DEFINITIONS

In this document, unless the context indicates otherwise, the words and expressions set out below shall have the meanings assigned to them and cognate expressions shall have a corresponding meaning, namely:

  1. Data Subjects means any person providing data to HISP that allows them to be identified;
  1. HISP SA means the Health Information Systems Program SA Non-Profit Company (Registration number: 2003/005786/08);
  1. Personal Information shall have the meaning ascribed thereto in terms of section 1 of POPI, namely: any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to – information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth of the person; information relating to the education or the medical, financial, criminal or employment history of the person; any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person; the biometric information of the person; the personal opinions, views or preferences of the person; correspondence sent by the person that would reveal the contents of the original correspondence; the views or opinions of another individual regarding the person; and the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;
  1. Policy means this POPI policy;
  1. POPI means the Protection of Personal Information Act No. 4 of 2013;
  1. PAIA means the Promotion of Access to Information Act 2 of 2000;
  1. Responsible Party means the ‘public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information’.
  1. Operator means ‘a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party’.
  1. Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
    • the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
    • dissemination by means of transmission, distribution or making available in any other form; and
    • merging, linking as well as restriction, degradation, erasure or destruction of information; and
  1. Users shall mean users of electronic systems developed, owned and/or managed by HISP SA.

BACKGROUND

  1. HISP SA designs, develops and implements digital health tools and solutions.
  1. HISP SA is committed to complying with POPI and all related regulations and undertakes to comply with such legislation.
  1. This Policy deals with the manner in which HISP SA processes Personal Information which is collected from the Data Subjects and the purpose of such Processing.
  1. This Policy supersedes any previous documentation implemented by HISP SA related to the protection of Personal Information and declares such documents null and void.

PERSONAL INFORMATION COLLECTED AS A RESPONSIBLE PARTY

  1. HISP SA collects and processes information about its Employees, as a Responsible Party, for the purpose of conducting its business operations, within the parameters of the Human Resource Manual.
  2. HISP SA shall endeavour to only collect and process Personal Information relating to Data Subjects which is adequate, relevant, and not excessive in terms of POPI and which is required by HISP SA to conduct its business operations.  
  1. HISP SA collects the following information and any documentation and/or information related thereto, including but not limited to:

Personal Information: HISP Staff
    • Identity and/or passport number
    • Date of birth and age
    • Phone number/s
    • Email address/es
    • Online/instant messaging identifier
    • Physical Address
    • Private Correspondence
    • Employment history and salary information
    • Financial Information
    • Education Information

Special Personal Information
    • Gender, Race and Ethnic Origin
    • Photos, voice recordings, video footage (also CCTV), and biometric data
    • Criminal record
    • Religious/philosophical beliefs & political opinions
    • Physical/mental health info, blood type, details on your sex life
    • Membership to organizations/unions
    • Marital/Relationship status & Family relations

PERSONAL INFORMATION COLLECTED AS AN OPERATOR

  1. HISP-SA functions as an Operator in various contracts with clients and in these instances HISP-SA does not own the data or function as the Responsible Party that decides what personal information will be collected and how the information should be processed. 
  1. HISP SA shall endeavour to engage with the Responsible Party to highlight POPI and PAIA issues related to the 8 conditions of processing personal data and engage with the client on clarifying the responsibilities of each party to ensure absolute compliance. 

Personal Information: DHIS2 Users, DHIS2 Tracker
    • Identity and/or passport number
    • Date of birth and age
    • Phone number/s
    • Email address/es
    • Physical Address
    • Private Correspondence
    • Employment history and salary information
    • Financial Information
    • Education Information

Special Personal Information
    • Gender, Race and Ethnic Origin
    • Photos, voice recordings, video footage (also CCTV), and biometric data
    • Criminal record
    • Religious/philosophical beliefs & political opinions
    • Physical/mental health info, blood type, details on your sex life
    • Membership to organizations/unions
    • Marital/Relationship status & Family relations

USE AND PROCESSING OF PERSONAL INFORMATION

  1. HISP SA shall only process the Data Subject’s Personal Information if the Processing is –
    1. necessary to carry out its obligations in terms of any engagement between HISP SA and the Data Subject in question;
    2. consented to by the Data Subject in question;
    3. required for HISP SA to comply with its obligations imposed by law, in which case the Data Subject shall be informed thereof;
    4. necessary to protect a legitimate interest of the Data Subject; or
    5. necessary to pursue the legitimate interests of HISP SA or of a third party to whom the information is supplied.
  1. HISP SA shall only use the Data Subject’s Personal Information for the purpose for which the information was collected, which purpose may include, but will not be limited to –
    1. its business operations, namely, improving decision-making and thereby improving lives;
    2. the purposes stipulated in the relevant contractual agreement entered into between HISP SA and its clients;
    3. in relation to Personal Information pertaining to HISP SA’s staff, management and administrative functions required for routine business operations; and
    4. HISP SA’s recruitment processes, including allowing HISP SA to make informed decisions for HISP SA’s internal recruitment of candidates.
  1. HISP SA undertakes to not process Personal Information of Data Subjects for purposes other than those initially intended.
  2. HISP SA does not own the information we collect, store or transmit on behalf of our clients and thus does not have the right to release such information. Access to such information must be requested directly from the Responsible Party.

DISCLOSURE

  1. Subject to the provisions of this clause 5, HISP SA undertakes to treat the Data Subject’s Personal Information as confidential and comply with the necessary Processing and privacy standards set out by POPI and this Policy.
  1. HISP SA may disclose the User’s Personal Information to any of its affiliates or third-party service providers within the contractual agreements with HISP employees and clients.  
  1. HISP SA undertakes to ensure that any affiliates or third-party service providers to which Personal Information is disclosed in terms of clause 5.1 above, comply with the necessary confidentiality, Processing and privacy standards set out by POPI and this Policy.
  1. HISP SA further undertakes to enter into the necessary agreements with affiliates or third-party service providers to which Personal Information is disclosed to ensure compliance with the standards set out by POPI and this Policy.
  1. HISP SA may obtain information regarding its Data Subjects from third parties for the reasons set out in this Policy.
  1. HISP SA may disclose Data Subject’s Personal Information where it is required to do so by law or when it is necessary to protect its rights.

SECURITY AND SAFEGUARDS

  1. HISP SA undertakes to take reasonable steps to ensure that Personal Information obtained from Data Subjects is stored safely and securely.
  1. HISP SA shall ensure technical and organisational measures are in place and are continuously reviewed to secure the integrity of Personal Information collected, stored or transmitted through HISP SA electronic systems and take all appropriate measures to guard against the risk of loss, damage, or unauthorised access to the Data Subject’s Personal Information.
  1. HISP SA shall have due regard to generally accepted information security practices and procedures.
  1. HISP SA shall ensure that Personal Information is only used for legitimate purposes with the Data Subject’s consent, if applicable, and by duly authorised persons.
  1. Should any data breach occur in relation to a Data Subject’s Personal Information, HISP SA shall notify the Data Subject thereof and implement the necessary recovery procedures to retrieve such information and mitigate the effect of such data breach.

INFORMATION QUALITY

HISP SA undertakes to ensure that a Data Subject’s Personal Information is complete, up-to-date and accurate before it is processed when it is reasonably practicable to do so. Therefore, Data Subjects may be requested to update their Personal Information from time to time or based on the terms of any engagement with HISP SA.

ACCESS AND CORRECTION OF PERSONAL INFORMATION

  1. Data Subjects have the right to access their Personal Information which is held by HISP SA.
  1. Data Subjects are entitled to request that HISP SA update, correct or delete any Personal Information that is held by HISP SA and HISP SA shall endeavour to comply with the request as soon as reasonably practicable.
  1. Should a Data Subject object to the Processing of its Personal Information and inform HISP SA thereof, HISP SA shall no longer process such Personal Information.
  1. HISP SA shall request and verify the identity of the requesting party prior to giving effect to any requests made in terms of this clause 8.
  2. All requests made by Data Subjects in terms of this clause 8 shall be directed to the Information Officer or Deputy Information Officers (if applicable).

MARKETING

HISP-SA does not currently do any direct marketing or campaigns that require mass communication.

INFORMATION OFFICER

  1. HISP SA’s Information Officer is Sean Broomhead (“Information Officer”).
  1. The Information Officer is responsible for HISP SA’s compliance with POPI and ensuring the lawful processing of Data Subjects’ Personal Information.
  1. The Information Officer’s deputies are Potlaki Moloi and Elmarie Claasen who shall assist the Information Officer with his duties (“Deputy Information Officers”).
  1. The duties and responsibilities of the Information Officer and Deputy Information Officers (if applicable) include:
    1. encouraging and enforcing compliance with POPI;
    2. dealing with requests made to HISP SA in relation to POPI (including requests from Data Subjects to update or view their personal information);
    3. working with the information regulator in relation to investigations;
    4. conducting preliminary assessments;
    5. the development, implementation and monitoring of this Policy and compliance framework;
    6. ensuring that this Policy is supported by appropriate documentation;
    7. ensuring that documentation is relevant and is kept up to date; and
    8. ensuring this policy and subsequent updates are communicated to senior managers, their coordinators, and all staff.
  2. HISP SA undertakes to ensure that all employees, business units, departments and individuals directly associated with HISP SA adhere to this Policy and report any information security breaches or risks which require notification in accordance with this Policy and HISP SA’s cybersecurity policy.

DETAILS OF INFORMATION OFFICER AND DEPUTY INFORMATION OFFICERS

| DESIGNATION | NAME | CONTACT |
|---|---|---|
| Information Officer | Sean Broomhead | io@hisp.org |
| Deputy Information Officer | Potlaki Moloi | io@hisp.org |
| Deputy Information Officer | Elmarie Claasen | io@hisp.org |

INTERNAL PROCEDURES

HISP SA shall put the following internal measures in place to ensure the protection of the Data Subject’s Personal Information –

  1. the approval of this Policy by HISP SA’s chief executive officer in his role as the Information Officer, and his duly elected Deputy Information Officers;
  1. the appointment of the Information Officer;
  1. the appointment of the Deputy Information Officers;
  1. training its staff on the provisions of POPI;
  1. notifying staff of any changes made to this Policy, POPI and/or legislation related to POPI;
  1. making HISP SA’s internal policy binding upon its staff; and
  1. conducting regular backups of data.

AVAILABILITY OF THIS POLICY

This Policy is available for inspection on HISP SA’s website by clicking on the following link: https://preprod.hisp.org/privacy-policy/

DOCUMENT AMENDMENTS

  1. This Policy shall be reviewed annually by HISP SA.
  1. Notwithstanding clause 13.1 above, HISP SA may amend this Policy as and when required.

INTERPRETATION

  1. In this Policy, unless the context requires otherwise:
    1. words importing any one gender shall include the other two genders;
    2. the singular shall include the plural and vice versa; and
    3. a reference to natural persons shall include created entities (corporate or unincorporated) and vice versa.
  1. In this Policy, the headings have been inserted for convenience only and shall not be used to assist or affect its interpretation.
  1. Where a clause reference is referred to in this Policy and followed by the heading of the clause so referred, if there is any conflict between the two, the word reference to the heading shall prevail.
  1. Words and/or expressions defined in any clause in the body of this Policy shall, unless the application of such words and/or expressions is specifically limited to that clause, bear the meaning assigned to them throughout this Policy.
  1. The eiusdem generis rule shall not apply and accordingly, whenever a provision is followed by the word “including” followed by specific examples, such examples shall not be construed to limit the ambit of the provision concerned.