1. Introduction and purpose

• Compass Medical Waste Services (CMWS) commenced business in 1998 specialising in the containment, collection, treatment and disposal of healthcare risk waste. CMWS is obligated to comply with The Protection of Personal Information Act 4 of 2013.
• This policy sets the standard applicable to the protection of personal information as required by The Protection of Personal Information Act 4 of 2013, as well as the purpose for which such said information is used.
• This policy is applicable to CMWS’ management, all employees and any person/entity/body/individual/company (“the customer” / “supplier”) whose information is supplied to or given to CMWS.

2. External references

• The Protection of Personal Information Act 4 of 2013

3. Definitions

• The Protection of Personal Information (POPI)

4. Personal Information Collected

Section 9 of the POPI Act states that “personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.” CMWS requires the consent of both employee, supplier and customer before collecting and storing personal information.
• Employees must sign a consent – contract clause.
• Suppliers - External service providers (person/entity/body/individual/company) must sign a separate Agreement and Consent Declaration confirming commitment to this policy, including assurance that security measures are in place when personal information is processed.
• CMWS collects and processes customer information pertaining to the customer’s business needs. The type of information depends on the need for which it is collected and will be processed for that purpose only.
Wherever possible CMWS will inform the customer as to the information required and the information deemed optional. Examples of personal information collected include, but is not limited to, the following:
• Identity number, name and surname of the directors.
• Description of the customer’s business, its contact details, telephone and fax numbers and email address.

5. Information collected automatically

When you use our website or online applications, we automatically receive and record information on our server logs from your browser or mobile platform, including your location, IP address, cookie information, and the page you requested. We treat this data as non-personal Information, except where we are compelled to do otherwise by law or legal authority. We only use this data in aggregate form and we may provide this aggregate information to our partners about how our customers, collectively, use the site, so that our partners may also understand how user make use of the site.

6. The usage of personal information

Processing Limitation (sections 9 – 12 of POPI) & Further Processing Limitation (section 15 of POPI): CMWS undertakes to collect personal information in a legal and reasonable way and to process such personal information obtained from customers only for the purpose for which it was initially obtained. Processing of personal information obtained from customers will not be undertaken in an insensitive or incorrect way that can intrude on the privacy of the customer. The customer’s personal information will only be used for the purpose for which it was collected. This may include: • Confirming, verifying and updating the customer’s information.
• For audit and record keeping purposes.
• In connection with legal proceedings.
• Providing services to the customer to render the services requested and to maintain and constantly improve the relationship.
• Provide communication regarding products and services.
• Provide communication in respect of regulatory matters that may affect the customer and to comply with legal and regulatory requirements
• To notify the customer about changes to CMWS’ service
• To respond to the customer’s queries and/or comments
• CMWS will also use the customer’s personal information to comply with legal and regulatory requirements or industry codes to which CMWS subscribes, or which apply to CMWS, or when it is otherwise required by law.
• Where CMWS collects personal information for a specific purpose, CMWS will not keep it for longer than is necessary to fulfil that purpose, unless CMWS is required to keep it for legitimate business or legal reasons. In order to protect information from accidental or malicious destruction, when CMWS deletes information from its services, CMWS may not immediately delete residual copies from its servers or remove information from its backup systems.
• The customer can opt out of receiving communications from CMWS at any time. Any direct marketing communications that CMWS sends the customer will provide the customer with the information and means necessary to opt out.

7. Disclosure of Personal Information

CMWS may disclose the customer’s personal information to CMWS’ business partners who are involved in the delivery of products or services to the customer. CMWS has agreements in place to ensure that they comply with these privacy terms. CMWS may share the customer’s personal information with, and obtain information about, the customer from: Third parties for purposes listed above. • Other companies in the industry where CMWS believes it will enhance the services and products, CMWS can offer the customer, but only when the customer has not objected to such sharing;
• Other third parties from whom the customer has chosen to receive marketing information.
• When CMWS reports for statistical purpose information to comply with legal and regulatory requirements. CMWS may also disclose the customer information:
• When CMWS has a duty or a right to disclose in terms of law or industry codes.
• When CMWS believes it is necessary to protect its rights.

8. Personal Information Security

Security Safeguards (sections 19 - 22 of POPI): CMWS will secure the integrity and confidentiality of personal information in its possession. CMWS will provide the necessary security of data and keep it in accordance with prescribed legislation. CMWS is legally obliged to provide adequate protection for the personal information it holds and prevent unauthorised access and use of personal information. CMWS will, on an on-going basis, continue to review its security controls and related processes to ensure that the customer’s personal information is secure. CMWS will maintain and develop reasonable protective measures against risks such as loss, unauthorised access, destruction, use, alteration or revelation of personal information. CMWS’ security policies and procedures cover:
• Acceptable usage policy.
• Computer and network security.
• Governance and regulatory issues.
• Physical security.
• Retention and disposal of information.
• Secure communications.
• Security in contracting out activities or functions.

9. Data Subject Participation (sections 23 - 25 of POPI)

Employees or suppliers can request certain personal information and may also be required to correct or delete personal information within the specifications of the POPI Act. CMWS undertakes not to request or process information related to race, religion, medical situation, political preference, trade union membership, sexual certitude or criminal records. CMWS will also not process information on juveniles.

10. Information Quality (section 16 of POPI)

CMWS will ensure that accurate and sufficient information of its customers on record and will update this when necessary.

11. Approaches to implementation

• All employees of CMWS must be included in training on this policy and the POPI Act
• This policy must be included in the formal employee induction program

---