PIA Policy

PRIVACY IMPACT ASSESSMENT (PIA) FOR TTP PROJECTS

1. INTRODUCTION

This Privacy Impact Assessment (PIA) has been conducted for Tabe Trading & Projects (Pty) Ltd trading as TTP Projects in accordance with South African data protection laws, particularly the Protection of Personal Information Act (POPIA). This assessment evaluates the collection, use, storage, and processing of personal information in TTP’s operations and services.

2. ORGANIZATIONAL OVERVIEW

Organization Name: Tabe Trading & Projects (Pty) Ltd trading as TTP Projects
Primary Address: No 2 Centre Road, Morningside, Sandton, Gauteng, 2196, RSA
Information Officer: Obakeng Tabe (Founder)
Core Business: Engineering, technology design, security systems, installation, and maintenance services

3. PERSONAL INFORMATION INVENTORY

3.1 Categories of Personal Information Collected

Client Contact Information: Names, phone numbers, email addresses, physical addresses collected for service delivery, communication, and invoicing purposes. Medium sensitivity.

Employee Information: Names, ID numbers, contact details, qualifications, employment history collected for HR management and compliance purposes. High sensitivity.

Vendor Information: Company details, contact information, financial information collected for procurement and payment processing. Medium sensitivity.

Security Footage: Video recordings from CCTV systems collected for security monitoring purposes. High sensitivity.

Access Control Data: Biometric data, access logs collected for security management purposes. High sensitivity.

Financial Information: Banking details, payment information collected for processing payments and financial management. High sensitivity.

3.2 Special Personal Information

Biometric Information: Fingerprints, facial recognition data processed on the basis of explicit consent and security requirements.

Criminal Records: Background checks for security personnel processed on the basis of legal obligation and legitimate interest.

4. DATA FLOW MAPPING

4.1 Collection Points

  • Direct collection from clients during consultations
  • Contract and service agreement forms
  • Site assessments and surveys
  • Security systems installed at client premises
  • Employment applications and HR processes
  • Vendor registration processes

4.2 Processing Activities

  • Client project management
  • Security system monitoring and maintenance
  • Financial transaction processing
  • Human resources management
  • Vendor management
  • Compliance reporting

4.3 Data Transfers

  • Internal transfers between departments
  • Transfers to service providers and contractors
  • Transfers to regulatory authorities when required
  • Cross-border transfers for international projects or cloud services

5. COMPLIANCE ASSESSMENT

5.1 POPIA Compliance Status

Appointment of Information Officer: Completed – Obakeng Tabe designated as Information Officer.

Registration with Information Regulator: Pending, to be completed.

Privacy Policy: Implemented but requires regular review.

Data Subject Consent Mechanisms: Implemented and included in service agreements.

Data Security Measures: Implemented with technical and organizational measures in place.

Data Breach Procedures: Implemented with response plan established.

Third-Party Processor Agreements: Partially implemented, review of all agreements required.

Employee Training: Ongoing with regular training sessions conducted.

Record of Processing Activities: Implemented and maintained by Information Officer.

Data Retention Schedule: Implemented following legal requirements.

5.2 Lawful Basis for Processing

TTP Projects processes personal information based on the following lawful bases under POPIA:

  • Consent: Obtained for specific processing activities
  • Contract: Necessary for fulfillment of contractual obligations
  • Legal Obligation: Compliance with applicable laws
  • Legitimate Interests: Business operations and service delivery
  • Public Interest: When applicable for security purposes

6. RISK ASSESSMENT

6.1 Identified Risks

Unauthorized access to client data: Medium likelihood with high impact. Mitigation through access controls, encryption, and regular security audits.

Data breach of security systems: Low likelihood with severe impact. Mitigation through enhanced security protocols and regular penetration testing.

Non-compliance with POPIA: Low likelihood with high impact. Mitigation through regular compliance reviews, training, and documentation.

Over-collection of personal information: Medium likelihood with medium impact. Mitigation through data minimization principles and purpose limitation.

Retention beyond necessary periods: Medium likelihood with medium impact. Mitigation through implementation of data retention policies.

Third-party processor non-compliance: Medium likelihood with high impact. Mitigation through due diligence, contractual safeguards, and regular audits.

Cross-border transfer issues: Low likelihood with medium impact. Mitigation through transfer impact assessments and appropriate safeguards.

7. DATA PROTECTION MEASURES

7.1 Technical Measures

  • Encryption of sensitive data at rest and in transit
  • Access controls based on role and need-to-know principles
  • Firewalls, intrusion detection, and prevention systems
  • Regular security updates and patches
  • Secure development practices for proprietary systems (SSICS, CEMMS)
  • Backup and disaster recovery procedures

7.2 Organizational Measures

  • Information security policies and procedures
  • Regular staff training on data protection
  • Confidentiality agreements with employees and contractors
  • Physical security measures for premises
  • Clean desk policy
  • Incident response procedures
  • Regular compliance audits

8. DATA SUBJECT RIGHTS PROCEDURES

Access: Formal request process with verification of identity. Response within 30 days.

Correction: Submission of correction request with verification. Completion within 30 days.

Deletion: Evaluation of grounds for deletion followed by implementation. Completion within 30 days.

Objection: Review of objection and assessment of alternative processing basis. Response within 21 days.

Restriction: Temporary suspension of processing implemented immediately upon valid request.

Data Portability: Export of data in structured format provided within 30 days.

9. DATA BREACH RESPONSE PLAN

9.1 Detection and Reporting

  • Internal reporting channels established
  • Responsibility assigned to Information Security Team
  • Initial assessment criteria defined

9.2 Containment and Recovery

  • Immediate steps to contain breach
  • Evidence preservation procedures
  • Recovery and restoration protocols

9.3 Notification

  • Information Regulator notification within 72 hours where required
  • Data subject notification without undue delay where high risk
  • Law enforcement notification when applicable

9.4 Post-Breach Review

  • Root cause analysis
  • Remediation plan development
  • Implementation of lessons learned

10. RECOMMENDATIONS

  1. Complete registration with the Information Regulator
  2. Enhance documentation of processing activities, particularly for security systems
  3. Review and update consent mechanisms for all data collection points
  4. Implement additional security measures for biometric data processing
  5. Conduct regular data protection training for all staff
  6. Develop specific procedures for handling security footage
  7. Enhance due diligence for third-party processors
  8. Implement automated tools for data retention management
  9. Conduct regular penetration testing of security systems
  10. Develop specific privacy safeguards for the SSICS platform

11. CONCLUSION

This Privacy Impact Assessment has identified the privacy impacts and risks associated with TTP Projects’ operations and services. While fundamental data protection measures are in place, several areas require enhancement to ensure full compliance with POPIA and to adequately protect the personal information processed by the organization. The recommendations outlined in this assessment should be implemented according to a prioritized schedule to mitigate identified risks.

12. REVIEW SCHEDULE

This Privacy Impact Assessment will be reviewed:

  • Annually
  • Upon significant changes to business operations
  • When new systems processing personal information are implemented
  • Following any significant privacy incident

Next scheduled review date: April 5, 2026