This policy should be read in conjunction with the StudentPlus/W3 Technologies Security Statement and POPI Page.
We are committed to helping you uphold your own and your clients’ rights over their personal information, whilst also making your obligations in meeting the requirements under data protection legislation as simple as possible.
Our commitment to protecting privacy is guided by our information security principles. These are as follows:
Processing Limitation – We will only process the data you have provided to us, for the purpose for which it was shared.
Accuracy – We will endeavour to make it as easy as possible for you to keep your information up to date.
Data Minimisation – If information you shared with us is no longer necessary to fulfil our contractual obligations, we shall ensure that any data which isn’t erased is in a non-identifiable form.
Openness – We pride ourselves on exceptional customer service, helping make your life easier, whilst also guarding your interests. Therefore, should you require further explanation on a subject, we will happily clarify our role and involvement with you.
Consent – If for any reason we should need to undertake further processing of information provided by you, we shall not do so without your consent, unless legally obliged.
Confidentiality – Fundamentally, we want to give you peace of mind, so that you can share information with StudentPlus/W3 Technologies with confidence! This will mean you can focus on the excellent service we provide.
Collection of Personal Information
You, the studio, collect personal information from your clients/students and provide this information in the StudentPlus Administration system, so that you can easily manage the administration and billing of your dance studio. It is therefore presumed that in adding this information to the StudentPlus system, you are authorised to do so.
Some of the personal information required is personally identifiable, such as an email address, name, home address or telephone number. Other non-identifiable information is also provided, such as anonymous demographic information, which is not unique, such as a person’s postal code, age, gender, preferences, interests and favourites.
Information about your computer hardware and software is automatically collected by StudentPlus; this information can include: your IP address, browser type, domain names, access times and referring website addresses. StudentPlus uses this information for the operation of the System, to maintain quality of the System, and to provide general statistics regarding use of the System.
Use of Personal Information
StudentPlus collects and uses personal information to execute student class and billing services. StudentPlus may also contact you via surveys to conduct research about your opinion of current services or of potential new services that may be offered.
Save for circumstances where we have your express consent, the information that StudentPlus collects is not shared with or sold to other organisations for commercial purposes. StudentPlus will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to:
Should W3 Technologies or the StudentPlus System merge with or be acquired by another entity, your information will be transferred subject to the provision of reasonable notice by StudentPlus/W3 Technologies.
Security and Storage of Personal Information
Each region in which StudentPlus operates is assigned a data protection officer (DPO), whose role is to ensure that the company remains compliant with data protection legislation and honours this policy.
StudentPlus stores the information provided by you; however, you retain all rights to such information.
StudentPlus secures your personal information against any unauthorised access, use or disclosure. The personally identifiable information you provide is held on computer servers in a controlled, secure environment. The transfer of data is protected through the use of encryption, such as the Secure Sockets Layer (SSL) protocol.
Please see our Security Statement for further details on the above.
One of the primary purposes of cookies is convenience; cookies save you time by telling the server that you have returned to a specific page. This allows you to store certain information such as username and password, simplifying the process of accessing the System.
You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer.
Changes to This Policy
StudentPlus/W3 Technologies may, from time to time, update its policy and so encourages you to periodically visit this page in order to review any changes made. StudentPlus/W3 Technologies will also notify you by e-mail of any significant changes.
W3 Technologies welcomes any feedback that you may have regarding this Policy. Furthermore, if you believe that W3 Technologies has not adhered to this Policy, please contact W3 Technologies at email@example.com and we will use commercially reasonable efforts to promptly determine and remedy the problem.
WHAT IS POPI?
The Protection of Personal Information Act No.4 of 2013 (POPI) is South Africa’s legislation for the protection of individuals’ personal information against unethical use. The preamble to the Act states the intention is to:
“Regulate, in harmony with international standards, the processing of personal information by public and private bodies in a manner that gives effect to the right to privacy subject to justifiable limitations that are aimed at protecting other rights and important interests.”
The purpose behind POPI can therefore be seen as the promotion of the constitutional right to privacy by ensuring that responsible parties and operators engage in lawful processing of personal information in accordance with, and with respect for, the rights of data subjects.
RESPONSIBLE PARTIES AND OPERATORS
The responsible party in respect of POPI is the public or private body or any other person which determines the purpose of and means for the processing of information.
An operator is a person or entity who processes information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
Putting this into context, you, the client, are the responsible party for your students’ (data subjects’) personal information. StudentPlus/W3 Technologies is acting as an operator for your benefit, processing your students’ personal information in order to assist you in your studio’s administration. The relevance of this is that a party’s role determines their rights, obligations and liabilities.
LAWFUL PROCESSING OF PERSONAL INFORMATION
Personal information is information which can be used to identify a data subject – a definitive list can be found in Section 1 of the Act. The data subject is the person to whom the personal information relates and can be either a natural or juristic person. Almost any way that a company interacts with the personal information of a data subject constitutes processing – a definitive list is once again available in Section 1 of the Act.
Under POPI there are eight principles for the lawful processing of information, aimed at striking a balance between the necessary processing of data for business purposes and protecting the rights of individuals. These are:
More detailed information on each of these principles is provided in Chapter 3 of POPI.
Whose legal responsibility it is to ensure compliance with POPI depends on the relationship between the data subject and the organisation doing the processing.
RIGHTS OF DATA SUBJECTS
Under POPI, data subject rights include the right to access what information of theirs is held, the right to correct information, the right to be notified of collection and the purpose of the collection, the right to object to the processing of their information and, in certain circumstances, the right to erasure.
In the case of an alleged infringement of a data subject’s rights, any person has the right to lodge a formal complaint with the Regulator. Pursuant to section 74, complaints can be made to the Information Regulator, by completing and submitting the relevant form found on their website.
POPI AND STUDENTPLUS / W3 Technologies (Pty) Ltd
Privacy and data protection are cornerstones of the culture at StudentPlus / W3 Technologies, and, as such, we have for some time been largely compliant with the obligations that are now statutorily imposed by virtue of being an operator under POPI.
These obligations have been codified within POPI as follows:
The personal information provided to StudentPlus / W3 Technologies by you includes information such as data subjects’ names, dates of birth, gender, physical address, email address and contact numbers. On signup and in order to make use of StudentPlus, you are required to agree to our Terms of Service. These contain a clause consenting to the lawful collection and processing of personal information.
As was the case before POPI, StudentPlus/W3 Technologies will continue to make reasonable efforts to assist you in the provision of personal information in line with your obligations to your clients’/students’ (data subjects’) rights under POPI, as laid out in sections 23 to 25 of the Act.
As well as complying with the principles of lawful processing, which for StudentPlus/W3 Technologies includes meeting the three obligations covered above, the following are relevant:
StudentPlus/W3 Technologies protects you against the unauthorised access, use and disclosure of your information, both in transit when you access your information, and at rest in our server. Our adopted measures meet and often exceed the requirements laid out in the relevant data protection legislation. Some of our key controls are detailed below:
PROTECTION OF DATA IN TRANSIT
Data transferred between your browser and the StudentPlus servers is encrypted and secured by SSL certificates – the same protocol used by your internet banking – so that no-one can eavesdrop on your communications.
PROTECTION OF DATA AT REST
The StudentPlus servers are stored in a data centre in South Africa, hosted by Xneelo. Access to the buildings, data floors and individual areas is strictly controlled by means of individually programmed access cards – using biometrics and visual identification – ensuring secure, single-person entry.
HIGH SECURITY STANDARDS
The StudentPlus inward and outward facing infrastructures are secure by design. We follow the Open Web Application Security Project (OWASP) guidelines and verify that they have been followed before making changes to our system. Role-based access controls are in place to limit the amount of information any one member of our team has access to, and all activity on privileged accounts is logged.
Our system is constantly being developed to protect your data from common attacks, such as cross-site scripting (XSS) and SQL injection. The processes we use have been designed with security at their heart and we continue to look for ways to update and improve them.
StudentPlus/W3 Technologies reviews the security measures of our service providers before contracting with them, ensuring that they are not a weak link in terms of our security. The Xneelo data centre has effective technical and organisational measures in place to ensure the protection of all information assets across their operations.
AVAILABILITY AND CONFIDENTIALITY
The StudentPlus server infrastructure has alerts in place for unsatisfactory performance and is also monitored manually by our team to maintain service.
Your password’s confidentiality is preserved by storing it in our database via a one-way hash function. This means that even if an unauthorised person were able to access the StudentPlus server, this information is still protected.
PERSONAL DATA BREACH PROCESS
In the unlikely event of a data breach, StudentPlus/W3 Technologies will contact all affected parties in accordance with our data breach process. This process is formulated to meet the strictest data protection requirements of our operational regions.