Privacy Policy & Compliance Framework in terms of the
Protection of Personal Information Act, No. 4 2013 (South Africa)
Organisation: Vimbo Health SA (PTY) Ltd
Policy Operational Date: 3 August 2021
Designated Information Officer: Tafi Mazikana
Introduction
Purpose of the Policy
The purpose of this policy is to enable Vimbo Health to:
- comply with the law in respect of the data it holds about individuals;
- follow good practice;
- protect Vimbo Health’s staff and other individuals;
- protect the organisation from the consequences of a breach of its responsibilities.
Personal information
This Policy applies to Personal Information, being information relating to an identifiable, living, natural person and, where it is applicable, an existing juristic person, of Data Subjects in terms of the Protection of Personal Information Act 4 of 2013. Capitalised words used but not defined in this Policy have the meaning set out in the Act, as applicable.
Categories of Data Subjects
Data subjects include:
- Users of Vimbo Health mobile applications
- Employees of Vimbo Health
- Customer organisations with whom Vimbo Health contracts
- Suppliers who provide services to Vimbo Health.
Policy Statement
Vimbo Health will:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff who handle personal data, so that they can act confidently and consistently
Vimbo Health recognises that its first priority under the POPI Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands, and
- retention of good quality information.
Secondly, the Act aims to ensure that the legitimate concerns of individuals about the ways in which their data may be used are taken into account. In addition to being open and transparent, Vimbo Health will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
Key Risks
Vimbo Health has identified the following potential key risks, which this policy is designed to address:
- Breach of confidentiality (information being given out inappropriately)
- Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
- Failure to offer choice about data use when appropriate
- Breach of security by allowing unauthorised access
- Harm to individuals if personal data is not up to date
Conditions for Lawful Processing of Personal Information
Condition 1: Accountability
Vimbo Health SA (PTY) Ltd accepts its role as the responsible party for information processing, and has assigned an Information Officer (as above) whose responsibility it is to ensure compliance.
Condition 2: Processing limitation
Consent
Upon initial registration, the user/data subject consents to the processing of data through agreement to the Terms and Conditions, which are made clearly accessible in this process.
The user also consents during registration to receive SMS and Email communications by checking a clear “opt-in” button. THIS OPTION IS NOT PRE-CHECKED, AND CAN ONLY BE ACTIVATED BY THE USER SELECTING IT.
Maintaining Consent After Registration
The Terms and Conditions and Privacy Policy are available in the app at all times (after registration via the user profile screen), as well as on the company website.
In the app, the user can amend consent to email and SMS communications at any time after registration, through the in-app Profile Screen.
Scope of Personal Information Captured
Contact Details: Name, Phone Number, Email Address
Demographic Data: Age, Gender, Employment Status
Consent Data: Agreement to Terms and Conditions, Agreement to SMS and Email Communications
User Feedback: User reported experiences on the platform such as points for improvement.
Health Data: User entered answers to psychological questionnaires and the calculated results; user entries to interactive tools such as a list of problems, recording mood over time, or journal entries.
Minimality
Personal information is only processed for the purposes of:
Provision of Vimbo Health Services and tools: That is, for the purposes of providing the treatment programme to the user, and to enable the user to make use of available in-app tools. A user's inputs may be used to communicate beneficial information to them as part of the programme via notification, SMS, or email.
Technical Support: To enable Vimbo Health to provide technical assistance to the user.
Understanding usage and improving service: Vimbo Health analyses personal data to understand usage and to help us improve the platform and programmes. Where data is analysed outside of the provision of a personal service to the individual user, it will be anonymised by removing or obfuscating personally identifiable information (name, email address, phone number). This analysis may be for the purposes of internally conducted research, or in partnership with an authorised 3rd party. This analysis on anonymised data sets may include profiling, machine learning to build and test future prediction models, or other techniques.
Condition 3: Purpose Specification
Collection for specific purpose
Data will only be collected for the purposes stated above, of which the data subject will be aware via the Terms and Conditions and Privacy Policy.
Retention of Records
After a period of 5 years from the end of service provision, Vimbo Health will “de-identify” data through the removal or obfuscation of personally identifiable information (i.e. name, email address, phone number). Where obfuscation occurs, this will be done in a manner that prevents reconstruction of the information in an intelligible form.
Condition 4: Further Processing Limitation
Further Processing to be Compatible With Purpose of Collection
Per the terms of the Act, amongst other things, further processing of personal information is not incompatible with the purpose of collection if:
- the data subject has consented to further processing of the information
- the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form
Vimbo Health will obtain consent for further processing of the data for research and any other purposes from the user by way of the Terms and Conditions. Furthermore, only anonymised aggregated data will be used for these purposes.
Condition 5: Information Quality
To ensure that personal information is accurate, the user will have the ability to amend certain information provided in registration at any time using the in-app profile screen, including name, email, gender, employment status, and consent to receive email and SMS communications.
Condition 6: Openness
In line with Conditions 6 and 8 of the Act, Vimbo Health is committed to ensuring that in principle Data Subjects are aware that their data is being processed and
- for what purpose it is being processed;
- what types of disclosure are likely; and
- how to exercise their rights in relation to the data.
Data Subjects will generally be informed through the Vimbo Health Privacy Policy. Whenever data is collected, the number of mandatory fields will be kept to a minimum and Data Subjects will be informed which fields are mandatory.
Condition 7: Security Safeguards
Secure Infrastructure
Data will remain in the Google ecosystem, Google Firebase and Google Cloud Storage. The Google ecosystem meets high standards of security, and Google Cloud Storage provides encryption, ensuring the safety of data.
User Access Control
Access to the technology back end data is password protected.
Access by Vimbo Health personnel is strictly controlled by the Information Officer, and restricted to critical use cases.
On-device Security
Data Subject login occurs via SMS authentication using the user's phone number; this ensures that only the Data Subject has access to their account. We recommend in our Privacy Notice that the user enables their device security for added protection.
Condition 8: Data Subject Participation
Requests by a Data Subject for data held on them will be handled by the POPI Act Information Officer in terms of Condition 8, with information provided to the data subject upon receiving adequate proof of identity.
A request by a Data Subject for the deletion of information held on them (personally identifiable or all) will be honoured.
Fees for access to personal information will be handled in compliance with the PAIA Act.
Other Provisions
Processing of Special Personal Information
Vimbo Health does not collect biometric data. Vimbo Health does not knowingly collect any other special personal information, and does not explicitly request the user to make entries pertaining to special personal information such as religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, or criminal behavior, or any other personal information as defined in Section 26 of the POPI Act 2013.
Processing of personal information of children
Vimbo is intended for use by adults aged 18 years or over and we do not knowingly collect personal data from people under 18 years of age. During registration, users entering age under 18 are not able to proceed to use the app (in-app age check control).
Direct Marketing, Directories and Direct Communications
Whenever data is collected which might be used for any marketing purpose, this purpose will be made clear, and the Data Subject will be given a clear opportunity to opt in.
Whenever direct contact is made by email or SMS, the user will be given the option to Opt-Out of such communications.
Policy review
The Information Officer is responsible for an annual review to be completed prior to the policy anniversary date.