Data Protection Policy

VAZO Foundation NPC's comprehensive framework for ensuring lawful, secure, and transparent processing of personal information in compliance with POPIA and PAIA.

Last Updated: January 2025

Information Officer Contact

Sebastian Hendricks

Director of Digital Strategy & Systems

Email: privacy@vazofoundations.org

Phone: 0878222686

Key Responsibilities

  • Overall accountability for POPIA and PAIA compliance
  • Ensuring data protection policies are implemented
  • Handling access to information requests
  • Reporting to the Information Regulator

1. Purpose

The purpose of this Data Protection Policy is to establish a comprehensive framework for ensuring the lawful, secure, and transparent processing of personal information in line with the Protection of Personal Information Act (POPIA) and the Promotion of Access to Information Act (PAIA).

This policy ensures that VAZO Foundation NPC maintains the highest standards of data protection while fulfilling our mission of youth empowerment and child protection in Cape Town communities.

Policy Objectives:

  • Ensure full compliance with POPIA and PAIA requirements
  • Protect the privacy rights of all data subjects
  • Establish clear accountability and governance structures
  • Minimize risks associated with data processing
  • Maintain transparency in our data handling practices

2. Scope

This policy applies to all individuals and entities who process or have access to personal and business information collected, stored, or processed by VAZO Foundation NPC.

Covered Personnel

  • All directors and board members
  • Full-time and part-time employees
  • Volunteers and mentors
  • Contractors and consultants
  • Interns and temporary staff
  • Partner organization representatives

Data Categories Covered

  • Program participant information
  • Volunteer and staff records
  • Child protection case files
  • Donor and partner data
  • Website and digital platform data
  • Financial and operational records

Geographic Scope:

This policy applies to all data processing activities conducted within South Africa and any cross-border data transfers involving VAZO Foundation NPC operations.

3. Responsibilities

Information Officer (IO)

Position: Director of Digital Strategy & Systems

Current IO: Sebastian Hendricks

📧 privacy@vazofoundations.org | 📞 0878222686

Key Responsibilities:

  • Overall accountability for POPIA and PAIA compliance
  • Ensuring data protection policies are implemented and maintained
  • Handling access to information requests
  • Reporting to the Information Regulator as required
  • Appointing and overseeing Deputy Information Officers

Deputy Information Officers (DIOs)

  • Assist the IO in compliance activities
  • Handle day-to-day data protection queries
  • Conduct privacy impact assessments
  • Monitor compliance within their departments
  • Must be registered with the Information Regulator

All Staff and Volunteers

  • Follow this policy and related procedures
  • Complete mandatory data protection training
  • Report suspected data breaches immediately
  • Maintain confidentiality of personal information
  • Only access data necessary for their role

Management Accountability

Directors and senior management are ultimately accountable for ensuring compliance and must provide adequate resources, training, and support for data protection activities.

4. Principles of Data Protection

We commit to processing personal information in accordance with POPIA's eight conditions for lawful processing:

1. Accountability

Information Officer and Deputy Information Officers ensure compliance and can demonstrate adherence to POPIA principles.

2. Processing Limitation

Information is processed lawfully, reasonably, and minimally, with appropriate consent or legal basis.

3. Purpose Specification

Information is collected for specific, explicitly defined, and lawful purposes related to our youth empowerment mission.

4. Further Processing Limitation

Further use of data is compatible with the initial purpose or has additional lawful basis.

5. Information Quality

Data is complete, accurate, not misleading, and updated where necessary for the purpose.

6. Openness

Individuals are informed about data collection, usage, and their rights through clear privacy notices.

7. Security Safeguards

Information is protected against unauthorized access, loss, damage, or destruction through appropriate technical and organizational measures.

8. Data Subject Participation

Individuals may request access to, correction of, or deletion of their personal information.

5. PAIA Compliance

We maintain full compliance with the Promotion of Access to Information Act (PAIA) through the following mechanisms:

Annual Reporting

  • Submit PAIA Annual Report to the Information Regulator
  • Report on access requests received and processed
  • Document any appeals or complaints
  • Track compliance metrics and improvements

PAIA Manual

  • Maintain comprehensive PAIA manual
  • Make manual available to the public
  • Update manual annually or as needed
  • Include clear request procedures

Self-Assessment

  • Complete PAIA Self-Assessment Tool via BizPortal
  • Evaluate compliance gaps and improvements
  • Implement corrective actions as needed
  • Document assessment results

Access Request Processing

  • Process requests within 30 days
  • Apply appropriate exemptions where applicable
  • Maintain detailed request logs
  • Provide clear reasons for any refusals

6. Data Security Measures

We implement comprehensive technical and administrative safeguards to protect personal information:

Technical Safeguards

Secure Digital Storage

Encrypted databases and secure cloud storage

Access Controls

Role-based permissions and multi-factor authentication

Data Encryption

End-to-end encryption for sensitive data

Network Security

Firewalls, intrusion detection, and secure connections

Administrative Safeguards

Staff Training

Regular data protection and security awareness training

Internal Audits

Regular compliance assessments and process reviews

Incident Response

Comprehensive breach response and recovery procedures

Vendor Management

Due diligence and contracts for third-party processors

7. Reporting & Monitoring

Information Officer Responsibilities

  • Ensure all required reports are submitted to the Information Regulator
  • Monitor compliance across all departments and programs
  • Coordinate with external auditors and regulators
  • Maintain comprehensive compliance documentation

Incident Reporting

  • All staff must immediately report suspected data breaches to the Information Officer
  • Breach notification to authorities within 72 hours as required
  • Detailed incident logs and corrective action documentation
  • Regular incident trend analysis and prevention measures

Compliance Training

  • Mandatory POPIA training for all new staff and volunteers
  • Annual refresher training and updates
  • Specialized training for high-risk roles
  • Training completion tracking and certification

Performance Monitoring

  • Regular compliance audits and assessments
  • Key performance indicators for data protection
  • Continuous improvement initiatives
  • Stakeholder feedback and complaint resolution

Emergency Contact Procedures

For urgent data protection incidents or breaches:

📧 databreach@vazofoundations.org | 📞 0878222686 (24/7 availability)

8. Enforcement

Non-compliance with this policy may result in serious consequences for individuals and the organization:

Individual Consequences

  • Verbal or written warnings
  • Mandatory additional training
  • Suspension of access privileges
  • Disciplinary action up to termination
  • Personal liability for damages
  • Potential criminal charges for serious breaches

Organizational Risks

  • Regulatory fines and penalties
  • Reputational damage and loss of trust
  • Legal action from affected individuals
  • Loss of funding and partnerships
  • Operational disruption and costs
  • Regulatory sanctions and oversight

Progressive Discipline Approach

We follow a progressive discipline approach, considering factors such as:

  • Severity and impact of the violation
  • Intent and circumstances surrounding the incident
  • Previous compliance history
  • Cooperation with investigation and remediation
  • Potential for rehabilitation and improvement

9. Review and Updates

This policy is reviewed and updated regularly to ensure continued effectiveness and compliance:

Regular Review Schedule

  • Annual comprehensive policy review
  • Quarterly compliance assessment
  • Monthly incident and trend analysis
  • Ad-hoc reviews following significant incidents

Update Triggers

  • Changes in POPIA or PAIA legislation
  • New regulatory guidance or requirements
  • Organizational structure or process changes
  • Technology system updates or implementations

Stakeholder Involvement

Policy reviews involve input from directors, department heads, the Information Officer, legal advisors, and relevant external experts to ensure comprehensive coverage and practical implementation.

Contact Information

For questions about this policy, compliance concerns, or data protection matters, contact:

Information Officer

Sebastian Hendricks

Director of Digital Strategy & Systems

📧 privacy@vazofoundations.org

📞 0878222686

📍 10a Flamingo Way, Pelican Park, Cape Town

General Inquiries

📧 info@vazofoundations.org

📞 0878222686

🌐 www.vazofoundations.org

Emergency Data Breach Reporting

📧 databreach@vazofoundations.org | Available 24/7 for urgent incidents

Committed to Data Protection Excellence

This policy reflects our unwavering commitment to protecting personal information while fulfilling our mission of youth empowerment and community safety.