The North-West University(NWU) is strongly committed to protecting personal information/data. This privacy statement describes why and how we collect and use personal information and provide information about individuals’ rights in relation to personal information. It applies to all personal information provided to the University, both by individuals themselves and by other stakeholders. The University may use personal information provided to for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.
As used in this privacy statement “NWU”, “us”, “we” refer to the North-West University and/or anyone of its members that might process personal information of data subjects.
In this privacy statement, we refer to information about any data subject or information defined as personal data or personal information. We also collectively refer to handling, collecting, protecting or storing personal information as processing such personal information.
“data subject” means the person to whom personal information relates. Data subjects may include, but is not limited to:
- Prospective students
- student applicants
- all registered students
- post-doctoral fellows
- employment candidates
- all NWU staff members
- external members of committees
- research participants
- council members
- service providers, suppliers, independent contractors
- partner organisations
- donors and funders
- members of the public
- any other NWU stakeholder, where personal information is collected, processed or disposed
- any other individual with whom the NWU my interact from time to time, whether or not such person is a natural or juristic person.
“personal information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, juristic person, including, but not limited to:
- information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical mental health, well-being, disability, religion, conscience, belief , culture, language and birth of the person;
- Information relating to the education or the medical, financial, criminal or employment history of the person;
- any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other assignment to the person ;
- any biometric information of the person ;
- the personal opinions, views or preferences of the person ;
- correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence ;
- the views or opinions of another individual about the person ; and
- the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
Our legal grounds for processing personal information
Legislation may require the University to set out in this privacy statement the legal grounds on which we rely in order to process personal information. In such cases, the University rely on one or more of the following processing conditions:
- Our legitimate interests in the effective delivery of information and services to all stakeholders and the effective and lawful operation of our business and the legitimate interest of our consumers in receiving professional services from us (provided these do not interfere with any rights of the data subjects);
- Our legitimate interests in developing and improving our business, services and offering;
- To satisfy any requirement of law, regulation or professional body to which we are a member;
- To perform our obligations under a contractual arrangement/agreement with all stakeholders; or
- Where no other processing condition is available, if the data subject have agreed to us processing his/her personal information for the relevant purpose.
Processing of personal information at the NWU
The types of personal information the NWU will typically collect and maintain for its purposes can be accessed from the personal information inventory published on the University website. This inventory may be updated from time to time.
How does the University use your personal information?
The NWU collects personal information only for specific, explicitly defined and lawful purposes related to an activity or function performed by the NWU.
You, as the data subject, will be made aware of this purpose.
The NWU will inform the data subject of the following :
- Where personal information is collected from
- Where personal information is not collected from
- The source of the personal information collected
- The purpose of collecting the personal information
- Whether the collection is voluntary or mandatory
- What happens if the data subject does not provide their personal information?
- Laws that allow data collection
- When it is intended to send personal information to a third party.
The NWU will use your personal information only for the purposes for which it was collected and agreed upon. In addition, when necessary your personal information may be retained for legal or research purposes.
Disclosure/transfer of information
The NWU will take all reasonable steps to ensure that personal information is not disclosed to any third parties, except in certain allowed circumstances. The NWU have arrangements in place to ensure that the University comply with the privacy requirements as informed by the Protection of Personal Information Act.
Cross border transfer of personal information
If the University process any personal information, this personal information may be transferred to and stored outside the Republic of South Africa only when:
- the other country provides an adequate level of protection for your personal information; and/or
- under an agreement which satisfy all the requirements for the transfer of personal information outside the borders of the Republic of South Africa.
Transfer of personal information to third party providers
The University may transfer or disclose personal information we process to third party contractors, subcontractors, and/or their subsidiaries and affiliates under certain allowed circumstances.
The servers powering and facilitating our IT infrastructure might be located in secure data centres around the world, and personal information might be stored on any one of them.
Third party service providers may use their own third-party subcontractors that have access to personal information. It is the University’s policy to use only third party service providers that are bound to maintain appropriate levels of security and confidentiality to process personal information only as instructed by the University, and to flow the same obligations down to their sub processors.
The University may disclose personal information under the following circumstances:
- With professional advisers, for example, law firms, as necessary to establish, exercise or defend our legal rights and obtain advice in connection with the running of our business. Personal information may be shared with these advisers as necessary in connection with the services they have engaged to provide;
- When explicitly requested by the data subject ;
- To law enforcement, regulatory and other government agencies and to professional bodies, as required by and/or in accordance with applicable legislation or regulation. The University may also review and use personal information to determine whether disclosure is required or permitted.
- Where the University have a duty or a right to disclose in terms of any legislation and/or industry codes;
- Whether University believe it is necessary to protect our rights;
- If required for any operational and/or legal processes.
The University is obliged to provide adequate protection for the personal information we hold and to stop unauthorised access and use of personal information. The University will implement generally accepted standards of technology and operational security in order to protect personal information from loss, misuse, alteration or destruction. Only authorised persons are provided access to personal information, such individuals have agreed to maintain the confidentiality of this personal information.
Although we use appropriate security measures once we have received personal information , the transmission of information over the internet (including by email) is never completely secure. The University endeavour to protect personal information but cannot guarantee the security of information transmitted to or by us.
The University will on an ongoing basis, continue to review all security controls and related processes to ensure that all data subject’s personal information remains secure.
NWU security policies and procedures cover :
- Physical security;
- Computer network security;
- Access to personal information;
- Secure communications;
- Security in contracting our activities or functions;
- Retention and disposal of information;
- Acceptable use of personal information;
- Governance and regulatory issues;
- Monetary access and usage of personal information;
- Investigating and reacting to security incidents.
When the University contract with third parties, we impose appropriate security, privacy and confidentiality obligations on these parties to ensure that personal information that we remain responsible for, is kept secure.
The University will ensure that anyone to whom we pass personal information agree to treat this personal information with the same level of protection as we are obliged to.
The rights of the data subject
All data subjects may have certain rights under legislation in relation to the personal information we hold. Data subjects have a legal right to:
- Obtain confirmation as to whether the University process personal information about him/her, receive a copy of his/her personal information and obtain certain other information about how and why the University process personal information;
- Request for personal information to be amended or rectified where it is inaccurate (e.g., change of address) and to have incomplete personal information completed.
The right to delete personal information processing in the following cases:
- The personal information is no longer necessary in relation to the purpose for which it was collected and processed;
- If the data subject withdraws consent and the University have no other lawful basis for processing the personal information;
- Our legal ground for processing is that the processing is necessary for legitimate interest pursued by us or a third party, the data subject objects to the processing and the University do not have overriding legitimate grounds;
- The data subject objects to processing for direct marketing purposes;
- Personal information has been unlawfully processed or obtained; or
- Personal information about the data subject must be erased to comply with a legal obligation to which we are subject.
The right to restrict personal information processing in the following cases:
- For a period enabling the University to verify the accuracy of personal information where a data subject contested the accuracy of the personal information;
- Personal information has been unlawfully processed or obtained and the data subject request restriction of processing instead of deletion;
- Personal information is no longer necessary in relation to the purposes for which it was collected and processed but the personal information is required by the data subject to establish, exercise or defend legal claims; or
- For a period enabling the University to verify whether the legitimate grounds relied on by us override the data subject interest where the data subject objected to processing based on it being necessary for the pursuit of a legitimate interest identified by the University.
The right to object to the processing of personal information in the following cases:
- The University’s legal ground for processing is that the processing is necessary for a legitimate interest pursued by us or a third party; or
- Processing is for direct marketing purposes.
The right to data portability
- The right to receive personal information provided to the University and the right to send that information to another organisation (or ask the University to do so, if technically feasible) where our lawful basis for processing the personal information is consent or necessity for the performance of our contract with the data subject and the processing is carried out by automated means.
The right to withdraw consent
- Where the University process personal information based on consent, individuals have a right to withdraw consent at any time. The University do not generally process personal information based on consent as we can usually rely on another legal justification.
Changes to this privacy statement
This privacy statement was last updated on 2 December 2020.
The University may update this privacy statement at any time by publishing an updated version on the University’s website. When changes are made to this privacy statement the University will amend the revision date on the website as well as in the privacy statement. The amended privacy statement will apply from that revision date. Therefore, we encourage all data subjects to review our privacy statement periodically to be informed about how we are protecting personal information.
Should you have any inquiries about this notice, need further information about our privacy practises, wish to withdraw consent, exercise preferences or access or correct your personal information, please contact us at the numbers or addresses listed on our website.