a. Data protection principles
In accordance with the PoPI Act of South Africa (November 2013), the school recognises the importance of maintaining the privacy of staff, pupil and family records and information, and endeavours to follow the 8 principles set forth by the Protection of Personal Information Policy (November 2013), namely:
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Security safeguards
- Data subject participation
b. Data sharing and access request approach
- Public Data Subject Access Request (DSAR) forms are available on our website and at the front office.
- All DSARs are subject to identity verification before requests are approved.
- Teachers’ email addresses and telephone numbers may not be given to parents unless the teacher has specifically decided to make his/her own data public.
- Class lists with children’s names and surnames may not be publicly shared or displayed.
- No telephone numbers, email addresses or any other personal information of teachers, parents or pupils may be given to a third party under any circumstances.
- The teacher reserves the right to either give the learner’s workbook back to the learner at the end of a school year, or to retain the workbooks. Teachers are encouraged to return workbooks to pupils, with any assessment activities that are to remain confidential removed from the workbooks and shredded before the child takes them home.
c. Paper records of Personal Information
- Paper records of personal information are kept in a secured cupboard when not in use. This includes mark books and class lists.
- When the retention period for paper records of personal information expires or copies are no longer necessary, these records are destroyed by shredding.
- Paper records awaiting shredding are kept in a secure paper records box that is only accessible by the Information Officer.
- Once read, all psychology, therapy and remedial specialist reports pertaining to pupils are filed in their learner profiles immediately. Reports may not be left where they can be read or accessed publicly.
- Shredding is carried out weekly on a Friday morning by the Information Officer or an appointed staff member.
d. Requirements for transporting Personal Information
- When paper records of personal information (e.g. learner profiles) need to be transported off school premises, this data is secured in a tamper-proof sealed envelope, with the seal number recorded before transportation.
- All such records are either hand delivered by a member of staff, posted via the South African Post Office, or couriered.
e. Management review procedures
- The Information Officer does a Data Impact Analysis whenever the school:
  - Begins utilizing new administration systems, software or technology that make use of personal information.
  - Participates in a high-risk activity.
  - Processes large amounts of special information.
- The Information Officer will investigate any incident where a data breach seems to have occurred, and data subjects will be informed if their data has been lost, destroyed, or otherwise mishandled, following internal investigation procedures.
f. Retention period for personal information
- Staff data is retained for 4 years after a staff member has resigned or left.
- Student, parent/guardian, next of kin, and designated emergency information is retained for 10 years.
- Personal Information may be retained longer if the school is required to do so by another governmental agency (e.g. SARS).