PERSONAL INFORMATION SHARING POLICY
- This Personal Information Sharing Policy (the policy) applies to all staff working for TATA AFRICA which includes all permanent and temporary staff, contractors, and agency workers who are subject to the conditions and scope of this policy. This policy is in addition to other requirements which may be necessary for specific operations and it is your responsibility to familiarise yourself with this policy.
- “Personal information” means any information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. Personal information includes, for example, names and addresses, e-mail addresses, recruitment details, financial history and the like. It also includes opinions about individuals as well as facts and also applies to corporate contacts.
- “Special personal information” is information such as religious or philosophical beliefs, race or ethnic origin, trade union membership, political opinions, health, sexual life or criminal behaviour.
- Purpose definition and limitation
- Personal information can only be collected and further processed for lawful, specific and explicitly defined purposes related to a function or activity of TATA AFRICA.
- After personal information has been collected by TATA AFRICA it cannot be processed for purposes which are incompatible with the original ones.
- For example, this means that personal information processed by the HR department for HR purposes will likely not be able to be lawfully processed by the marketing department for marketing purposes.
- Personal information to be kept confidential
- TATA AFRICA must keep personal information confidential and safe from undue disclosures.
- That means that sharing personal information with an external third party is an exception to the confidentiality rule, and must be analysed in detail to ensure lawfulness, notably considering:
- Whether the purpose for which the external third party requires the personal information is compatible with the original purpose for which the information was collected;
- Whether sharing the personal information with the external third party will constitute a transborder flow of information; and
- Whether sharing the personal information with the external third party will likely put the information at risk due to the poor security measures the third party has in place.
- PROCEDURES TO FOLLOW
- If you receive a request for personal information you must: (a) notify the IO, who will guide you or, as the case may be, lead the procedures; and (b) follow the flowchart attached as Appendix A.
- If you are required to share personal information, you must consider whether the personal information is to be shared internally (i.e. within TATA AFRICA) or externally (i.e. with an agent, a public authority, an unconnected third party or other entities within TATA AFRICA). When you are certain of the type of request you received, please check the flowchart for guidance on the specific steps to take.
- If you are unsure which category the personal information sharing falls into, please contact the IO for further advice.
- You should document at all times any questions asked, answers given and authorisation gained by any parties involved when dealing with a personal information sharing request.
- Where you are asked to share personal information with unconnected third parties / public authorities, the IO will handle the process himself/herself.
- CLIENT INFORMATION
- CONSEQUENCES OF NON-COMPLIANCE
- POLICY REVISION
- CONTACT DETAILS OF THE IO
TATA AFRICA takes the protection of personal information seriously and aims to comply with POPIA.
Personal information relating to clients should not be shared with third parties without seeking further guidance from the IO.
It is essential that all staff comply with all relevant parts of this policy. Any failure to comply with this policy could have serious consequences for TATA AFRICA and its employees. Failure to comply may lead to: disciplinary action, including summary dismissal (without notice or a payment in lieu of notice) for serious or repeated breaches; civil or criminal proceedings; and/or personal liability for those responsible.
This policy has been reviewed and approved by the IO, and is subject to change without prior notice.