Protecting Our Future

STANDARDS OF OPERATION

Cloud based technology is the modus operandi for day-to-day operational deployment and data storage. Data is stored in the Azure Cloud, monitored on a full-time basis by a certified Azure Administrator Associate for network security. Data collection is done primarily using M365 applications and tools.

 

PURPOSE OF THE POLICY

The purpose of the policy is to:

• set the operational and governance framework according to which data is managed by CW Advisory;

• fulfil the compliance requirements of Cyber and Data Protection Act Chapter 12:07 and be influenced by best practices in the GDPR and the South African Protection of Personal Information Act (POPI Act) - POPIA

• serve as a reference point to CW Advisory employees and associates for all matters related to data collection, management and security.

 

POLICY STATEMENT

In undertaking its business purpose, CW Advisory needs to process personal data which relates to staff, suppliers and customers. This policy sets out the standards which must be adhered to when personal data is being processed by, or on behalf of, CW Advisory. In summary CW Advisory’s overall approach is that it respects the rights of individuals and is committed to not invading or endangering their privacy unnecessarily; it considers the legislative requirements to be the minimum that must be achieved and will, wherever possible, adopt and implement standards which go beyond basic compliance with the law.

 

DEFINITIONS

 

Archives are, as the context requires, either physical or electronic recorded information that has been deemed of sufficient administrative, fiscal, legal, historical or informational value as to warrant permanent retention under the relevant CW internal regulation, or a designated facility containing such information objects.

 

Anonymous or anonymized information means information about a person whose identity cannot be determined.

 

Child’s representative means a parent, legal guardian, or other individual legally responsible for the child in question with respect to issue being addressed.

 

Child or children refer to individuals who are under 18 years of age.

 

Consent means, in light of the information provided to the individual data subject, any freely given, specific and informed agreement of a data subject to the processing of their personal data. Consent as defined and used in this Policy is intended to provide the data subject with agency as to the collection and further processing of their data. The consent is often supported by other legitimate bases for data processing such as CW Advisory’s legitimate interest, beneficiary interest, vital interest or contract. Data subject requests for withdrawal or alteration of consent will be reviewed and acted on with due consideration to the best interest of the child and the legitimate bases relied on for the collection and processing of the personal data.

 

Controller means the entity or individual, including a public authority, agency or other body, who, alone or jointly with others, determines the purposes and means of the processing of personal data.

 

Data Protection Impact Assessment (DPIA) means a standardized assessment building on the recognized international data protection principles that assesses the impact of the envisaged processing activities on the protection of personal data and on the rights and freedoms of the data subjects. A DPIA aims to identify mitigating measures, if any, in order to avoid or minimize such impact.

 

Data subject means an individual whose personal data is subject to processing under this Policy, regardless of who provided the personal data or how it was found. For the purpose of the Policy, the term data subject includes, but it is not limited to past, potential or current clients, individual donors, supporters, suppliers, individuals in other CW Advisory associate organizations and personnel.

 

Particularly Sensitive personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union/staff association membership, genetic data and biometric data capable of uniquely identifying a natural person, data concerning health, or data concerning an individual’s sex life or sexual orientation.

 

Personal data means any information relating to an identified or identifiable individual (‘data subject’). An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to

1. an identifier such as a name, an identification number, audiovisual materials, location data, an online identifier,

2.  one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual or

3. assessments of the status and/or specific needs, such as in the context of assistance programmes. The definition of what constitutes personal data is contextual and expanding particularly due to enhancements in technology and methods for identifying individuals.

 

Personal data breach means a breach of security leading to the accidental or unauthorized destruction, loss, alteration, disclosure, access, or unplanned loss of availability of personal data that is unencrypted or can be decrypted.

 

Personal data transfer means any action that makes personal data accessible or otherwise available to another party, other than the data subject, regardless of the media and format (electronically or physically). Movement of data or provision of access to data to other individuals within CW Advisory is not a personal data transfer. Personal data transfer includes transfers within a country as well as data transfers from the country where the data was originally collected to another country or countries.

 

Process or processing means any operation or set of operations performed on personal data, whether by automated means or manually, such as collecting, recording, structuring, consulting, retrieving, using, transferring, disclosing, sharing or otherwise making available, or deleting.

​

Processor means an individual or entity, including a public authority, agency or other body, which processes personal data on behalf of the controller.

 

Pseudonymization means any technical process under which personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable individual.

 

CW Advisory associate means one of the following kinds of entities with which CW Advisory has a contractual relationship or collaboration arrangement: a civil society partner, bilateral or multilateral partner, supplier or vendor, corporate partner, or a sub-contractor of any of these entities. It does not include governments.

 

CW Advisory filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis. This includes databases and other repositories of personal data, as well as archives, administered by or on behalf of CW Advisory.

 

CW Advisory personnel means CW staff, individual consultants and contractors, interns, volunteers, gratis personnel,ambassadors[HP1] , and persons working for CW Advisory through an employment agency or similar arrangement.

 

DATA PROTECTION POLICY GUIDELINES

 

CW Advisory Responsibilities

CW Advisory will produce policies, procedures, guidelines and work instructions which if followed correctly will facilitate the achievement of compliance with the requirements of the relevant legislation by individuals processing personal data in the course of their CW Advisory duties.

​

This policy, and the procedures referred herein, are owned by CW Advisory and it is her/his responsibility to ensure they are kept up to date and communicated appropriately throughout the business.

​

Additional policies relevant to this policy are owned by the departments/teams indicated. The Legal and Compliance Department should be consulted on the contents of those policies to ensure they meet the requirements of the legislation and align with this policy.

​

Specific data handling procedures, guidelines or work instructions may also be produced by other departments, teams or line managers but if they involve the handling of personal data, they must be approved by the Legal and Compliance Department.

 

Responsibilities and consequences of non-compliance

Everyone who processes personal data on behalf of CW Advisory is responsible for ensuring they comply with the requirements of this policy and the relevant legislation.

​

In addition, line managers are required to ensure that the processing undertaken by individuals reporting to them complies with the requirements of this policy and the relevant legislation.

​

In the event any individual considers that the processing they are undertaking does not comply with this policy, or the relevant legislation, they should cease the processing and  raise the issue with their line manager and the Legal and Compliance Department.

If any individual considers that the provisions of this policy, or any of the procedures or work instructions related to it, breach the requirements of the relevant legislation they should report this immediately to the Legal and Compliance Department.

​

Failure to comply with the requirements of this policy or the relevant legislation constitutes a serious breach of the applicable Code of Conduct and may result in action,  which could include dismissal, being taken under the Disciplinary Procedure Policy as  appropriate.

 

Principles related to the processing of personal data

All processing of personal data undertaken by CW Advisory must be in compliance with the principles set out below. Individuals processing personal data on behalf of CW Advisory should ensure they adhere to the Principles in addition to any specific requirements of this policy, procedures or work instructions related to it. Breach of the Principles is a breach of Cyber and Data Protection Act 2021. In the event of any conflict between the Principles and this policy, procedures or work instructions the Principles have precedence and the conflict should be reported to the Legal and Compliance Department.

 

The six GDPR principles apply in conjunction with the Cyber and Data Protection Act require that personal data shall be:

• processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

• collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, not be considered to be incompatible with the initial purposes (‘purpose limitation’);

• adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

• accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

• kept in a form which permits identification of data subjects for no longer than is  necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or  historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

• processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 

Respecting The Rights Of Data Subjects

Everyone who processes personal data on behalf of CW Advisory will respect the privacy rights of the data subject and ensure they do not undertake any processing which breaches the rights granted under the GDPR and Data Protection Act set out below.

The GDPR and/or Data Protection Act, grant certain rights to data subjects and CW Advisory will issue procedures and work instructions to ensure that those rights are respected and are easily exercisable by the data subjects whose personal data it is processing. The rights granted to data subjects are:

• Right of access: The data subject has the right to confirmation of the processing undertaken and to a copy of the personal data being processed. This copy must be provided free of charge and within one calendar month

• Right to rectification: inaccurate data must be corrected without delay and incomplete data completed upon request. Any requests to exercise this right should be forwarded to the Legal and Compliance Department without delay.

• Right to erasure: also known as the ‘right to be forgotten’ this provides that under certain circumstances the data subject can oblige the data controller to erase personal data relating to them without undue delay. Any requests to exercise this right should be forwarded to the Legal and Compliance Department without delay.

Right to restrict processing: under certain circumstances the data subject can object to processing other than storage of their personal data. Any requests to exercise this right should be forwarded to the Legal and Compliance Department without delay.

• Right to data portability: this entitles the data subject to a copy of their personal data in a structured and commonly used machine readable format and allows them to require it to be transmitted to another data controller. CW Advisory must be prepared to honour any such requests which should be forwarded to the Legal and Compliance Department without delay

• Right to object to processing: a data subject may object to processing including the profiling of the data subject, which is undertaken under the public interests or legitimate interests’ bases and can also object to the processing of their data for direct marketing purposes. Any requests to exercise this right should be forwarded without delay to the Data Protection Officer for actioning.

• Right not to be subject to automated individual decision-making: data subjects can object to ‘automated processing’ (which includes profiling) if that processing results in decisions which have a legal effect concerning him or her (or similarly significantly affects them) being made solely on the basis of that processing. At the current time no such processing is undertaken by CW Advisory, if any is anticipated or planned advice should be sought from the Legal and Compliance Department.  

In addition to the above explicit rights the provisions of Articles 13 and 14 of the GDPR, and/or similar clauses in Cyber and Data Protection Act, specify that certain information must be given to a data subject who is the subject of data processing at specific times, this is sometimes referred to as the ‘Right to be informed’ but is in fact an obligation on the data controller. The obligation is met by advising the data subject how their data will be used, for how long, the legal basis for the processing and how it will be kept secure. This information should be given when the data is collected and whenever it is to be used for a purpose which is different to the one for which it was originally collected. Most commonly this will be done by reference to the CW Advisory Privacy Policy and to specific Privacy Statements provided by the Legal and Compliance Department as part of the design of data collection forms. To ensure that sufficient notice is drawn to the Privacy Policy and the requirements of these articles are met advice should be sought from the Legal and Compliance Department before any data collection is undertaken or any personal data is used for new or novel purposes.

 

Records Keeping

Everyone who processes personal data on behalf of CW Advisory shall ensure that sufficient records are kept of their processing to enable CW Advisory to meet the requirements of the Accountability Principle as set out below. Specific work instructions may be issued to provide guidance on the records which should be kept.

In addition to the Data Protection principles set out  above, Article 5 of the GDPR, and/or similar clauses in the Cyber and Data Protection Act, states that the controller shall be responsible for, and be able to demonstrate compliance with, the data protection Principles; this is commonly known as the Accountability Principle.

Compliance with the Accountability Principle requires significant record keeping of all data processing undertaken by CW Advisory, in particular the following records shall be maintained:-

• A cloud based inventory register detailing the personal data assets processed, the nature of the processing, the systems used, the legal basis, the time for which the data will be retained and how it will be disposed of.

• Data Protection Impact Assessments undertaken.

• Privacy Policies and Privacy Statements and the dates and circumstances when they were used.

• Copies of the wording used to obtain consent and records of how and when consent was given by individuals to the processing of their personal data.

• A Data Breach Register

• Records of data protection training and tests relating to it.

• Copies of this policy and the procedures referred to in it and by which compliance with it is ensured, the dates those policies/procedures applied and the reasons why they were withdrawn or amended.

 

Personal Data Breaches

Everyone who processes personal data on behalf of CW Advisory shall ensure they take all appropriate and reasonable precautions to prevent a personal data breach occurring. In the event they become aware of such a breach they will report the matter immediately to the Legal and Compliance Department.

The decision as to whether or not the breach represents a risk to the rights and freedoms of the data subject requires an in-depth knowledge of the issues involved and how personal data could be misused to create such a risk. The individual who discovers the data breach is unlikely to possess sufficient knowledge of these issues to make this judgement and therefore all personal data breaches should be reported without delay to the Legal and Compliance Department who will assess the risks to the data subject(s) and if appropriate report the breach to Microsoft through the ICT department.

The CW Advisory Personal Data Breach Incident Response Process also require ‘near misses’ (i.e. events that could have led to a data breach if it were not for specific intervening action being taken to prevent the breach and/or circumstances which have the potential to lead to a data breach) to be reported so that action can be taken to assess and mitigate the risk of a similar event causing a breach in the future.

 

Data Protection Impact Assessment

Everyone who processes personal data on behalf of CW Advisory shall ensure that they apply ‘privacy by design and default’ practices by, for example, collecting only the personal data required for a specified purpose and ensuring that the data is only accessible to those who need it to carry out their CW Advisory tasks. All projects, processes or procedures which involve the processing of personal data shall first be subject to a screening process to determine whether a Data Protection Impact Assessment (DPIA) is required. If a DPIA is deemed necessary it will be undertaken, and any identified remedial actions implemented, before personal data is processed.

The GDPR introduces the concept of ‘privacy by design and default’. In essence this requires the controller to ensure that all its processing operations are designed to minimise the risk to the privacy of the data subjects. This involves measures such as encryption, data minimisation, pseudonymisation, and role-based access protocols. CW Advisory will ensure that privacy by design and default is enshrined in policies, procedures and work instructions which relate to the processing of personal data.

Processing which uses new technologies, or which because of its nature, scope, context or purposes is likely to result in a high risk to the rights and freedoms of the data subjects is, under the GDPR and the Cyber and Data Protection Act, subject to the requirement to carry out an assessment of the impact of the processing operations on the protection of personal data- a Data Protection Impact Assessment. CW Advisory has Data Protection Impact Assessment Procedures in place which must be adhered to whenever a new data processing operation which involves the collection of personal data, or the use of personal data already collected in a way which is different to that for which it was originally collected, is planned.

 

Transferring Personal Data Outside CW Advisory

Personal data shall only be transferred outside CW Advisory where there is a legitimate business reason for doing so to a recipient who has been subject to due diligence checks and is bound by a contract which, by incorporation of mandatory standard clauses, specifies the purposes for which the data is transferred and restricts the use of the data to those purposes.

CW Advisory may engage with third parties to carry out work for it which will require personal data to be transferred to that third party (e.g. sending a list of customers email addresses to a specialised emailer company to fulfil a marketing campaign). These third parties are known as ‘Data Processors’. CW Advisory will only use Data Processors that are able to satisfy it, and provide guarantees, that they have appropriate organisational and technical measures in place to ensure the data is processed in compliance with the GDPR and Cyber and Data Protection Act , and who have signed a binding contract which specifies the purpose for which the personal data is transferred, restricts the processing to that purpose, specifies the duration of the contract and sets out how the data will be dealt with at the end of the contract. The CW Advisory Legal and Compliance team have drafted standard contract clauses to ensure the requirements of the GDPR and CDPA, are met when contracting with a third party to carry out data processing on behalf of CW Advisory and these clauses must be incorporated into every contract appointing a data processor. Responsibility for incorporating these clauses and carrying out initial and ongoing due diligence checks rests with the managers owning each CW Advisory product/service.

 

Overseas Transfers

Before any data is transferred overseas the Legal and Compliance Department must be notified and their approval to the transfer obtained. If personal data is to be transferred overseas specific measures must be in place to ensure that the rights and freedoms of the data subjects are protected.

The GDPR has three mechanisms by which overseas transfers can be safely made, an adequacy decision, appropriate safeguards or binding corporate rules. Which of these measures is appropriate depends on the nature and circumstances of the transfer and advice should be sought from, and permission granted by, the Legal and Compliance Department before any such transfer is undertaken.

 

Data Protection Training

Everyone who processes personal data on behalf of CW Advisory, including accessing personal data, must complete the mandatory online data protection training session and demonstrate their understanding by successfully completing the accompanying test(s).

In order to ensure compliance with this policy and with the regulatory requirements relating to the processing of personal data, all individuals employed by CW Advisory are required to complete a mandatory internal data protection training session. They are also required to demonstrate their understanding of the contents of the training module and of this policy by successfully completing an online test. The training session and accompanying test should ideally be completed as soon as the individual has access to CW Advisory systems but in any event within two months of the commencement of their employment.

Further refresher training should be undertaken at intervals dependant on the individual’s role but at least once every three years. Additional online training modules may be made available to educate individuals about specific topics covered by this policy, line managers should review these modules and the roles of individuals in their team to determine if any should be a mandatory requirement of an individual’s Personal Development Plan.

 

Applicable Legislation

As a company duly incorporated in accordance with the laws of the Republic of Zimbabwe, CW Advisory remains guided by the Cyber and Data Protection Act Chapter 12:07 and all relevant and applicable laws that may be issued from time to time.

The General Data Protection and Regulations remains a guiding document whose principles and ethos guide our data protection policies.