IRC of South Africa
POPIA Privacy Policy
INTRODUCTION
The Integrated Reporting Committee (IRC) of South Africa, a not-for-profit association, (“IRC”) respects your privacy and your personal information. This privacy policy together with the IRC PAIA Manual aims to let you know how the IRC will treat any personal information that it may have about you and how you can access such personal information held. The IRC will take all reasonable measures, in accordance with this policy, to protect your personal information and to keep it confidential.
DEFINITION OF PERSONAL INFORMATION
Personal information is “personal information” as defined in terms of section 1 of the Protection of Personal Information Act 4 of 2013 (“POPIA”). This is information relating to an identifiable, living natural person or existing juristic person. Please refer to POPIA for a detailed definition and various types or categories of personal information.
CATEGORIES OF DATA SUBJECTS AND PERSONAL INFORMATION COLLECTED
The IRC only collects general personal information (some of which may be publicly available) and aims to only collect that personal information which is necessary for it to carry out its services and other facilities provided to you. The IRC collects the following categories of personal information:
- Member and member representatives – such as name, contact details, email addresses, physical and postal addresses, company details, designations, logos and VAT details. Member registration forms provide for other information to be given but this is voluntary information that can be provided at the discretion of the member. In instances where founding and honorary members and corporate and organisation representatives provide individual information to the IRC, it is the responsibility of the member and member representatives to ensure they have consent from such individuals to share their general personal contact information.
- Board members – such as name, contact details and email addresses and biographical details.
- Volunteers and Working Group members – such as name, contact details, email addresses and biographical details.
- Presenters – such as name, contact details, email addresses, country, company details, logos and documents (where necessary), dietary requirements and allergies (for physical event catering purposes). Photographs and biographical details of presenters may be used in the information provided prior to and during events.
- Delegates and event attendees – such as name, contact details, email addresses, country, company details, logos, dietary requirements and allergies (for physical event catering purposes).
- Consultants and suppliers – such as company name, physical and postal addresses, logos, contact details, email addresses, banking details and VAT number.
- Website – such as general website page analytics and usage information through the use of cookies (all such information is un-identifiable information for the purposes of POPIA, see IRC Cookie Policy for further detail); as well as in some instances website user (i.e. non-member) name and contact details for access to specific IRC content/services not freely available to the general public.
- IRC Network database – such as name, email addresses, company details and designation.
HOW PERSONAL INFORMATION IS COLLECTED
Your personal information is obtained directly from you either via online forms on our website, email communications, registration forms, requests for proposals, hard copy forms submitted to the IRC, and on occasion telephonically (only under specific circumstances and at your request).
PURPOSE FOR COLLECTING PERSONAL INFORMATION
The IRC collects personal information for the following purposes:
- To provide you with services offered and requested.
- To understand your specific needs and requirements, and in order to improve the IRC member benefit, service and value offering.
- To provide you with IRC communications in relation to the services being rendered, events and keeping you informed of updates in integrated reporting and related matters.
- To provide you with IRC related marketing material due to your past interaction and use of the IRC services.
- To ensure payment to suppliers for services procured.
- For health and safety purposes.
- For statistical, historical and/or reporting purposes.
The IRC will always ask for your permission before it uses your personal information for any purpose not disclosed above or unrelated to the operations/services of the IRC and its use in the ordinary course of business.
RECIPIENTS OF PERSONAL INFORMATION
The personal information collected is used only by the IRC and its representatives in the rendering of its organisational purpose and services. Only in instances where the sharing of personal information to recipients outside of the IRC is necessary in order to fulfil an IRC obligation or service will such information be provided.
PERSONAL INFORMATION SHARED TO THIRD PARTIES
As part of the member benefits provided to IRC members and IRC Network members and delegates and event attendees, the IRC may be required to provide third-party service providers with minimal member personal information (such as: name, company details and email address) in order to provide these member benefits. Personal information provided to third-party service providers for such purposes will be limited to only that information which is absolutely necessary in order for the member to enjoy the entitled benefit. No further information will be provided and third-party service providers are prohibited from using member details for any other purpose, other than providing the member benefit or for statistical and historical purposes specifically for the IRC. Third-party service providers will delete all member information once the service for which the information was required has been delivered.
Your privacy is important to us. The IRC will therefore not sell, rent nor provide your personal information to unauthorised entities or to third parties for their independent use without your consent. The IRC will release your personal information to a party if it believes that the IRC is required by law or by a court or statutory body to do so. The IRC will also disclose your personal information if the IRC believes that it is necessary to prevent or lessen any unlawful or harmful actions and to protect and defend legitimate business interests, rights or property of the IRC.
PROTECTION OF PERSONAL INFORMATION
The IRC values the information that you choose to provide to us and will therefore take reasonable steps to protect your personal information from loss, misuse or unauthorised alteration. The IRC conducts regular security testing of its information storage and ensures that its representatives are trained around protection of personal information to ensure that your personal information is used correctly and protected.
Upon your request the IRC will provide you with its records of the personal information you provided to us. This information will be provided to the email address on the IRC register of members or in the IRC Network database.
If you wish to object to the IRC processing your personal information, kindly complete Form 1 (Annexure A) in terms of POPIA and send same to the Information Officer at the IRC at admin@integratedreportingsa.org. Objecting to the processing of your personal information may result in services being stopped, access or implementation issues and/or other service inefficiencies and communications.
STORAGE OF PERSONAL INFORMATION AND RETENTION THEREOF
Personal information is stored by appointed internal IRC representatives using storage located in the cloud (which in this case may be hosted outside of South Africa, see below) and which is accessed by IRC internal representatives only. Personal information will only be retained for so long as necessary to carry out the function, services required and/or for historical and statistical use by the IRC.
Personal information no longer required for the purposes of rendering services to you or after completion of services, will be destroyed. The IRC undertakes to ensure that personal information shall not be stored for longer than 5 years, unless required to do so by law or other regulatory obligations and/or for historical record purposes. The IRC however may maintain de-identified information for statistical purposes.
SECURITY
We take information security seriously and have policies and procedures in place to ensure the information we hold on you remains safe. We limit who has access to your information and ensure that those who do are bound by contracts to keep the availability of your information restricted and safe.
TRANS-BORDER FLOW OF PERSONAL INFORMATION
Your personal information may be stored on servers located outside of South Africa due to the IRC’s cloud storage system. We maintain strict policies to ensure that all information is stored safely and securely.
LINKS ON THE IRC WEBSITE OR EMAIL COMMUNICATIONS
The IRC is not responsible for the content or the privacy policies of websites of other institutions to which it may link you – mainly for information purposes and access to documents provided by such institutions. The use of other third-party websites and content is at your sole discretion. This policy applies solely to information collected by the IRC.
The IRC is not responsible for any representations or information or warranties or content on any website of any third-party (including websites linked to the IRC website). The IRC does not exercise control over third parties’ privacy policies and you should refer to the privacy policy of any third party to see how such party protects your privacy.
PERSONAL INFORMATION HELD BY OR DISCLOSED BY YOU TO THIRD PARTIES
If you disclose any personal information to a third party, such as one of our business partners or anyone other than the IRC, you must be aware that the IRC does not regulate or control how that third party uses your personal information. You should always ensure that you read the privacy policy of any third party.
YOUR RIGHTS AND RESPONSIBILITY
You have the right to ask us to update, delete or stop processing information we hold about you. However, please note that there are circumstances in which complete erasure of your information or ceasing to process your information will not be possible for operational, legal and business reasons. This may include if we need to provide services to you, or if you wish us to no longer contact you for marketing purposes. In this case we may need to retain some of your details securely in order to facilitate this request by, for example, keeping you on a “do not contact” or suppression list. This will be the only purpose for which your data will be used if this is the case.
It is your responsibility to ensure that the personal information provided to the IRC is true, correct and accurate at all times. You may update and correct your personal information at any time by contacting the IRC, at admin@integratedreportingsa.org.
The IRC does not vet or check the information provided to it, and thus will not be held responsible for any incorrect or outdated information it may have and which may be used to provide you with relevant and important communications.
If you would like your personal information deleted by the IRC, kindly also use Form 2 (Annexure B) and send same to the Information Officer at the IRC at admin@integratedreportingsa.org. Deleting your personal information may impact the services being used, offered or access thereto.
ACCESS TO PERSONAL INFORMATION HELD BY THE IRC
See the IRC PAIA Manual for detailed information around your rights to access information held by the IRC and applicable steps to follow.
CHANGES TO THIS POLICY
The IRC may change this policy at any time. The most current version of this policy will be displayed on the IRC website. If you use this website or any of the services or facilities offered by the IRC after the IRC has displayed a change to this policy, you will be deemed to have read and agreed to the change.
APPLICABLE LAWS
This policy will be governed by the laws of the Republic of South Africa. Specifically, the IRC undertakes to comply with the provisions of POPIA and the Promotion of Access to Information Act No. 2 of 2000 (“PAIA”).
JURISDICTION
You consent to the jurisdiction of the South African courts for any dispute which may arise out of this privacy policy.
CONTACT INFORMATION
Please contact the Chief Information Officer by sending any requests to admin@integratedreportingsa.org.
FORM 1 and FORM 2 may be obtained from the following link: https://justice.gov.za/inforeg/legal/InfoRegSA-RegulationsDraft-Aug2017.pdf