce the risk of confidential To create a culture of responsibility and sensitive information/ relating to the processing of documentation being stolen or personal information amongst accessed by unauthorised employees. individuals, which could damage the integrity of the RAF. To ensure that the office is clutter-free. 6

PRIVACY OFFICE CONTACT DETAILS 1. Privacy Office: [email protected] 2. Privacy Manager: Makgele Tlou [email protected] 3. Deputy Information Officer: Michelle Morgan [email protected]