PAIA & POPIA Manual

Last updated: 08 March 2023

MANUAL: IN TERMS OF SECTION 51 OF THE PROMOTION OF ACCESS TO INFORMATION ACT 2 OF 2000 (PAIA)

READ WITH THE PROTECTION OF PERSONAL INFORMATION ACT 4 OF 2013 (POPIA) FOR BIC SOLUTIONS PROPRIETORY LIMITED

INDEX

1. INTRODUCTION

The Company is a private company, registration number 2014/148595/07.

The Company’s website address is www.bicsolutions.co.za.

The Company offers digital healthcare solutions and business support to businesses across Africa and is an enabler of the medical and associated industries. The Company provides end-to-end access across the entire value chain by using custom-built modular digital solutions, combined with proprietary data, to support innovation, cost savings and a vastly improved user experience. In addition, the Company has world-class, cloud- based solutions for the Life and Health Insurance industries that reduce the cost and increase the speed and accuracy of underwriting and claims processes.

The Company is committed to observe and comply with the directives of the South African Constitution and all applicable national legislation which endorse the key principles of good corporate governance, transparency and accountability.

Section 32 of the South African Constitution, which entrenches the right to access to information and stipulates that everyone has the right to access information held by the government or a Private Body to enforce a culture of transparency and accountability, is carried out by PAIA.

According to Section 51 of PAIA, private organisations, such as the Company are required to create a manual that outlines the minimal standards that must be met for people to gain access to the information that is stored by such an organisation.

This manual constitutes the Company’s POPIA and PAIA Manual. POPIA’s amendments to section 51 of the PAIA served as the basis for compiling this Manual to establish basic standards for the Processing of Personal Information. POPIA encourages the protection of Personal Information that is conducted by both public and private authorities.

In addition, this Manual includes information on the submission of objections to the Processing of Personal Information and deals with the requests to delete or destroy Personal Information or Records in terms of the POPIA.

2. DEFINITIONS

2.1 Client refers to any natural or juristic person that provides services to the Company;
2.2 Company means BIC Solutions (Pty) Ltd, registration number: 2014/148595/07 a private company registered in the Republic of South Africa;
2.3 Conditions for Lawful Processing means the conditions for the lawful processing of Personal Information as fully set out in chapter 3 of POPIA;
2.4 Constitution means the Constitution of the Republic of South Africa, 1996;
2.5 Customer refers to any natural or juristic person that received or receives services from the Company;
2.6 Data Subject has the meaning ascribed thereto in section 1 of POPIA; Data Subject in terms of POPIA includes a juristic person to whom Personal Information relates;
2.7 Guide means the guide compiled in terms of section 10 of PAIA by the Human Rights Commission.
2.8 Information Officer means the BIC Solutions’ Information Officer as referred to in paragraph 5;
2.9 Information Regulator means the Information Regulator established in terms of section 39 of the Protection of Personal Information Act, 2013;
2.10 Manual means this manual prepared in accordance with section 51 of PAIA and regulation 4(1)(c) of the POPIA Regulations;
2.11 Operator has the meaning ascribed thereto in section 1 of POPIA;
2.12 PAIA means the Promotion of Access to Information Act, No. 2 of 2000;
2.13 Personal Information has the meaning ascribed thereto in section 1 of POPIA;
2.14 POPIA means the Protection of Personal Information Act, 2013;
2.15 POPIA Regulations mean the regulations promulgated in terms of section 112(2) of POPIA;
2.16 Private Body has the meaning ascribed thereto in sections 1 of both PAIA and POPIA;
2.17 Processing has the meaning ascribed thereto in section 1 of POPIA;
2.18 Responsible Party has the meaning ascribed thereto in section 1 of POPIA;
2.19 Record has the meaning ascribed thereto in section 1 of PAIA and includes Personal Information;
2.20 Requester has the meaning ascribed thereto in section 1 of PAIA;
2.21 Request for Access has the meaning ascribed thereto in section 1 of PAIA;
2.22 SAHRC is a national institution, the South African Human Rights Commission, established to support constitutional democracy and is committed to promote respect for, observance of and protection of human rights for everyone without fear or favour; and
Capitalised terms used in this Manual have the meanings ascribed thereto in Section 1 of POPIA and PAIA as the context specifically requires, unless otherwise defined herein.

3. PURPOSE OF THE MANUAL

This Manual:
3.1 for the purposes of PAIA –
3.1.1 promotes the right to access to information; and
3.1.2 fosters a culture of transparency and accountability in the Company by giving effect to the right of access to information, and details the procedure to be followed by a Requester and the manner in which a Request for Access to information will be facilitated; and
3.2 for the purposes of POPIA, amongst other things details –
3.2.1 the purpose for which Personal Information may be processed;
3.2.2 a description of the categories of Data Subjects for whom the Company Processes Personal Information;
3.2.3 the categories of Personal Information relating to such Data Subjects; and
3.2.4 the recipients to whom Personal Information may be supplied.
3.3 This Manual aims to comply with the provisions of section 51 of PAIA read with the amending provisions introduced by POPIA.

4. COMPANY DETAILS

The details of the Company are as follows:

• Physical address: 50 Betty Street, Riviera, Pretoria, 0184

Postal address: Same as physical address

5. CONTACT DETAILS OF THE INFORMATION OFFICER

The Information Officer’s contact details are as follows:

• Physical address: 50 Betty Street, Riviera, Pretoria, 0184
• Postal address: Same as physical address
• Information Officer: Willem Burger
• Email address: willieb@bicsolutions.co.za
• Telephone number: +27 (0) 12 001 0020

6. LATEST NOTICE IN TERMS OF SECTION 52(2) REGARDING CATEGORIES OF RECORDS AUTOMATICALLY AVAILABLE (SECTION 51(1)(b)(ii))

At this stage, no notice(s) has/have been published on the categories of Records that are automatically available without a person having to request access in terms of PAIA.

7. THE SECTION 10 GUIDE ON HOW TO USE PAIA

7.1 A Guide has been compiled in terms of Section 10 of PAIA by the SAHRC. It contains information required by a person wishing to exercise any right, contemplated by PAIA. It is available in all the official languages of the Republic of South Africa.

7.2 The Guide was available from the SAHRC prior to 30 June 2021. From 1 July 2021, the Information Regulator assumed the functions of the SAHRC. Accordingly, the above Guide, as updated by the Information Regulator in accordance with POPIA, will be available at the offices of the Information Regulator and on its website.

7.3 For any queries or for the lodging of any complaints where you as the Requester believes that the Company has not adequately dealt with your request, direct all complaints or queries to:

Information Regulator:

The Research and Documentation Department

Physical address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

Postal address: P. O. Box 31533, Braamfontein, Johannesburg, 2017

Telephone number: 010 023 5200

Website: www.inforegulator.org.za

Email (complaints): complaints.IR@justice.gov.za

Email (general enquiries): inforeg@justice.gov.za

8. PLANNED TRANSBORDER FLOWS OF PERSONAL INFORMATION

The Company shall comply with the provisions of section 72 of POPIA which regulates the conditions for transborder flows of Personal Information.

9. GROUNDS FOR REFUSAL

Chapter 4 of PAIA provides circumstances under which a Request for Access to Records may or must be refused. These include:

9.1 mandatory protection of the privacy of a third party who is a natural person, including a deceased person, where such disclosure of Personal Information would be unreasonable;
9.2 mandatory protection of the commercial information of a third party, if the Record contains:
9.2.1 trade secrets of that third party;
9.2.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of that third party;
9.2.3 information disclosed in confidence by a third party to the Company, if the disclosure could put that third party at a disadvantage in negotiations or commercial competition;
9.3 mandatory protection of confidential information of third parties if it is protected in terms of any agreement;
9.4 mandatory protection of the safety of individuals and the protection of property;
9.5 mandatory protection of Records which would be regarded as privileged in legal proceedings;
9.6 the commercial activities of the Company, which may include:
9.6.1 trade secrets of the Company;
9.6.2 financial, commercial, scientific or technical information which disclosure could likely cause harm to the financial or commercial interests of the Company;
9.6.3 information which, if disclosed could put the Company at a disadvantage in negotiations or commercial competition;
9.6.4 a computer program which is owned by the Company, and which is protected by copyright;
9.6.5 the research information of the Company or a third party, if its disclosure would disclose the identity of the Company, the researcher or the subject matter of the research and would place the research at a serious disadvantage.

10. RECORDS THAT CANNOT BE FOUND OR DO NOT EXIST

The Requester will receive notice in this regard from the Information Officer in the form of an affidavit outlining the steps taken to locate the document and, consequently, the inability to locate the document, if the Company is unable to find the Records that the Requester is looking for despite reasonable and diligent search and it believes that the Records are either lost or that they are in its possession but unattainable.

11. REMEDIES AVAILABLE TO THE REQUESTER UPON REFUSAL OF A REQUEST FOR ACCESS IN TERMS OF PAIA

11.1 If a Requester decides to contest the decision denying their request, they must do so in writing to the Information Officer within 20 working days of receiving the decision letter, outlining their grounds for contesting the decision and specifying whether they are contesting the entire finding of fact or decision or a particular portion of it.

11.2 Except with the permission of the Appeal Committee, the Requester (the Appellant) will not be permitted to rely on any grounds of appeal not specifically stated in their written appeal throughout the proceedings of the appeal. Within 180 days of receiving notice of the decision, a Requester may file an application with a court for appropriate remedies in accordance with sections 56(3)(c) and 78 of PAIA.

12. REMEDIES AVAILABLE FOR THE COMPANY

The Company has the right to lay a complaint to the Information Regulator if the information is disclosed contrary to the provisions of PAIA or POPI or if its rights are infringed.

13. KNOW YOUR RIGHTS

You have the right to:
13.1 know who is collecting and Processing your Personal Information;
13.2 be notified if your Personal Information has been accessed or acquired by an unauthorised person;
13.3 request, where necessary, the correction, destruction or deletion of your Personal Information;
13.4 object, on reasonable grounds, to the Processing of your Personal Information;
13.5 object to the Processing of your Personal Information at any time for purposes of direct marketing;
13.6 not to have your Personal Information Processed for purposes of direct marketing by means of unsolicited electronic communications;
13.7 not to subject, under certain circumstances, to a decision which is based solely on the basis of the automated Processing of your Personal Information intended to create a profile;
13.8 submit a complaint to the Information Regulator regarding the alleged interference with the Protection of your Personal Information and to submit a complaint to the Information Regulator in respect of a determination of an adjudication;
13.9 institute civil proceedings regarding any alleged interference with the Protection of your Personal Information.

14. PROCEDURE FOR A REQUEST FOR ACCESS IN TERMS OF PAIA

14.1 The Requester must use the prescribed form (see Annexure A) to make the Request for Access to a Record. This must be made to the Information Officer. This request must be made to the address or electronic mail address of the Information Officer.

14.2 In order for the Information Officer to identify the Record and the Requester, the Requester must include sufficient information on the request form. The type of access needed must further be specified by the Requester. In addition, the person making the request should state whether they want to be informed in another way and provide the information needed to do so.

14.3 The Requester must identify the right that he or she is seeking to exercise or protect and provide an explanation as to why the requested Record is required for the exercise or protection of that right.

14.4 If a request is made on behalf of a person, the Requester must provide sufficient documentation to the Information Officer to demonstrate their authority to do so.

15. PRESCRIBED FEES (SECTION 54)

The following applies to requests (other than personal requests):
15.1 A Requester is required to pay the prescribed fees before a request will be processed in terms of the Regulations made in terms of the Promotion of Access to Information Act in Government Notice R757 of 2021 in Government Gazette 45057 of 27 August 2021.
15.2 Records may be withheld until the fees have been paid.
15.3 The fee structure is available on the website of the South African Human Rights Commission at www.sahrc.org.za.
15.4 Please note that submitting a correctly completed Request for Access form does not provide the Requester with automatic access to the requested Record. Certain limitations may apply if an application to access to a Record fall within a category as specified in section 23(4)(a) of the POPIA read with Part 3 of Chapter 4 of PAIA. Section 9 of PAIA limits the right to access information. Such justifiable limitations include commercial confidentiality, good governance and the protection of Personal Information as prescribed by the Protection of Personal Information Act No. 4 of 2013 (POPIA).

16. DECISION TO GRANT ACCESS TO RECORDS

If the Request for Access has been granted or denied, the Requester will be notified accordingly. If the request is denied, the Requester will be provided with sufficient justification for the denial and informed of their right to appeal the denial of their request to a court (in the case of a PAIA request) or the Information Regulator (in the case of a POPIA request) and informed of the process (including the deadline) for doing so.

17. PROTECTION OF PERSONAL INFORMATION THAT IS PROCESSED BY THE COMPANY

17.1 Chapter 3 of POPIA provides for the minimum Conditions for Lawful Processing of Personal Information by a Responsible Party. These terms cannot be waived unless certain exclusions as stipulated in POPIA apply.

17.2 To perform its commercial and organizational tasks, the Company needs Personal Information pertaining to both natural persons and juristic persons. The way this information is handled and the purpose for which it is processed are decided by the Clients and Customers of the Company in its capacity as Responsible Parties. Therefore, the Company, as an Operator will Process Personal Information for the Responsible Parties in terms of a contract or mandate (without coming under the direct authority of that Responsible Party) and will comply with the following:

17.2.1 The Company will treat Personal Information which comes to its knowledge as confidential and shall not disclose it, unless required by law or during the proper performance of its duties;

17.2.2 The Company will notify the Responsible Party immediately where there are reasonable grounds to believe that the Personal Information of a Data Subject has been accessed or acquired by any unauthorized Person.

17.3 As far as POPIA is concerned, please review the Company’s privacy policy on the Company’s website at: https://bicsolutions.co.za/privacy-policy/.

Click on the links below to below to download and complete the PAIA and POPIA forms if needed.

ANNEXURE A: PAIA FORM 2 – REQUEST FOR ACCESS TO RECORD

ANNEXURE B: POPIA FORM 1 – OBJECTION TO THE PROCESSING OF PERSONAL INFORMATION

ANNEXURE C: POPIA FORM 2 – REQUEST FOR CORRECTION OR DELETION OF PERSONAL INFORMATION