Personal Information Privacy Policy

Preamble

Against the background of the dream to be an internationally recognised university in Africa, distinguished for engaged scholarship, social responsiveness and an ethic of care, the Council of the North-West University (NWU) has adopted this Policy on 17 June 2021.

Interpretation and application

This Policy must be interpreted and applied in a manner consistent with, but not limited to –

  1. Constitution of the Republic of South Africa, 1996;
  2. Higher Education Act, 101 of 1997;
  3. Protection of Personal Information Act, 4 of 2013 (“POPIA”);
  4. Promotion of Access to Information Act, 2 of 2000 (“PAIA”)’
  5. Statute of the North-West University (“the Statute”)
  6. Kink IV Report on Good Corporate Governance in South Africa;
  7. POPIA Industry Code of conduct: Public Universities (adopted by the Board of Universities South Africa as guidelines on 24 June 2020);
  8. Information Governance Framework of the NWU;
  9. Research Ethics Policy of the NWU; and
  10. all other applicable policies of the NWU.

Definitions

In this policy, unless the context indicates otherwise –

“automated means” refers to processing done by a computer;

“consent” means any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information;

“data subject” means the person to whom the personal information relates, including –

  • prospective students;
  • student applicants;
  • all registered students;
  • exchange students;
  • post-doctoral fellows;
  • alumni;
  • all NWU employees;
  • employment candidates;
  • external members of committees;
  • researchers;
  • research participants;
  • authors;
  • council members;
  • service providers, suppliers, independent contractors;
  • partner organisations;
  • subsidiaries;
  • donors and funders;
  • visitors;
  • members of the public;
  • any other NWU stakeholder, where personal information is collected, processed or disposed of; and
  • any other individual with whom the NWU may interact from time to time, whether or not such person is a natural or juristic person;

“de-identify” in relation to personal information of a data subject means to delete information that –

  1. identifies the data subject;
  2. can be used or manipulated by a reasonably foreseeable method to identify the data subject; or
  3. can be linked by a reasonably foreseeable method or other information that identifies a data subject, and de-identified had a corresponding meaning;

“filing system” refers to a structures set of personal information which is accessible according to specific criteria, regardless of whether it is centralised or decentralised, including anything from a physical file in an alphabetised filing cabinet to multiple inter-related databases that can be accessed from anywhere in the world and can handle complex search queries;

“information classification” means the process of assigning an appropriate level of classification to information to ensure that it receives an adequate level of protection;

“information governance” means the umbrella concept aiming at governing all information management activities that are performed to derive/ensure value from information for the NWU while complying with all regulatory requirements and international best practices;

“information management” entails the activities and organisational functions that are necessary in order to manage, control, and destroy data in any form regardless of their medium, origin and quality;

“information officer” means the vice-chancellor;

“Information Regulator” refers to the Regulator established in terms of section 39 of the POPIA;

“non-automated means” refers to a filing system other than a computer-accessible database;

“NWU employee” means an individual employed by the NWU on any basis, including full-time, part-time and fixed-term;

“operator” means a person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;

“personal information” means personal information as defined in section 1 of the POPIA;

“Policy” means this Personal Information Privacy Policy;

“privacy impact assessment” is a structured approach for the NWU to understand the privacy risks associated with the processing of personal information and take appropriate steps to manage those risks;

“processing” means processing as defined in section 1 of the POPIA;

“special personal information” means special personal information as defined in section 1 of the POPIA;

“student” means a student as defined in paragraph 1 of the Statute;

Policy statement

The Council of the North-West University considers a proper process and framework for the management of the protection of privacy and provision of assurance to be of paramount importance for the good governance and effective management and administration of the North-West University, and therefore it is the policy of the North-West University to –

  1. increase the level of the protection of privacy of information within the NWU by aligning the NWU’s approach to information governance, specifically privacy, with that of the Information Regulator;
  2. establish an environment to ensure the uniform and appropriate implementation of the POPIA to promote good information and technology governance to achieve the NWU’s strategic objectives;
  3. provide for the responsible use of personal information within the NWU.

Purpose

The purpose of this policy is to ensure, inter alia, the following:

  1. Data minimisation – limiting the amount of personal information the NWU collects and retains.
  2. Transparency – being open and honest about what personal information the NWU collects and how it will be used.
  3. Security – protecting the personal information the NWU holds from harm.
  4. Use limitation – ensuring that the NWU uses and discloses personal information only when necessary and lawfully.
  5. Privacy rights – helping the NWU’s data subjects to exercise their privacy rights and maintain control over their personal information.

Scope of application

This policy applies to –

  1. all processing of personal information by “public higher education institutions” as defined in section 1 of the Higher Education Act, 101 of 1997;
  2. all NWU employees and students who access, use or deal with personal information, or handle questions or complaints about personal information in the course of their NWU-related activities;
  3. any individual who discloses personal information to the NWU, whether they are part of the NWU community or any member of the public worldwide;
  4. personal information collected by the NWU in connection with the services it offers, whether it be personal information collected offline or online; and
  5. personal information collected from operators’ websites or platforms.

Roles, responsibilities and accountability

Information Officer

  1. The Information Officer of the NWU is the Vice-Chancellor.
  2. The duties and responsibilities of the information officer must be performed in accordance with section 55 of the POPIA and the designation of deputy information officers and delegation of duties and responsibilities to them must be performed in accordance with section 56 of the POPIA and section 17 of the PAIA.
  3. The information officer must be registered with the Information Regulator.
  4. Deputy information officers may be appointed to assist the information officer with his/her duties.