-
Introduction
1.1 regulations set out by the Protection of Personal Information Act of 2013 in South Africa and the Data Protection Act of 2019 in Kenya which r unlawful collection, retention, dissemination and use of personal information. The purpose of this policy is to assist Nova Pioneer to meet its statutory obligations.
1.2 Nova Pioneer will adhere to the requirements and regulations laid out in this policy across all regions in which it operates (at the time of publication of this version, this includes South Africa and Kenya) in accordance with the abovementioned acts.
1.3 This Policy seeks to protect the personal information of its stakeholders: Nova Pioneer Employees, Students and Parents/Guardians.
1.4 Nova Pioneer will work to comply with all regulations stipulated by the Protection of Personal Information Act in South Africa by the prescribed deadline of 1 July 2021.
-
Application
2.1 This Policy applies to and is for the attention of all Nova Pioneer stakeholders across all regions in which Nova Pioneer operates – Employees, Parents/Guardians, Students and Third Parties acting as operators who process personal information within Nova Pioneer.
2.2 Nova Pioneer will implement educational programmes and training to ensure all stakeholders comply with this Policy.
-
Definitions:
Unless inconsistent with the context, the expressions set out in this policy will have the meanings assigned to them in the glossary of terms applicable to all policies, procedures, standards and guidelines adopted and published by the Nova Pioneer Policy Committee (NPPC). The Glossary of terms shall be available from the NPPC on request.
The following terms should be understood when reading this policy:
3.1 information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. The types of personal information collected are listed per data subject in the policy that follows.
3.2 a public or private body who determines the purpose, and means, of processing personal information in their possession.
3.3 the person to whom the personal information relates, meaning a living person or juristic entity such as a company or institution.
3.4 refers to any act that can be performed when handling personal information. POPI defines processing to include collecting, recording, organising, updating, storing, distributing, destroying or deleting personal information.
3.5 an employee of Nova Pioneer who has been appointed by the CEO to ensure that personal information is processed in terms of the Protection of Personal Information Act.
3.6 special personal information refers to information concerning children or the information about a Data , health, religion, religious or philosophical beliefs, ethnic origin, trade union membership, sexual life, criminal behaviour or biometric information. POPI does not permit the processing of special personal information unless the Data Subject has consented.
3.7 means any voluntary, specific and informed expression to grant permission for the processing of personal information by a Data Subject.
-
Personal Information
4.1 All data subjects of Nova Pioneer have the right to be notified if personal data is being collected; to request access to their personal information; to object, on reasonable grounds, to the processing of their personal information; and to submit a complaint to the Information Regulator regarding any violation of their rights to have their personal information protected.
4.2 Nova Pioneer collects and processes personal information for the following stakeholders – Employees, Students and Parents/Guardians:
4.2.1 Employee Information
4.2.1.1 Collection:
Personal information is collected from employees in the form of information and documentation and includes:
4.2.1.1.1 Personal details such as name and contact details,
4.2.1.1.2 Name and contact details of next-of-kin in case of emergency,
4.2.1.1.3 Identity information such as race, date of birth, gender, identity number and proof of identification,
4.2.1.1.4 in the case of non-citizens, passport and work permit details,
4.2.1.1.5 original records of application and work record (qualifications, compliance certificates, classes taught, subjects, etc.),
4.2.1.1.6 details of any prior criminal records. Nova Pioneer captures biometric data in the form of fingerprints for submission of a police clearance,
4.2.1.1.7 bank account details,
4.2.1.1.8 information related to employee performance during their tenure with Nova Pioneer including promotions, performance management plans, disciplinary actions, etc.,
4.2.1.1.9 survey feedback solicited from employees about school culture, operations, facilities, academic experience, etc.
4.2.1.2 Use/Purpose: Employee records are kept for the purposes of:
4.2.1.2.1 the management and administration of school business,
4.2.1.2.2 to facilitate the payment of employees, and calculate other benefits,
4.2.1.2.3 general human resources management,
4.2.1.2.4 recording promotions made and changes in responsibilities, etc.,
4.2.1.2.5 to enable the school to comply with its obligations as an employer, including the preservation of a safe, efficient working and teaching environment, to enable Nova Pioneer to comply with requirements set down by the Department/Ministry of Education and other regulatory bodies,
4.2.1.2.6 for compliance with legislation relevant to Nova Pioneer.
4.2.1.2.7 improving the Nova Pioneer offering through use of survey results.
4.2.1.3 Location and storage:
All employee data is stored within the HR Management System. Each employee is provided with login access to the system allowing them to view and update their personal details as needed.
4.2.2 Student Information
4.2.2.1 Collection:
Personal information collected from students is in the form of information and documentation. It is sought and recorded during the application and enrolment process and may be collated and compiled during the course of the student’s time at Nova Pioneer.
These records may include:
4.2.2.1.1 Name, address and contact details
4.2.2.1.2 Personal identification details – gender, date and place of birth, ID number and proof of identification.
4.2.2.1.3 Names and addresses of parents/guardians and their contact details (including any special arrangements with regard to guardianship, custody or access, etc.),
4.2.2.1.4 In the case of non-citizens, passport and student permit details.
4.2.2.1.5 Information such as religious belief, racial or ethnic origin, language preferences.
4.2.2.1.6 Medical/health information such as allergies, dietary restrictions, sight or hearing conditions, etc.
4.2.2.1.7 Any relevant special conditions (e.g. special educational needs, health issues, physical disabilities, etc.)
4.2.2.1.8 Information on previous academic record (including reports, references, assessments and other records from any previous school(s) attended by the student),
4.2.2.1.9 Psychological, psychiatric and/or medical assessments/forms
4.2.2.1.10 Permission slips/consent forms,
4.2.2.1.11 Attendance records,
4.2.2.1.12 Photographs and recorded images of students (including at school events and noting achievements) are managed in accordance with the Nova Pioneer Student Enrollment Contract.
4.2.2.1.13 Academic record – subjects studied, class assignments, examination results as recorded on official school reports,
4.2.2.1.14 Records of significant achievements,
4.2.2.1.15 Records of disciplinary issues/investigations and/or sanctions imposed,
4.2.2.1.16 Records of any serious injuries/accidents, etc.,
4.2.2.1.17 Survey feedback about school culture, operations, facilities, academic experience, etc.
4.2.2.2 Use/Purpose:
Student personal information is kept for the following purposes:
4.2.2.2.1 to record student progress over their lifetime at Nova Pioneer such that each student is able to develop to his/her full potential
4.2.2.2.2 to comply with legislative or administrative requirements e.g. LURITS in South Africa, NEMIS in Kenya,
4.2.2.2.3 to enable parents/guardians to be contacted in the case of emergency or to inform parents of their child’s educational progress or to inform parents of school events, etc.,
4.2.2.2.4 to support the educational, social, physical and emotional requirements of each student,
4.2.2.2.5 to record the achievements, e.g. compile yearbooks, establish a school website, record school events, and to keep a record of the history of the school. Such records are taken and used in accordance with the Nova Pioneer Student Enrollment Contract.
4.2.2.2.6 to ensure that the student meets the school’s admission criteria including minimum academic and age requirements,
4.2.2.2.7 to furnish documentation/information about the student to the Department/Ministry of Education,
4.2.2.2.8 to furnish, when requested by the student (or their parents/guardians in the case of a student under 18 years) documentation/information references to tertiary-level educational institutions,
4.2.2.2.9 improving the Nova Pioneer offering through use of survey results.
4.2.2.3 Location and storage:
All student data is stored within the School Information System. Parents/guardians of students have access to the SIS through a Parent Portal which allows them to view and update their details as needed.
4.2.3 Parent/Guardian Information
4.2.3.1 Collection:
In addition to the abovementioned personal data collected for students, personal information is collected from parents/guardians and includes:
4.2.3.1.1 Name, address, relation to student and contact details,
4.2.3.1.2 Personal identification details – ID number and proof of identification,
4.2.3.1.3 in the case of non-citizens, passport and work permit details as necessary,
4.2.3.1.4 financial information such as proof of income and proof of residence documentation,
4.2.3.1.5 employment information such as profession, company and relevant contact details.
4.2.3.2 Use/Purpose:
Parent/guardian records are kept for the purposes of:
4.2.3.2.1 Conducting affordability and credit checks to ensure ability to pay school fees.
4.2.3.2.2 Billing of tuition fees
4.2.3.2.3 Contacting parents/guardians in cases of emergency
4.2.3.2.4 Keeping parents/guardians updated of student academic progress
4.2.3.2.5 Communicating with parents/guardians regarding student behaviour.
4.2.3.3 Location and storage:
All student data is stored within the School Information System (SIS). Parents/guardians of students have access to the SIS through a Parent Portal which allows them to view and update their details as needed.
4.2.4 Creditors
4.2.4.1 Collection:
Nova Pioneer may hold some or all of the following information about creditors: Name, Address, Contact details, Tax details, Bank details and Amounts paid
4.2.4.2 Use/Purpose:
Creditor information is kept for purposes of routine financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.
4.2.4.3 Location and storage:
All financial information related to creditors is managed
-
The Information Officer
5.1 The Information Officer is a Nova Pioneer employee and is appointed by the CEO.
5.2 The Information Officer of Nova Pioneer will: only undertake their duties after Nova Pioneer is registered with the Information Regulator;
5.2.1 monitor and implement Codes of Conduct issued by the Information Regulator; and
5.2.2 encourage Nova Pioneer and its stakeholders to comply with the requirements of processing personal information in terms of the provisions of the POPI Act.
-
Data Security & Protection
To ensure the safety and security of all data, Nova Pioneer shall:
6.1 ensure that all systems, services and equipment used for processing and/or storing data adhere to acceptable standards of security and data safeguarding, and are regularly updated to continue to comply with such standards;
6.2 issue appropriate, clear, regular rules and directives, whether for the organisation as a whole or a particular part of it, department, person or including password protocols, data access protocols, sign-on procedures, password safeguarding protocols, the description of accessories, applications and equipment, etc.
6.3 evaluate any third-party services Nova Pioneer is considering or may acquire to process or store data, e.g. cloud computing services.
6.4 The only person(s) entitled to access data covered by this policy, will be those who need to access it for the execution of their direct work services or required outputs.
6.5 Under no circumstances will data or personal information be shared outside the scope of required work outputs, or informally.
6.6 In the event of any doubt, an employee shall be entitled to access confidential information only after obtaining authorisation from their line manager or a senior manager, where any work output requiring access is unusual or out of the ordinary.
6.7 Employees will receive induction and on-the-job training in relation to and work outputs involving personal information of data subjects.
6.8 Employees shall keep all data secure by taking sensible practical precautions and complying with all rules, practices and protocols. In particular, strong passwords shall be used at all times and passwords shall not be shared. In the exceptional circumstance that a password may require to be shared, it shall only take place after explicit, provable authorisation has been procured from a senior manager or line manager before sharing it, and then only for the stated purpose. All necessary steps shall be taken after a password has been shared in such exceptional circumstances, to reset it to a strong, unique password to avoid future data compromise or breach.
6.9 Personal data will not be shared informally, and in particular it will never be sent by email or without protection with appropriate passwords, where required to be sent by email;
6.10 Data shall be encrypted before being transferred electronically. The IT manager will develop and maintain protocols for data transfer to ensure it is sent in protected form to authorised parties;
6.11 Personal data shall never be transferred or sent to any entity not authorised directly to receive it;
6.12 Employees are prohibited from saving copies of personal data to their own computers;
-
Unauthorized access/breach to security of personal information
In the event that the security of personal information is breached in any way, Nova Pioneer will:
7.1 Notify the Regulator (through the Information Officer) and data subject, if possible, if it reasonably believes that the personal information of a data subject has been accessed or acquired by any unauthorised party. The data subject must be informed via a notice that is in writing and is address; sent by e- address;
7.2 The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. The notice must include a description of the possible consequences of the security compromise; a description of the measures that the responsible party intends to take or has taken to address the security compromise; a recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise; and if known to the responsible party, the identity of the unauthorised person who may have accessed or acquired the personal information.
7.3 The notification must take place as soon as reasonably possible after the parties have become aware of the compromise. Nova Pioneer must consider the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and when deciding on the length of time in which to report the compromise to the Regulator and the data subject. Should Nova Pioneer become aware of the fact that disclosing the compromise to the data subject will impede a criminal investigation it may delay disclosing the compromise to the data subject.
-
Data storage:
8.1 Storage of data in hard copy/paper form will follow the following protocols:
8.1.1 Where data is stored on paper, it will always be kept in a secure place where an unauthorised person cannot access or see it. This also applies to data stored electronically which has been printed out for any reason.
8.1.2 When not required for use such papers should be kept in a locked drawer, safe or cabinet.
8.1.3 Employees should ensure that paper and print-outs are not left in places where unauthorised persons can see them, e.g. on a printer, and all unwanted paper must be shredded.
8.2 Storage of data in electronic form will follow the following protocols:
8.2.1 Where data is stored electronically, it must be protected from unauthorised access, accidental deletion or any risk of exposure to malicious hacking attempts:
8.2.2 Data should be protected by strong passwords that are changed regularly and never shared between employees;
8.2.3 Where data is stored on removable media such as a CD or a DVD these must at all times be locked away securely when not in immediate use;
8.2.4 All data will only be stored on designated drives and servers and shall only be uploaded to approved cloud computing services;
8.2.5 All servers containing personal data will be located in secure protected locations away from general office space;
8.2.6 Data will be backed up frequently in accordance with backup protocols. Such backups will be tested regularly in line with the under the direction of the IT Manager,
8.2.7 Data will never be saved directly to laptops or other mobile or removable devices such as tablets or smartphones or or data sticks;
8.2.8 All servers and computers containing data will be protected by approved security software, and one or more firewalls under the direction of the IT Manager.
-
Consent to processing and storing personal information
9.1 Nova Pioneer shall not collect, process or store personal information without the consent of the data subject. If the data subject is a student, wh parent/guardian must consent.
9.2 Consent may be given verbally or in writing and a record of the consent obtained from a data subject will be kept.
9.3 Nova Pioneer shall allow a data subject, who adequately identifies him/herself to the Information Officer, to access his/her personal information. The data subject may request that corrections be made to his/her personal information if it has changed. The data subject may also request that the Information Officer delete information that was unlawfully obtained, is excessive, out of date, irrelevant, misleading or incomplete. In cases where access is granted through self-service channels, the data subject may access and update the data directly, e.g. through the School Information System Parent Portal (parents/guardians) and the HR Management System (employees).
9.4 The school may process information without the data subject and/or parent/guardians’ consent if it is necessary for the conclusion or performance of a contract to which the data subject is a party; and/or the processing complies with an obligation contained in legislation; and/or it protects the legitimate interest of the data subject; and/or it is necessary for the proper performance of a public law duty that has been imposed on the school; and/or it is necessary for pursuing the legitimate interests of Nova Pioneer or a third party to whom the information is supplied. The Information Officer shall determine what shall constitute a legitimate interest and if necessary shall seek legal advice.
9.5 Nova Pioneer will inform a data subject if their information is being collected for advertising or marketing purposes. Data subjects may object to the use of their data for marketing purposes.
9.6 A Data Subject may withdraw the consent they gave Nova Pioneer to process their personal information.
9.7 Nova Pioneer is allowed further processing of information after an initial consent to collect personal information was garnered but such processing must be compatible with the purpose for which the personal information was initially collected.
-
Personal Information and Third Parties
10.1 The terms laid out in this Policy apply to all Third Party Vendors or Service Providers with which Nova Pioneer has agreements. Third Party Service Providers are subject to the same regulations as Nova Pioneer in terms of protection of personal information.
10.2 Nova Pioneer may disclose Personal Information of data subjects to our providers whose services or products stakeholders elect to use. The relevant agreements in place will ensure confidentiality and privacy conditions.
10.3 Nova Pioneer may also disclose personal information of data subjects where we have a duty or a right to disclose in terms of applicable legislation, the law or where it may be necessary to protect the rights of Nova Pioneer.
-
Review Cycle:
This Policy will be reviewed periodically at the Policy Committee meeting and changes to the policy will then be discussed and documented before being approved and implemented.