ARTICLE 1. PREAMBLE
1.1 With the introduction of the Protection of Personal Information Act No 4 of 2013, all organisations processing personal information by automated means need to have an explicit policy to govern the process. As Cycling South Africa (CyclingSA) has implemented an online registration process inclusive of membership, licensing and event management which includes processing and holding personal information, POPI is applicable for our work.
1.2. Therefore, in line with the POPI Act, Cycling SA commits to:
1.2.1. give effect to the constitutional right to privacy, by safeguarding personal information processed by Cycling SA, subject to justifiable limitations that are aimed at:
18.104.22.168. balancing the right to privacy against other rights, particularly the right of access to information; and
22.214.171.124. protecting important interests, including the free flow of information within SA and across international borders;
1.2.2. regulate the manner in which personal information may be processed, by establishing conditions, in harmony with international standards, that prescribe the minimum threshold requirements for the lawful processing of personal information;
1.2.3. provide persons with rights and remedies to protect their personal information from processing that is not in accordance with this Act; and
1.2.4. establish voluntary and compulsory measures, in line with the Act, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
1.3. Some of the obligations under POPI are to:
1.3.1. collect only information required for a specific purpose;
1.3.2. apply reasonable security measures to protect it;
1.3.3. ensure it is relevant and up to date;
1.3.4. only hold as much information as required, and only for as long as required;
1.3.5. allow the subject of the information to see it upon request and to correct it.
ARTICLE 2. PURPOSE
Cycling SA holds personal information in relation to registration of members and on specific officials including club, regional, provincial administrators as well as coaches, team management, riders and officials.
ARTICLE 3. SCOPE
3.1. This policy applies to any person who is, or has been, any of the following with respect to Cycling SA:
3.1.1. Employee or former employee;
3.1.3. Board member;
3.1.4. Volunteer forming part of any panel, communication group, commission, committee, or forum of CyclingSA or any of its affiliated provincial, regional or associated members.
ARTICLE 4. DEFINITIONS
4.1. Personal information is any information relating to an identifiable, living natural person or juristic person (e.g. companies, closed corporations etc.) and includes, but is not limited to:
4.1.1. information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
4.1.2. information relating to the education or the medical, financial, criminal or employment history of the person;
4.1.3. any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
4.1.4. the biometric information of the person;
4.1.5. the personal opinions, views or preferences of the person;
4.1.6. correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
4.1.7. the views or opinions of another individual about the person; and
4.1.8. the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.
4.2. Processing is any operation or activity or any set of operations whether or not by automatic means, concerning personal information, including:
4.2.1. the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
4.2.2. dissemination by means of transmission, distribution or making available in any other form; or
4.2.3. merging, linking, as well as restriction, degradation, erasure or destruction of information.
ARTICLE 5. RIGHTS OF INDIVIDUALS WHOSE DATA CYCLING SA REQUESTS OR HOLDS
5.1. As part of the process, all such individuals registering have been notified that information is being collected by virtue of the individual inputting their data which is protected by the individual accessing the database using a password they select. It is that individual’s responsibility to:
5.1.1. understand that by submitting their data, they consent to their data being held by Cycling SA, such consent may be withdrawn at any time with consequences including not being able to enter certain events
5.1.2. keep the password confidential
5.1.3. change the password if they become aware of a possibility that it has been compromised
5.1.4. ensure that they are 18 years or older or if not, for the data to be inputted by a person legally entitled/competent to do so (e.g. guardian, parent)
5.1.5. give permission for Cycling SA to hold and process information related to a minor for whom they have a legal responsibility by entering the minor’s information
5.1.6. ensure that the data inputted are correct at all times
5.1.7. upon retirement or resignation from cycling, to request Cycling SA to delete the data
5.1.8. contact the Cycling SA office about questions or concerns at any time and if not satisfied, to submit a complaint to the Regulator as set out in the POPI Act
ARTICLE 6. ACCESS
6.1. Procedure for access to personal information will be handled in compliance with the Promotion of Access to Information Act 2 of 2000 (PAIA Act).
6.2. A limited number of Cycling SA employees and other persons authorised by Cycling SA and the service provider, if any, providing the database may have access to this information.
6.3. All such persons are required to sign a confidentiality agreement before being given access to data.
ARTICLE 7 USE OF INFORMATION (INCLUDING PHOTOGRAPHS)
7.1. The information provided will only be used in Cycling SA’s normal business may include:
7.1.1. providing information to the Department of Sports, Arts and Culture of South Africa, and prospective sponsors for statistical purposes (mainly demographic information submitted without names).
7.1.2. providing information to the Union Cycliste Internationale (UCI), Confederation of African Cycling (CAC) and the SA Sports Confederation and Olympic Committee (SASCOC) for the purposes of event entries provided that they are subject to privacy requirements at least as stringent as the POPI Act.
7.1.3. sending out email correspondence and newsletters
7.1.4. issuing information to the media related to the individual’s squash profile
7.1.5. providing information for the purpose of research (submitted without names)
7.2. Information may be released to the SA authorities if so, required by law or subpoena.
7.3. Information shall not be released for direct marketing purposes unless the individual concerned grants specific permission.
7.4. The individual may wish to release information from their data for the purposes of company incentives.
ARTICLE 8. SECURITY
8.1. Cycling SA is responsible to ensure that the appointed service provider keeps all data secure and private.
8.2. Cycling SA will work with the service provider to inform the individual by email if there is a suspicion of unauthorised access to the individual’s data and take immediate steps to reinforce security and privacy.
8.3. The service provider is responsible to provide Cycling SA with the results of regular vulnerability and penetration tests and that it has adequate insurance to cover its cyber-security obligations.
ARTICLE 9. RETENTION OF INFORMATION
9.1. After being notified of an individual’s retirement or resignation, Cycling SA may keep the demographic and performance related information, unless otherwise agreed, for statistical purposes. No information about name and contact information will be retained.
9.2. Where Cycling SA cancels its contract with a service provider holding private information, Cycling SA is responsible to ensure that the service provider deletes all Cycling SA information from all its servers once it has transferred all relevant information to Cycling SA the format required by Cycling SA.
ARTICLE 10. FEES
10.1. Cycling SA shall establish a fee in respect of costs associated with data protection from time to time if required. This fee will be established in terms of Cycling SA’s financial policies.
ARTICLE 11. REGISTRATION
11.1. At the appropriate time, CYCLINGSA shall:
11.1.1. register with the appointed Regulator that it holds and processes private information;
11.1.2. appoint an information officer and deputy information officer/s with the responsibilities set out in sections 55 and 56 of the POPI Act;
11.1.3. appoint a responsible party.
ARTICLE 12. CONTRAVENTION OF POLICY AND REPORTING
12.1.1. Any breach of this policy or accompanying regulations either through a cyber-security breach of any sort or by an individual with access to restricted data should be reported immediately to the Secretary General of Cycling SA who shall to notify the Board and the Regulator with all available information to support an investigation.
12.1.2. In the case of an individual/s with access to private data allegedly breaching the policy or regulations:
12.1.3. an internal investigation by an independent panel appointed by the Compliance and Advisory board shall be initiated by the Secretary General;
12.1.4. if found in breach, the individual may be subject to action and sanction under Cycling SA’s Disciplinary Rules and Regulations; and
12.1.5. the matter will be reported to the Regulator simultaneously for further investigation.
ARTICLE 13. AMENDMENT OF THIS POLICY
This policy shall be reviewed in 2023 or sooner if changes to legislation require a review.
ARTICLE 14. EFFECTIVE DATE
The policy is effective from 1 July 2021.