Protection of Personal Information Act (POPI Act) – POPIA

SCHOOL DATA MANAGEMENT POLICY - POPIA

The POPI Act was signed into law on 19 November 2013 and published in the Government Gazette on 26 November 2013.  This Act:

  1. Recognizes that a person’s right to privacy includes protection against unlawful collection, retention, dissemination and use of personal information.
  2. Introduces measures to protect personal information that is processed by public and private bodies.
  3. Prescribes minimum requirements for processing personal information.

On 22 June 2020 the President announced that the majority of the provisions of the Protection of Personal Information Act 4 of 2013 (POPIA) will commence on 1 July 2021.

THE MAIN PURPOSE OF POPI IS TO:
  1. Give effect to everyone’s right to privacy as enshrined in the Constitution.
  2. Facilitate the balance between the right to privacy with other rights, such as the right to access to information.
  3. Safeguard important interests, such as the free flow of information within the Republic and across international borders.
WHAT DOES THIS MEAN FOR St THOMAS AQUINAS

St Thomas Aquinas is an entity that handles personal information for administrative purposes.  In order to comply with POPI, the school needs to:

  1. Plan and allocate resources to lawfully collect, handle and dispose of data;
  2. Analyse our current practices in dealing with personal information;
  3. Draft or review our own data protection policyin line with the new requirements set out in POPI; and
  4. Proactively implement the requirements of POPI to avoid the pressure of meeting the compliance deadline of POPI.
DEFENITIONS: - 1 Personal information:

Information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.

 

2 - DATA SUBJECT:
  • The data to whom personal information relates i.e. a teacher, parent or learner.

 

(POPI Act) – POPIA

Everyone’s right to privacy is enshrined in the Constitution

Learner Support Needs

3 - INFORMATION REGULATOR:

A juristic person.  Subject only to the Constitution and the law.  Must perform its functions in accordance with this Act and the promotion of Access to Information Act.

4 - INFORMATION OFFICER:

Person responsible for ensuring that the organization complies with the POPI Act.  Must be registered with the Information Regulator.

5 - PROCESSING:

Any operation concerning personal information, including collection, storage, modification, dissemination, degradation or destruction. 

Functions of the Information Officer

  • Undertakes duties once the school has registered them with the Information Regulator.
  • Monitor and implement Codes of Conduct issued by the Information Regulator.
  • Encourage the school to comply with POPI.
  • Marketing and advertisements – the school will inform a data subject that information about them is being collected for advertising or marketing purposes.
  • Retention of information – personal information should not be kept longer than necessary for achieving the purpose for which the information was collected. The school must destroy a record of personal information or de-identify it after this period.
  • Obligations under POPI:
  • Collect only relevant information
  • Only collect information for a specific purpose
  • Allow for Data Subject or Regulator to access information
  • Security measures to protect information.

Principles of POPI

There are 8 conditions or guiding principles that St Thomas Aquinas must comply with:

  1. Accountability
  2. Processing limitation
  3. Purpose specification
  4. Further processing limitation
  5. Information quality
  6. Openness
  7. Security safeguards
  8. Data subject participation

Penalties

Schools that do not comply with POPI may be liable to pay a penalty of up to R 10 million.  In their individual capacity, the principal who breach POPI, may be laible for a fine and/or imprisonment for up to 12 months.

6 - SCOPE and PURPOSE OF THIS POLICY

The Saint Thomas Aquinas data management policy applies to assessment records, security, storage and reporting.  The purpose of this policy is to record the details of data management at the school.

7 - ASSESSMENT RECORDS

Assessment information includes physical (examination/test papers/portfolios) and recorded (results) data.  

High School and Primary School examination papers/test papers/portfolio pieces, once written, are stored by individual subject teachers in locked cupboards.  The results are recorded by the examiners on SASPAC (see point 3).  Such recording of results are checked by HODs and verified as correct by each learner when they receive their reports.  Furthermore, progression schedules are stored in an individual EdLab folder, which is secured in locked, unmarked cabinets in the school’s Boardroom and controlled by the Principal’s Personal Assistant.  Such cabinets are not freely accessible to the general public, other members of staff or visitors.If access is needed, a register must be completed by the teacher and the reason stated for access.

All records of marks are also kept by educators in their individual subject/class files, which are monitored by HODs.  

Reports are printed from three central locations and are monitored and controlled by HODs and the Principal’s PA.  No other staff member of learner has access to these reports. 

Once the June examinations for Grades 8 – 11 are moderated and finalized, they are returned to learners for safe-keeping.  Grade 12 June and preliminary examinations are filed in individuals’ portfolios, which are stored by the school at the end of each year for a period of three years.  Grade 12 portfolios for the IEB, are stored for 5 years.

8 - EXTERNAL EXAMINATIONS IEB

The management of external examinations will be guided by the rules and regulations supplied by the body governing the examinations. 

9 - LEARNER DOCUMENTATION

All documentation relating to learners, which includes registration documents, consent forms, parents’ identity documents and proof of residence is treated as confidential.  Details from such documents are recorded on SASPAC and then the documents are kept in locked cabinets.

10 - SASPAC

    SASPAC is used to manage the daily administration tasks of the school.  Records pertaining to:

                Learner and Educator details

                Absentees

                Misdemeanours

                Subjects and marks

                Finances

                Library

                Reporting

                Code of conduct

     

    This system also permits:

                Updating

                Searching

                Browsing

                Collating 

    SASPAC supports up to 20 assessment cycles, with customizable learning area outcomes for each cycle. 

    SASPAC runs on a Microsoft SQL database, utilizing MSDE as the engine.

    The system follows servers and workstation architecture.

    SASPAC is secured through a group and user security policy – access to menus and submenus is defined according to our requirements and the system is secure in that there is a firewall and protection that ensures it is not tampered with, or cannot be accessed by unauthorized persons. 

    As an extra precaution, the system is backed up at the end of each day by the Principal’s PA and there is a UPS that protects the server from power surges and interruptions. 

    Access to the SASPAC system is strictly controlled:  only the Principal, the Principal’s PA and the Deputies have full administration rights. There are various levels of access to SASPAC.  SASPAC is also password protected.

    No personal information is permitted to be shared to any unauthorized personnel.  Access to information is given according to the area that staff members are involved in and for the purpose of liaison with regard to the education and progress of their students.  Otherwise, staff members are unable to have access to or to edit information outside of their sphere of professional contact according to their job description.

    11 - CCTV Cameras

    Currently we have 55 cameras installed all over the school property.  The main    purpose of these cameras is for safety and security.

    CCTV protects St Thomas Aquinas School’s assets against vandalism and theft. It enhances our school security system by providing an appropriate level of             surveillance on school grounds.  The presence of these cameras deters          misconduct and inappropriate behavior and also reassures all learners, staff and    visitors that they are protected on our school grounds.

    The CCTV cameras are used to:

    • Prevent and verify incidents involving criminal behavior; misconduct or inappropriate behavior.
    • Verify other incidents (injuries, loss or damage on school premises).
    • Visual coverage during emergencies.

    The CCTV cameras are NOT:

    • Hidden
    • Located in private areas such as toilets, changing rooms or staff rooms
    • Used to monitor learner or staff work performance

    Location of CCTV cameras in our school:

    Notices are displayed all over the school which alerts people to the presence of   the cameras.

    Access to CCTV footage

    CCTV footage is only accessed for the purposes set out and only by the following people:

    • The principal or nominee, including people explicitly authorized by the principal.
    • Any other people permitted by the law.

    The screensare in the admin building and the Deputy Principal of the High School’s office.

    Showing footage to staff, learners and/or their parents involved in incidents       

    The principal may show specific footage of an incident to those directly involved,            including relevant staff, learners and/or their parents.

    This means that any person on school premises may be captured on CCTV          footage of an incident that the principal may subsequently show to staff, learners and/or their parents.

    The school cannot give copies of CCTV footage to staff, learners, parents or any other parties.  Permission must be granted from the Information Regulator to       release these copies.

    Managing and securing the CCTV system

    The principal or their nominee is responsible for managing and securing the CCTV system including:

    • Operation of the CCTV system and ensuring that it complies with this policy.
    • Considering the appropriate location and use of cameras and method for storing CCTV footage
    • Maintaining and upgrading cameras when required.

    Storage of footage

    CCTV footage is kept for no more than 31 days.  If St Thomas Aquinas School has not used CCTV footage in any of the ways set out above and there has been no request to view or access footage during this period, the footage is deleted.

    Where CCTV footage has been used to verify an incident or where it is required to be retained for legal reasons, our school will manage and securely retain the footage in accordance with the POPI Act.

    12 - SCHOOL CALENDAR

    In order that an updated record is kept of the school’s calendar and in order to prevent clashes, the following is to take place:

    • A Master Calendar (MC) will be kept by one person who will be referred to as the Calendar Co-ordinator (CC).
    • All critical (those that affect transport, venues, many staff/students…) calendar dates must be forwarded to the CC who will update the MC.
    • When information is received by the CC and the booking clashes with an original booking (OB) the following will occur:
    1. The CC will return the information to the person who is attempting to make the second booking (SB) that is clashing.
    2. SB must discuss the booking with OB and a decision is to be made regarding the way forward.
    3. If there is a change/addition that needs to be made to the MC this must be relayed to the CC in writing and be signed by the OB and SB.
    4. The OB and SB are responsible for sending a written advice to anyone who is affected by the changes to the booking/calendar.
    • In the event that the OB and SB are unable to agree, they will make an appointment with the principal who will make the final decision regarding the Master Calendar booking.
    • The CC will forward an updated MC to all management regularly.
    • It is imperative that the Master Calendar is consulted when the sports whiteboard (near reception) is updated.
    • Such updates of the sports whiteboard should take place each Friday afternoon for the week following.
    • Any changes written on the sport whiteboard after the Friday should be written in red in order that such changes are immediately obvious.