HISP-SA Privacy Policy

Effective Date: 01/07/2021

Date of Last Revision: 25/06/2021

In this document, unless the context indicates otherwise, the words and expressions set out below shall have the meanings assigned to them and cognate expressions shall have a corresponding meaning, namely: 

  1. Data Subjects means persons applying for employment with HISP SA, HISP SA’s staff, staff of HISP SA’s clients and Users;
  2. HISP SA means the Health Information Systems Program SA Non-Profit Company (Registration number: 2003/005786/08);
  3. Personal Information shall have the meaning ascribed thereto in terms of section 1 of POPI, namely: any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to – information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that would reveal the contents of the original correspondence; the views or opinions of another individual regarding the person; and the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
  4. Policy means this POPI policy;
  5. POPI means the Protection of Personal Information Act No. 4 of 2013;
  6. Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
    • the collection receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    • dissemination by means of transmission, distribution or making available in any other form; and
    • merging, linking as well as restriction, degradation, erasure or destruction of information; and
    • Users shall mean users of electronic systems developed, owned and/or managed by HISP SA.
  7. Users shall mean users of electronic systems developed, owned and/or managed by HISP SA.
  1. HISP SA designs, develops and implements digital health tools and solutions.
  2. HISP SA is committed to complying with POPI and all related regulations and undertakes to comply with such legislation.
  3. This Policy deals with the manner in which HISP SA processes Personal Information which is collected from the Data Subjects and the purpose of such Processing.
  4. This Policy supersedes any previous documentation implemented by HISP SA related to the protection of Personal Information and declares such documents null and void.
  1. HISP SA collects the following information and any documentation and/or information related thereto, including but not limited to:
  2. HISP SA shall endeavour to only collect and process Personal Information relating to Data Subjects which is adequate, relevant, and not excessive in terms of POPI and which is required by HISP SA to provide Data Subjects with the required digital health tools and solutions.
  3. HISP SA shall endeavour to inform the Data Subject of the information which is required for HISP SA to adequately provide the required health tools and solutions to the Data Subject and which information is optional but may still be useful to HISP SA for the provision of the health tools and solutions.
  1. HISP SA shall only process the Data Subject’s Personal Information if the Processing is –
    • necessary to carry out its obligations in terms of any engagement between HISP SA and the User in question;
    • consented to by the Data Subject in question;
    • required for HISP SA to comply with its obligations imposed by law, in which case the Data Subject shall be informed thereof;
    • necessary to protect a legitimate interest of the Data Subject; or
    • necessary to pursue the legitimate interests of HISP SA or of a third party to whom the information is supplied.
  2. HISP SA shall only use the Data Subject’s Personal Information for the purpose for which the information was collected, which purpose may include, but will not be limited to –
    • its business operations, namely, improving decision-making and thereby improving lives;
    • the purposes stipulated in the relevant contractual agreement entered into between HISP SA and its clients;
    • in relation to Personal Information pertaining to HISP SA’s staff, management and administrative functions required for routine business operations; and
  3. HISP SA’s recruitment processes, including allowing HISP SA to make informed decisions for HISP SA’s internal recruitment of candidates.
  4. HISP SA undertakes to not process Personal Information of Data Subjects’ for purposes other than those initially intended.
  1. Subject to the provisions of this clause 5, HISP SA undertakes to treat the Data Subject’s Personal Information as confidential and comply with the necessary Processing and privacy standards set out by POPI and this Policy.
  2. HISP SA may disclose the User’s Personal Information to any of its affiliates or third-party service providers from which the User requires the health tools and solutions.
  3. HISP SA undertakes to ensure that any affiliates or third-party service providers to which Personal Information is disclosed in terms of clause 1 above, comply with the necessary confidentiality, Processing and privacy standards set out by POPI and this Policy.
  4. HISP SA further undertakes to enter into the necessary agreements with affiliates or third-party service providers to which Personal Information is disclosed to ensure compliance with the standards set out by POPI and this Policy.
  5. HISP SA may obtain information regarding its Users from third parties for the reasons set out in this Policy.
  6. HISP SA may disclose Data Subject’s Personal Information where it is required to do so by law or when it is necessary to protect its rights.
  1. HISP SA undertakes to take reasonable steps to ensure that Personal Information obtained from Data Subjects is stored safely and securely.
  2. HISP SA shall ensure technical and organisational measures are in place and are continuously reviewed to secure the integrity of Personal Information collected, stored or transmitted through HISP SA electronic systems and take all appropriate measures to guard against the risk of loss, damage, or unauthorised access to the Data Subject’s Personal Information.
  3. HISP SA shall have due regard to generally accepted information security practices and procedures.
  4. HISP SA shall ensure that Personal Information is only used for legitimate purposes with the Data Subject’s consent, if applicable, and by duly authorised persons.
  5. Should any data breach occur in relation to a Data Subject’s Personal Information, HISP SA shall notify the Data Subject thereof and implement the necessary recovery procedures to retrieve such information and mitigate the effect of such data breach.

HISP SA undertakes to ensure that a Data Subject’s Personal Information is complete, up to date and accurate before it is Processed, when it is reasonably practicable to do so. Therefore, Data Subjects may be requested to update their Personal Information in terms of any engagement between HISP SA.

  1. Data Subjects have the right to access their Personal Information which is held by HISP SA.
  2. Data Subjects are entitled to request that HISP SA update, correct or delete any Personal Information that is held by HISP SA and HISP SA shall endeavour to comply with the request as soon as reasonably practicable.
  3. Should a Data Subject object to the Processing of its Personal Information and inform HISP SA thereof, HISP SA shall no longer process such Personal Information.
  4. HISP SA shall request and verify the identity of the requesting party prior to giving effect to any requests made in terms of this clause 8.
  5. All requests made by Data Subjects in terms of this clause 8 shall be directed to the Information Officer or Deputy Information Officers (if applicable).
  1. HISP SA’s Information Officer is Sean Broomhead (“Information Officer”).
  2. The Information Officer is responsible for HISP SA’s compliance with POPI and ensuring the lawful processing of Data Subjects’ Personal Information.
  3. The Information Officer’s deputies are Potlaki Moloi and Elmarie Claasen who shall assist the Information Officer with his duties (“Deputy Information Officers”).
  4. The duties and responsibilities of the Information Officer and Deputy Information Officers (if applicable) include:
    • encouraging and enforcing compliance with POPI;
    • dealing with requests made to HISP SA in relation to POPI (including requests from Data Subjects to update or view their personal information);
    • working with the information regulator in relation to investigations;
    • conducting preliminary assessments;
    • the development, implementation and monitoring of this Policy and compliance framework;
    • ensuring that this Policy is supported by appropriate documentation;
    • ensuring that documentation is relevant and is kept up to date; and
    • ensuring this policy and subsequent updates are communicated to senior managers, their coordinators, and all staff.
  5. HISP SA undertakes to ensure that all employees, business units, departments and individuals directly associated with HISP SA adhere to this Policy and report any information security breaches or risks which require notification in accordance with this Policy and HISP SA’s cybersecurity policy.
  • Information Officer: Sean Broomhead
  • Deputy Information Officer: Elmarie Claasen
  • Deputy Information Officer: Potlaki Moloi

Contact via email on io@hisp.org 

HISP SA shall put the following internal measures in place to ensure the protection of the Data Subject’s Personal Information –

  1. the approval of this Policy by HISP SA’s chief executive officer in his role as the Information Officer, and his duly elected Deputy Information Officers;
  2. the appointment of the Information Officer;
  3. the appointment of the Deputy Information Officers;
  4. training its staff on the provisions of POPI;
  5. notifying staff of any changes made to this Policy, POPI and/or legislation related to POPI;
  6. making HISP SA’s internal policy binding upon its staff; and
  7. conducting regular backups of data.

This Policy is available for download by clicking on the following link.

  1. This Policy shall be reviewed annually by HISP SA.
  2. Notwithstanding clause 1 above, HISP SA may amend this Policy as and when required.
  1. In this Policy, unless the context requires otherwise:
    • words importing any one gender shall include the other two genders;
    • the singular shall include the plural and vice versa; and
    • a reference to natural persons shall include created entities (corporate or unincorporated) and vice versa.
  2. In this Policy, the headings have been inserted for convenience only and shall not be used to assist or affect its interpretation.
  3. Where a clause reference is referred to in this Policy and followed by the heading of the clause is referred, if there is any conflict between the two, the word reference to the heading shall prevail.
  4. Words and/or expressions defined in the body of this Policy shall, unless the application of such words and/or expressions is specifically limited to that clause, bear the meaning is assigned to it throughout this Policy.
  5. The eiusdem generis rule shall not apply and accordingly, whenever a provision is followed by the word “including” followed by specific examples, such examples shall not be construed to limit the ambit of the provision concerned.