The Protection of Personal Information Act‚ 4 of 2013 (POPI) regulates and controls the processing of Personal Information.
LIFT is an Airline company operating in the Republic of South Africa.
LIFT for the purposes of carrying out its business and related objectives‚ does and will from time to time‚ processes the Personal Information of living individuals and legal entities including public and private entities‚ such as Personal Information pertaining to employees and staff‚ prospective employees‚ and job applicants‚ students and interns‚ service providers and contractors‚ vendors‚ clients‚ customers‚ and other third parties.
LIFT is obligated to comply with POPI‚ and the data protection conditions housed under POPI with respect to the processing of all and any Personal Information.
This Policy describes how LIFT will discharge its duties in order to ensure continuing compliance with POPI in general and the information protection conditions and rights of data subjects in particular.
LIFT does on an ongoing basis collect and process Personal Information belonging to Data Subjects in order to carry out and pursue its business and related operational interests. This may‚ without detracting from the generality thereof include:
• Recruitment and employment purposes;
• Concluding contracts and business transactions;
• For risk assessments‚ insurance‚ and underwriting purposes;
• Assessing and processing queries‚ enquiries‚ complaints‚ and/or claims;
• Conducting criminal reference checks and/or conducting credit reference searches or verification;
• Confirming‚ verifying‚ and updating persons details;
• For purposes of personnel and other claims history;
• For the detection and prevention of fraud‚ crime‚ money laundering‚ or other malpractice;
• Conducting market or customer satisfaction research;
• Promotional‚ marketing‚ and direct marketing purposes;
• Financial‚ audit and record-keeping purposes;
• In connection with legal proceedings;
• Providing services to clients to carry out the services requested and to maintain and constantly improve the relationship;
• Communicating with employees‚ third parties‚ customers‚ suppliers and/or government officials and regulatory agencies; and
• In connection with and to comply with legal and regulatory requirements or when it is otherwise required or allowed by law.
This Policy will apply to the processing by LIFT of all and any Data Subjects’ Personal Information.
This Policy without exception will apply to:
• LIFT and its subsidiary companies‚ including all employees thereof‚ including permanent‚ fixed-term‚ and temporary staff‚ directors‚ executives‚ and secondees;
• Any entity or person who processes Personal Information on behalf of LIFT‚ whether residing or operating in South Africa or overseas‚ who will hereinafter be referred to as an “Operator”‚ provided they have been made aware of this Policy.
Any Employee or Operator who processes Personal Information belonging to a Data Subject on behalf of LIFT‚ shall comply with all the provisions of POPI‚ including the 8 data protection conditions set out under section 4 of POPI‚ which are as follows:
• Personal Information shall be obtained and processed fairly and lawfully;
• Personal Information shall be obtained only for one or more specified and lawful purposes‚ and shall not be further processed in any manner incompatible with that purpose or those purposes unless specific consent to do so has been obtained;
• Personal Information shall be adequate‚ relevant and not excessive in relation to the purpose or purposes for which they are processed;
• Personal Information shall be accurate and‚ where necessary‚ kept up to date;
• Personal Information processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes;
• Personal Information shall be processed in accordance with the rights of data subjects under POPI;
• Appropriate technical and organisational safeguards and measures must be put in place to protect and guard against unauthorised or unlawful processing of Personal Information and against accidental loss or destruction of‚ or damage to‚ Personal Information;
• Personal Information shall not be transferred outside South Africa to another country unless that country has similar Data Privacy laws to those housed under POPI in place‚ or the person to whom the Personal Information is being transferred provides a written undertaking to apply the principles housed under POPI to the processing of the aforementioned personal information.
• Necessary cookies enable you to use our website and all its features‚ such as maintaining an anonymous session while visiting the website and enabling access to secure areas of our websites. Without these cookies‚ you may not be able to use all the features of our websites.
Before any Personal Information is processed‚ the person processing such information on behalf of LIFT must bring to the Data Subject’s attention the provisions housed under the LIFT CONSENT TO PROCESS PERSONAL INFORMATION IN TERMS OF THE IMPLIED CONSENT DOCUMENT‚ which is housed on the LIFT website‚ and which for ease of reference is attached hereto marked Annexure “1”‚ which document amongst others houses the following instructions and details.
• Why the processing of the Data Subject’s Personal Information is necessary;
• What Personal Information is required and the purpose for the requirement;
• What will be done with the Personal Information;
• That in order to use the Personal Information‚ the Data Subject must provide consent for such processing‚ unless such processing is necessary to carry out actions for the conclusion or performance of a contract to which the Data Subject is a party; or is required and complies with an obligation imposed by law on either the Data Subject or the Responsible Party; or is necessary to protect the legitimate interest (s) of the Data Subject or the Responsible Party; or is necessary for the proper performance of a public law duty by a public body; or is necessary for pursuing the Data Subject or the Responsible Party’s legitimate interests‚ or that of a third party to whom the Personal Information is supplied;
• Who the Personal Information will be shared with;
• Whether the Personal Information will be sent outside the borders of South Africa and what data security measures are in place to protect the information;
• What will be done with the Personal Information once the purpose for its collection and use has expired.
• When processing a Data Subjects Personal Information‚ the person processing such information must ensure that:
• They only process Personal Information‚ which is relevant and accurate and only for the purpose for which it is required;
• Special Personal Information will only be processed in line with the provisions set out under POPI and in accordance with instructions set out by the Compliance Manager from time to time;
All Company employees and where applicable‚ Operators and persons acting on behalf of LIFT must before processing Personal Information ensure that the record housing the Personal Information will be kept secure and that appropriate measures and safeguards are in place to prevent any unauthorised access‚ disclosure and / or loss of such Personal Information.
Removing and Downloading Personal Information on to portable devices from workplace equipment or taking soft copies of Personal Information off-site must be authorised in writing by the manager of the relevant department from where the information emanates and a copy of such authorisation sent to the Compliance Manager‚ and which removal will be subject to the following provisions:
• The person removing the Personal Information must explain and justify the operational need for the removal in relation to the volume and sensitivity of the Personal Information and ensure that the details of the Personal Information being removed is documented and recorded under a “removal register”;
• The Personal Information to be removed must be strongly encrypted;
• The person removing and using said data should only store the data necessary for their immediate needs and should remove the data as soon as possible once dealt with and such removal should be confirmed by way of a recorder in the removal register;
• To avoid loss of encrypted data‚ or in case of failure of the encryption software‚ an unencrypted copy of the data must be held in a secure environment.
• Where it is necessary to store Personal Information on portable devices such as laptops‚ USB flash drives‚ portable hard drives‚ CDs‚ DVDs‚ or any computer not owned by LIFT ‚ employees and where applicable‚ Operators and persons acting on behalf of LIFT without exception must before storing said Personal Information ensure that the data is encrypted and is kept secure and that appropriate measures and safeguards are in place to prevent unauthorised access‚ disclosure and loss of such Personal Information and points 7.2.1- 7.2.5 will apply mutatis mutandi to said data.
• Where paper or hard copies of Personal Information are removed from LIFT premises‚ employees and where applicable‚ Operators and persons acting on behalf of LIFT without exception must before removing said Personal Information ensure that only that data necessary for the purpose it is being removed is taken‚ is documented in a removal register and is thereafter whilst away from LIFT premises kept safe and secure and that appropriate measures and safeguards are in place to prevent any unauthorised access‚ disclosure and loss of such Personal Information.
• Paper or hard copies of Personal Information and portable electronic devices housing Personal Information should be stored in locked units‚ which should not be left on desks overnight or in view of other employees or third parties.
• Personal Information‚ which is no longer required‚ should be securely archived and retained‚ as per LIFT DOCUMENTATION STANDARDS MANUAL.
• Personal Information must not be disclosed unlawfully to any third party.
• Where an OPERATOR is to process Personal Information on behalf of LIFT‚ such processing will be subject to a written OPERATOR agreement concluded between LIFT and the OPERATOR‚ which agreement is to be substantially in same format as the standard LIFT OPERATOR agreement annexed hereto marked Annexure “B”.
• All losses of Personal Information must be reported to the relevant manager of the department from where the information emanates‚ the departmental Data Protection Coordinator and the Compliance Manager.
• Negligent loss or unauthorised disclosure of Personal Information‚ or failure to report such events‚ may be treated as a disciplinary matter.
• LIFT via its Information Security Officer and IT department will continuously review its security controls and processes to ensure that all Personal Information is secure.
In terms of POPI‚ a Data Subject has the right to:
• Request access to their Personal Information which LIFT holds‚ provided that they follow the “Access to Information Procedure” set out under the LIFT PAIA Manual housed under the LIFT website;
• Ask LIFT to update‚ correct or delete any of its Personal Information‚ which LIFT thereafter has a duty to correct‚ save where LIFT is of the view that the request is incorrect‚ invalid and / or unreasonable;
• Object to LIFT processing their Personal Information‚ which LIFT holds about them‚ by filing a notice of objection;
• Object to LIFT processing their Personal Information‚ which LIFT holds about them‚ by filing a notice of objection.
LIFT has appointed an Information Manager who has been tasked with the primary responsibility for compliance with POPI. All LIFT employees are under a duty to:
• Raise any concerns in respect of the processing of Personal Information with the Compliance Manager;
• Promptly pass on to the Information Manager all data subject access requests and requests from third parties for Personal Information;
• reporting losses or unauthorised disclosures of Personal Information to the Information Manager as soon as such loss or disclosure has been noted; and
• Address any queries or concerns about this Policy and / or compliance with POPI with the Information Manager.
Where any LIFT employee requires a LIFT service provider‚ contractor and/or agents (Operator) to process Personal Information for or on behalf of LIFT‚ such employee shall ensure that prior to such processing a standard LIFT Operator Agreement is concluded with the Operator in respect of such processing.
Any transgression of this Policy will be investigated and may lead to disciplinary action being taken against the offender.