Who we are
Our website address is: https://www.helderberghospice.org.za
Terms And Conditions
This site and the content provided in this site may not be copied, reproduced, republished, uploaded, posted, transmitted or distributed. ‘Deep-linking’, ‘embedding’ or using analogous technology is strictly prohibited. Unauthorized use of this site and/or the materials contained on this site may violate applicable copyright, trademark or other intellectual property laws or other laws.
Disclaimer
The owner of this site, the authors of these contents and in general anybody connected to this site in any way, from now on collectively called “Providers”, assume no responsibility for errors or omissions in these contents.
We reserve the right to modify or withdraw, temporarily or permanently, the Website (or any part of) without notice.
In an effort to assist our users, we may provide links to other websites or sources. We are not responsible for the availability of such external sites or resources, and do not endorse and are not responsible or liable, directly or indirectly, for the privacy practices or the content of such websites.
Online Donations
All online credit card transactions are processed in South African Rand (ZAR) only by PayFast which is a PCI DSS Level 1 Service Provider – the highest security level possible.
Refunds
Should you wish for any reason to cancel your online donation, you may do so within seven (7) days and receive a full refund (less bank charges). Kindly notify us of any refund required by emailing jeanne@helderberghospice.org.za
By using this website, you consent to these terms and conditions and to Helderberg Hospice processing personal information for the purposes given.
Data Protection Policy
This policy helps to protect Helderberg Hospice from some very real data security risks. These rules apply regardless of whether data is stored electronically, on paper or on other materials. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. Refer to https://www.michalsons.com/blog/data-privacy-in-south-africa/150
What is personal information?
Personal information is essentially any information that identifies a person. But the position is a bit more complicated than that because different laws in South Africa define it to mean different things. It is therefore critical that we know exactly what information is personal. Refer to https://www.michalsons.com/blog/what-is-personal-information/1397
Legislation
Personal information is currently defined in several different pieces of legislation (or proposed legislation). They are the:
- Promotion of Access to Information Act (PAIA)
- Electronic Communications and Transactions Act (ECT Act)
- Protection of Personal Information Act (PPI Act, POPI)
- Protection of State Information Bill (POSI)
- Cybercrimes Bill
Some of our donors are from the EU, so we also need to consider that the General Data Protection Regulation (GDPR) applies to our organisation. The GDPR is very similar to POPIA, with there probably being a 30% difference between the two laws. That difference comprises various extra compliance requirements that we have to consider if both laws apply. Apart from these differences and extra compliance requirements, we believe that we should view data protection laws as being similar across most parts of the world.
Refer to https://www.michalsons.com/blog/gdpr-compliance-checklist/37679
Non-Compliance Penalties
The offences and penalties in POPIA are quite limited. For example, one is directed against the hindering and obstruction of the Information Regulator in the execution of its obligations and duties. Another important one is failing to protect an account number. A person convicted of these offences will be subject to a fine or to imprisonment for a period not exceeding 10 years, or to both a fine and imprisonment.
Data Risks
- Breaches of confidentiality – For instance, information being given out inappropriately.
- Failing to offer choice – For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage – For instance, Helderberg Hospice could suffer if hackers successfully gained access to sensitive data.
- These risks can result in losing customers (and employees) and failing to attract new ones.
Responsibilities
Helderberg Hospice has the responsibility to ensure data is collected, stored and handled appropriately.
- Each individual that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
- The client’s information can only be stored once permission has been granted by the client.
- It is the responsibility of all staff and volunteers working with personal information to take reasonable steps to ensure that data is kept as accurate and up to date as possible.
- Staff should take every opportunity to ensure that data is up to date, i.e. when they call a client, confirm their details and any possible changes.
- Processing of personal data takes many forms, such as collecting or storing it, or sharing it with another organisation with which we are collaborating. Even if we use another organisation to process the personal data on our behalf, the responsibility to protect that data will rest with Helderberg Hospice (or we may contractually agree to share that responsibility). Because we determine the reason for processing the data, we would be what data protection law considers a ‘responsible party’ or ‘controller’, while the other organisation would be our ‘processor’ or ‘operator’. The people whose personal data we process would be our ‘data subjects’.
Consent
- Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
- Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
- Explicit consent requires a very clear and specific statement of consent.
- Keep your consent requests separate from other terms and conditions.
- Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough. Be clear and concise.
- Make it easy for people to withdraw consent and tell them how.
- Keep evidence of consent – who, when, how, and what you told people.
- Keep consent under review, and refresh it if anything changes.
- Avoid making consent to processing a precondition of a service.
- Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
Data storage
These rules describe how and where data should be safely stored.
- When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer or a car seat.
- Data printouts should be shredded and disposed of securely when no longer needed.
- Data should be backed up to the cloud weekly. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- All servers and computers containing data should be protected by approved security software and a firewall. At Helderberg Hospice, each computer has a firewall and antivirus program, plus the router has a firewall.
Data activities and types of data collected
We source funding from donors. We have a group of beneficiaries that we interact with. We employ people. We collaborate with other organisations. We sell goods and provide services to customers. We receive goods and services from suppliers. We hold the details of all event attendees, shop donors, monetary donors and donors who donate services in kind to the organisation. The administration support in the 24-hour Support Centre collects data on all patients and their next of kin. We also collect data on businesses and institutions in the Helderberg area, such as schools, retirement homes and churches. We collect, analyse, sort, amend, store and delete personal data.
Kinds of personal data
The kinds of personal data we collect vary quite a lot. We collect the personal data of our donors, for example, when we want to seek funding from them, or when we actually receive the funding and keep a register of the donors and their donations. Often, we will seek this funding from new donors using direct marketing to reach them. We also collect financial data, such as the bank details of our employees, collaborators or suppliers. We collect medical data from patients. The common thread running through all this collection is that the data is often of a very sensitive nature.
Purpose of the data collected
The data is collected to inform these parties of what happens at Helderberg Hospice. We keep them informed of events being held, send them newsletters and contact them if we have a specific appeal. We also keep patient records as required by the statutory health bodies.
Who collects this data?
The data is collected by various staff members in the organisation. Shop donors’ details are collected by the shop and administration staff. Event attendees’ data gets collected by the Resource Development department. Administration staff collects the data of the patients and their next of kin.
How data is collected, collated and analysed
This data is collected in various ways. Details of shop donors are recorded when they donate, by completing a triplicate donation book in which they give us permission to keep and use their data. Event attendees’ information is collected through ticket sales or the event register, as attendees provide us with their information. The data of patients and next of kin is collected when they complete their admission forms. The data is then captured from these different forms into an Excel spreadsheet and then loaded onto our CiviCRM. Once loaded onto the CRM, the system will recognise if someone has already supported the organisation in some way; if so, their information is updated.
Backup of data
We have three ways of backing up files and databases to ensure that we have information to fall back on should there be a problem.
- Manual backups: Prior to big changes. This is done using plugin software and backups are then stored in our One Drive folder.
- Automatic Hetzner Backups: These are backups done by Hetzner at about 2am every morning. These backups are only kept for two weeks.
- Automated internal backup system: These backups are done either monthly or, depending on how critical the data is, daily. For Hospice CiviCRM, we have now set this up to do daily backups.
General
- Helderberg Hospice has a good privacy policy in our Code of Ethics to tell people outside our organisation how and why we intend to process their personal data. People should know what we are doing with their information and who it will be shared with.
- We make sure our staff are adequately trained. New employees receive data protection training to explain how they should store and handle personal information.
- We use appropriate tools (like mass mailers and CRMs) for sending communications like our newsletter, for example MailChimp.
- We make sure we have a lawful purpose for processing personal data.
- We use a shredder for all the papers containing personal data that we aren’t using for a lawful purpose.
- We secure all the paper-based personal data we hold in locked storage cabinets and rooms, and control the access to those facilities.
- We use strong passwords and store them safely. Details to be forwarded to the Administration department for safe-keeping.
- We put up effective firewalls around digitally-stored personal data, install the latest anti-virus software, and encrypt drives (laptops and USBs, for example), tabs and phones as well.
- We only keep people’s information for as long as necessary. The organisation has established retention periods in place and has set up a process for deleting personal information once it is no longer required.