1. Audit the processes used to collect, record, store, disseminate and destroy personal information
Companies must ensure the integrity and safekeeping of personal information in their possession or under their control. They must take steps to prevent the information being lost or damaged, or unlawfully accessed.
XStore makes use of encryption for both the transmission and storage of client data. Email communications can be encrypted via PGP should clients require. All web-based services provided by XStore for use by clients are SSL encrypted.
In addition, data that is marked for erasure is wiped using appropriate systems like DBAN for hard disks and WIPE for memory sticks/ flash cards, etc. A notice for destruction of data will be sent to clients on completion.
XStore maintains secure storage for all client-related information, protected by SHA256 SSL encryption.
2. Define the purpose of the information gathering and processing
Personal information must be collected for a specific, explicitly defined and lawful purpose that is related to a function or activity of the company concerned.
XStore maintains information about clients' networks and systems for the purpose of documenting technical configurations and using these configurations for system expansion, configuration and troubleshooting. This information includes technical documentation, configuration manuals, flow diagrams and network block diagrams.
3. Limit the processing parameters
Processing must be lawful and personal information may only be processed if it is adequate, relevant and not excessive given the purpose for which it is processed.
XStore only maintains information relating to the work it performs for, and is required to be performed by, clients. XStore T&C's include clauses that state that a certain amount of information is required about a client's systems in order to perform the requested work. In addition, client confidentiality is acknowledged per default unless otherwise stated. However, any information provided by clients is not covered under NDA unless specifically stated via such agreement.
What information do we collect?
- Full Name
- Contact details including physical/postal addresses, email addresses and phone numbers
- All information relating to our interaction with clients on support/consulting issues including but not limited to:
- device identifiers, IP addresses, firmware versions, operating system, time zone, language, MAC addresses, and other information about computing systems, applications, and networks
- details about configurations and data stored on systems
- network and internet connectivity details
- access controls information
- client staff information
- information about activity on computing systems, applications, and networks
- file and communications content and metadata;Antivirus and other malware statistics and files
- system logs and traffic, including URLs
4. Take steps to notify the 'data subject'
The individual whose information is being processed has the right to know this is being done and why. The data subject must be told the name and address of the company processing their information. In addition, he or she must be informed as to whether the provision of the information is voluntary or mandatory.
XStore, as indicated in the T&C's, will automatically retain certain data about a client. The client accepts this data retention as part of their service interaction with XStore. Furthermore, the status of a client's data will be communicated to clients should the status of such data change.
5. Check the rationale for any further processing
If information is received via a third party for further processing, this further processing must be compatible with the purpose for which the data was initially collected.
XStore will not retain data pertaining to clients unless it is relevant to the work performed for clients. XStore will communicate with clients should there be a change in data status. Information received cia 3rd parties will be treated with the same care as data received directly from clients.
Why we collect this information?
- required in the general course of our duties to clients and as it relates support, consulting and design services
- to comply with law and protect rights, safety and property
- for other purposes requested or permitted by our customers or users, or as reasonably required to perform our business
Additional reasons why we collect/store this information
- providing maintenance and technical support
- to facilitate support, consulting and design services
- used in the financial process (invoice/quote/statement)
- to manage our relationships with customers, partners, suppliers, event attendees, and others
- to analyze, improve and create XStore/eMailStor Services and other business offerings
- to enforce the legal terms that govern our business and online properties
- to provide security and business continuity
- to comply with law and protect rights, safety and property
- for other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.
6. Ensure information quality
The company processing the information must make sure the information is complete, accurate, up to date and not misleading.
XStore maintains accurate records about relating to its clients and keeps documentation up to date as system configurations change. Furthermore, XStore maintains a ticketing system which tracks and provides an audit trail for client interaction and client data.
7. Notify the information protection regulator
When PPI is enacted and a regulator established, organisations processing personal information will have to notify the regulator about their actions.
XStore will comply as required.
8. Accommodate data subject requests
PPI allows data subjects to make certain requests, free of charge, to organisations holding their personal information. For instance, the data subject has the right to know the identity of all third parties that have had access to their information. A data subject can also ask for a record of the relevant information.
XStore maintains strict records and documentation relating to its interactions with clients. This information is available to the respective clients at any time without cost.
9. Retain records for required periods
Personal information must be destroyed, deleted or “de-identified” as soon as the purpose for collecting the information has been achieved. However, a record of the information must be retained if an organisation has used it to make a decision about the data subject. The record must be kept for a period long enough for the data subject to request access to it.
XStore maintains records for the life of its interaction with a client, and beyond for a period of 5 years.
10. Cross-border data transfer
There are restrictions on the sending of personal information out of SA, as well as on the transfer of personal information back into SA. The applicable restrictions will depend on the laws of the country to which the data is transferred or from where the data is returned, as the case may be.
XStore will not transfer data concerning a client without their permission.
11. Destruction of data
XStore, the responsible party, must destroy or delete a record of personal information or de-identify it as soon as reasonably practicable after the responsible party is no longer authorised to retain the record in terms of the following provisions of the POPI Act:
Subject to subsections (2) and (3) of POPIA, records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless—
- retention of the record is required or authorised by law;
- the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
- retention of the record is required by a contract between the parties thereto; or
- the data subject or a competent person where the data subject is a child has consented to the retention of the record.
XStore uses the following mechanisms for data destruction:
- digital data in any format including online, disk-based or any other storage medium: DBAN for physical disk-based data, shred for online data
- physical media and formats: Fellowes 70S 14 Sheet Strip Cut Shredder with SafetyLock