PAIA Manual

1.2 Definitions

• Company, we, our means Profit Recovery Solutions (Proprietary) Ltd, a private company (reg. no. 2005/000219/07) incorporated in the Republic of South Africa;
• Data Subject means a person to whom personal information relates;
• PAIA means the Promotion of Access to Information Act No. 2 of 2000 (as amended);
• POPIA means the Protection of Personal Information Act No. 4 of 2013 (as amended);
• Information Regulator means the Information Regulator (South Africa) https://inforegulator.org.za/.
• Responsible Party means a public or private body or any other person which, alone or in conjunction with another person, determines the purpose of and means for processing personal information.

Capitalised terms which are not defined in this section have the meaning assigned to them in the POPIA or the PAIA.

1.3 Acronyms and abbreviations

"IO"	Information Officer;
"DIO"	Deputy Information Officer;
"Minister"	Minister of Justice and Correctional Services;
"PAIA"	Promotion of Access to Information Act No. 2 of 2000 as Amended;
"POPIA"	Protection of Personal Information Act No. 4 of 2013;
"Regulator"	Information Regulator; and
"Republic"	Republic of South Africa

This PAIA Manual is useful for the public to-

1. Check the categories of records held by a body which are available without a person having to submit a formal PAIA request;
2. Have a sufficient understanding of how to make a request for access to a record of the body, by providing a description of the subjects on which the body holds records and the categories of records held on each subject;
3. Know the description of the records of the body which are available in accordance with any other legislation;
4. Access all the relevant contact details of the Information Officer and Deputy Information Officer who will assist the public with the records they intend to access;
5. Know the description of the guide on how to use PAIA, as updated by the Regulator and how to obtain access to it;
6. Know if the body will process personal information, the purpose of processing of personal information and the description of the categories of data subjects and of the information or categories of information relating thereto;
7. Know the description of the categories of data subjects and of the information or categories of information relating thereto;
8. Know the recipients or categories of recipients to whom the personal information may be supplied;
9. Know if the body has planned to transfer or process personal information outside the Republic of South Africa and the recipients or categories of recipients to whom the personal information may be supplied; and
10. Know whether the body has appropriate security measures to ensure the confidentiality, integrity and availability of the personal information which is to be processed.

The Information Officer appointed in terms of PAIA also refers to the Information Officer referred to in POPIA.

The Information Officer oversees the functions and responsibilities required by PAIA as well as the duties and responsibilities in terms of section 55 of POPIA and the regulations thereto, after registering with the Information Regulator.

The Information Officer may appoint, if necessary, Deputy Information Officers, permitted in terms of section 17 of PAIA as well as section 56 of POPIA.

All requests for information in terms of PAIA or POPIA must be addressed to the Information Officer.

Key contact details for access to information of the Clearwood Consulting (Pty) Ltd

Information Officer:	E.F. Mouton
Tel/WhatsApp:	0792443239
Email:	ewart@clearwood.co.za
Website:	www.clearwood.co.za
Company Phone & WhatsApp:	+27746156839
Company Email:	info@clearwood.co.za
Physical Address:	Tanglewood, PTN 44 Vaalbank 512JQ, Magaliesburg, Mogale City, Gauteng, South Africa, 1739

The Regulator has, in terms of section 10(1) of PAIA, as amended, updated and made available the revised GUIDE ON HOW TO USE PAIA ("GUIDE"), in an easily comprehensible form and manner, as may reasonably be required by a person who wishes to exercise any right contemplated in PAIA and POPIA.

The Guide is available in each of the official languages and in braille.

The Guide contains the description of-

1. The objects of PAIA and POPIA;
2. The postal and street address, phone and fax number and, if available, electronic mail address of-
   • The Information Officer of every public body, and
   • Every Deputy Information Officer of every public and private body designated in terms of section 17(1) of PAIA and section 56 of POPIA;
3. The manner and form of a request for-
   • Access to a record of a public body contemplated in section 11; and
   • Access to a record of a private body contemplated in section 50
4. The assistance available from the IO of a public body in terms of PAIA and POPIA;
5. The assistance available from the Regulator in terms of PAIA and POPIA;
6. All remedies in law available regarding an act or failure to act in respect of a right or duty conferred or imposed by PAIA and POPIA, including the manner of lodging-
   • An internal appeal;
   • A complaint to the Regulator; and
   • An application with a court against a decision by the information officer of a public body, a decision on internal appeal or a decision by the Regulator or a decision of the head of a private body;
7. The provisions of sections 14 and 51 requiring a public body and private body, respectively, to compile a manual, and how to obtain access to a manual;
8. The provisions of sections 15 and 52 providing for the voluntary disclosure of categories of records by a public body and private body, respectively;
9. The notices issued in terms of sections 22 and 54 regarding fees to be paid in relation to requests for access; and
10. The regulations made in terms of section 92.

Members of the public can inspect or make copies of the Guide from the offices of the public and private bodies, including the office of the Regulator, during normal working hours.

The Guide can also be obtained-

• Upon request to the Information Officer of the Information Regulator;
• From the website of the Regulator

A copy of the Guide is also available in the following two official languages, for public inspection during normal office hours-

• English
• Afrikaans

This section specifies the categories of records held by the company which are available without a person having to request access by completing Form C, types of the records and how the records can be accessed.

These are mostly records that maybe available on the website and a person may download or request telephonically or by sending an email or a letter.

Records of a public nature, typically those disclosed on the Company's website (https://www.clearwood.co.za/) and in its various reports, may be accessed without the need to submit a formal application.

Other non-confidential records, such as statutory records maintained at CIPC and the Master's Office, may be accessed without the need to submit a formal application, however, an appointment to view such records will still have to be made with the Information Officer.

This section lists all the records which are held by Clearwood in accordance with South African legislation.

Clearwood is required by law to keep certain records. These records are enumerated in various Acts of Parliament.

Our records are in paper and electronic form only. In terms of the Promotion of Access to Information Act, access must be granted irrespective of form or medium.

Accessibility of documents and records may be subject to the grounds of refusal set out in this PAIA Manual.

Where applicable to its operations, Clearwood also retains records and documents in terms of the legislation below.

Category of records	Applicable legislation
Memorandum of incorporation	Companies Act 71 of 2008
PAIA Manual	Promotion of Access to Information Act 2 of 2000
Privacy documentation (notices and policies)	Protection of Personal Information Act 4 of 2013
Notice of Incorporation	Companies Act 71 of 2008
Share Register	Companies Act 71 of 2008
Records of directors	Companies Act 71 of 2008
Annual Financial Statements	Companies Act 71 of 2008
Accounting Records	Companies Act 71 of 2008
Register, record or reproduction of the earnings, time worked, payment for piece work and overtime and other prescribed particulars of all the employees	Compensation for Occupational Injuries and Diseases Act, 130 of 1993
Written particulars of an employee after termination of employment	Basic Conditions of Employment Act 75 of 1997
Employee's name and occupation	Basic Conditions of Employment Act 75 of 1997
Time worked by each employee	Basic Conditions of Employment Act 75 of 1997
Remuneration paid to each employee	Basic Conditions of Employment Act 75 of 1997
Records of disciplinary transgressions, the actions taken by the Company and the reasons for the actions records - names, identifications numbers and monthly remuneration and address at which employee is employed race and gender information	Labour Relations Act 66 of 1995 Unemployment Insurance Act 63 of 2002 Employment Equity Act 55 of 1998 Broad-Based Black Economic Empowerment Act 53 of 2003
Records of workplace incidents including incidents which resulted in employees having to receive medical treatment Records of recommendations made to the Company in terms of issues affecting the health of employees	Occupational Health and Safety Act, 84 of 1993 and Compensation for Occupational Injuries and Diseases Act, 130 of 1993
Employee remuneration, and tax records	Tax Administration Act 28 of 2011, Income Tax Act 58 of 1962
Tax records	Tax Administration Act 28 of 2011, Income Tax Act 58 of 1962 and Value Added Tax Act 89 of 1991, Skills Development Levies Act 9 of 1999
Electronic communications and transactions records	Electronic Communications & Transactions Act 25 of 2002

This section describes the subjects in respect of which Clearwood holds records and the categories of records held on each subject.

Subjects on which the body holds records	Categories of records
Corporate	Director and shareholder records Records relating to the incorporation of the Company Statutory records Minutes and resolutions
Human Resources	HR policies and procedures Advertised posts Employee records Job Applicant records Training records
Finance	Tax records (the Company and employees) Annual financial statements Bank statements Purchase Orders/Invoices Asset Register Insurance information
Operational	Request for Proposals Operational reviews
Client & vendor dependencies	Client records Vendor records
Governance	Guidelines, policies and procedure
Legal Execution	Contracts
Correspondence Management	Internal and external correspondence
External Provisions	Records provided by a third party
Infrastructure Assets	Information technology
Business Progression	Strategic Plans
Outreach & Marketing	Marketing materials
Logistical Security	Visitor Records
Communications Hub	Contact Records

8.1 Purpose of Processing Personal Information

This section describes the purpose or reasons for processing personal information in Clearwood.

The Company processes personal information in the ordinary course of its business, including, but not limited to, the following:

• providing and improving our services;
• creating and managing client accounts;
• managing commercial relationships with clients and suppliers;
• to receive goods and/or services from suppliers;
• recruitment;
• managing employee relationships and performing employment contracts;
• for security purposes;
• to comply with legal obligations;
• information analysis;
• marketing our services;
• communication purposes; and
• administering our website.

For more information regarding the purposes we process personal information, please see our Privacy Notice on our website or for employees, please contact the Information Officer.

8.2 Categories of Data Subjects, personal information and categories of recipients

This section specifies the categories of data subjects whose personal information is processed by Clearwood and the nature or categories of the personal information being processed i.e. Description of the categories of Data Subjects, the information or categories of information relating thereto and categories of recipients.

Most commonly, the Company processes the following personal information of the following categories of data subjects:

Categories of Data Subjects	Personal Information that may be processed	Categories of recipients
Clients	Name and contact details Company registration details and incorporation documents Financial and tax information Key employee names, contact details Teleconference and video conference call recordings	Customer information may be shared with: • Our affiliates • Our suppliers and Operators • Professional service providers • Other customers • Debt collection agencies • Regulatory authorities and the courts, including the police
Suppliers	Name and contact details Company registration details and incorporation documents Physical and/or postal address Key employee names, contact details And Financial tax information Teleconference and video conference call recordings	Supplier information may be shared with: • Our affiliates • Our suppliers and Operators • Professional service providers • Our customers • Regulatory authorities and the courts, including the police
Employees	Name and Contact Details Identity number and date of birth / ID and/or passport copies Employment history Employment contracts Performance records Details of dependants, marital status and emergency contacts Payroll, financial and tax records Electronic access and communication records Health and safety records Training records Leave records Time and attendance records Teleconference and video conference call recordings	Employee information may be shared with: • Our affiliates • Our suppliers and Operators • Professional service providers • Our customers • Third Party verification • Regulatory authorities and the courts, including the police Supplier information / Corporate Assets: • Persons or organisations in the context of a sale of our shares, assets or business
Job Applicants	Name and contacts details Country of residence Visa information Educational background Interview notes and assessment result Employment history Additional information you choose to tell us	Job applicant information may be shared with: • Our affiliates • Our suppliers and Operators • Professional service providers • Third Party verification • Regulatory authorities and the courts, including the police
Third Parties (General public, website visitors, inbound inquiries)	Name and contact details Additional Information you choose to tell us	Personal Information may be shared with: • Our affiliates • Our suppliers and Operators • Professional service providers • Regulatory authorities and the courts, including the police

8.3 The recipients or categories of recipients to whom the personal information may be supplied

This section specifies the persons or categories of persons to whom Clearwood may disseminate personal information.

Category of personal information	Recipients or Categories of Recipients to whom the personal information may be supplied
Identity number and names, for criminal checks	South African Police Services
Qualifications, for qualification verifications	South African Qualifications Authority
Credit and payment history, for credit information	Credit Bureaus

8.4 Transborder flows of personal information

This section outlines all planned transborder flows of personal information.

While we generally store all of the personal information that we collect about you in the Republic of South Africa, it is possible that your personal information will be transmitted and hosted outside your region.

For example, our email and storage, accounting software and messaging service providers have servers outside of South Africa.

Most of our hosting platforms are in the Republic of Ireland or another EU state.

We ensure that countries to which your information is being shared either have adequate laws in place or that we have entered into contractual arrangements to ensure the protection of your personal information.

8.5 Information Security Measures

This section specifies the nature of the security safeguards implemented or under implementation to ensure the confidentiality and integrity of the personal information under the care of Clearwood.

In our role as a Responsible Party and in our role as a Processor under POPIA, we have taken technical and organisational measures to satisfy the requirements of "Condition 7 Security Safeguards" of POPIA listed in Section 19 to secure the integrity and confidentiality of personal information in a way that is appropriate, reasonable for our business.

Our cybersecurity framework actively works to prevent loss, damage, unauthorised destruction of, unlawful access to or processing of the personal information that we manage.

Our Framework also has due regard to generally accepted information security practices and procedures which apply generally or may be required in terms of our specific industry or professional rules and regulations.

Our cybersecurity framework achieves the requirements of Section 19 in the following ways:

Identify all reasonably foreseeable internal and external risks

• We monitor threats identified by international and industry experts
• Our cyber-risk vulnerabilities are identified and assessed through a risk assurance programme that seeks input from external parties and encourages open feedback and insights from our employees and key stakeholders.
• Our senior management team actively manage an Information Risk Register that spans across all functions and systems
• Personal Information Impact Assessments (PIIAs) are conducted whenever we believe processing might introduce risk to Data Subjects using a formalised methodology
• PIIAs and the Information Risk Register align to our overarching risk management methodology

Establish and maintain appropriate safeguards against the risks identified

• We proactively manage access to personal information as required by POPIA section 23. Privileged access is tightly controlled and our infrastructure design supports security objectives.
• We have adequate security measures in contracts & underpinning SLAs with all Operators as per POPIA Section 21, and we conduct security and data protection due diligence exercises against high risk operators.
• All transfers of personal information to other jurisdictions are secured and monitored as per POPIA Section 72
• As far as possible, Security by Design, Privacy by Design and Privacy by Default principles into all our systems and design decisions.

Regularly verify that the safeguards are effectively implemented

• Our cyber-security officers and partners actively manage health checks of all controls
• Our risk assurance programme ensures that appropriate tests are conducted periodically or as needed.
• Security controls are tested after every change

Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards

• Our threat and vulnerability management plan monitors for new or potential risks within the technologies that we use
• We analyse lessons learnt from incidents and near misses to identify weaknesses, vulnerabilities and opportunities for improvement
• Our senior management drive a continual improvement plan for our cyber-security framework

8.6 How to participate and object to processing of your personal information

If you would like to know what data we have about you, or if you would like us to update your information or delete it, please send an email to info@clearwood.co.za, WhatsApp or phone +27746156839, and one of our team will get in touch to walk you through the process.

If you are not happy at any point, please escalate queries to our Information Officer (see key contacts above).

8.6.1 What is personal Information?

According to the Protection of Personal Information Act (POPIA), "Personal Information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person (i.e. an organisation or company, etc), including, but not limited to -

1. Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
2. Information relating to the education or the medical, financial, criminal or employment history of the person;
3. Any identifying number, symbol, e-mail address, telephone number, location information, online identifier or other particular assignment to the person;
4. The biometric information of the person, for example, digital fingerprints, facial recognition maps, eye-scans, etc.
5. The personal opinions, views or preferences of the person;
6. Correspondence sent by the person that would reveal the contents of the original correspondence;
7. The views or opinions of another individual about the person; and
8. The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person.

8.6.2 Your rights as a Data Subject

Your Constitutional right to privacy is protected by the POPI Act.

Section 5 of POPIA gives you the following specific rights when it comes to your personal information: You have the right to:

• be informed when your data is collected
• be notified if the security of your data is compromised, i.e. a data breach has caused your data to be accessed by an unauthorised party
• participate in processing, specifically you can ask that data be deleted or updated and request access to whatever data an organisation has about you.
• object to processing and request that it cease, especially direct marketing
• not receive direct marketing via unsolicited electronic messaging unless you have explicitly consented to it before receiving the marketing messages
• understand when automated decision-making is being used and not suffer any impact because of that processing

If you are unhappy with the way that we are managing your data you have the right to complain either directly to our Information Officer or to the Information Regulator.

You also have the right to initiate civil proceedings if you believe your rights have been infringed.

We hope it would never come to that, and request that you get in touch with us to give us an opportunity to rectify any issue you may have with the way we manage your information.

If you would like to contact us in order to exercise any of these rights, please use the Key Contacts listed below.

8.6.3 Your legal rights

You have the right to:

8.6.3.1 Request access to your personal data

This is commonly known as a "data subject access request". This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you.

This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

8.6.3.2 Request erasure of your personal data.

This enables you to ask us to delete or remove personal data where there is no valid reason for us continuing to process it.

You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.

Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be communicated to you, if applicable, at the time of your request.

8.6.3.3 Object to processing of your personal data

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.

You also have the right to object where we are processing your personal data for direct marketing purposes.

In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

8.6.3.4 Request restriction of processing of your personal data.

This enables you to ask us to suspend the processing of your personal data in the following scenarios:

1. if you want us to establish your data's accuracy;
2. where our use of the data is unlawful but you do not want us to erase it;
3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
4. you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

8.6.3.5 Request the transfer of your personal data to you or to a third party.

We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform on a contract with you.

8.6.3.6 Withdraw consent

You can withdraw consent at any time where we are relying on consent to process your personal data.

This will not affect the lawfulness of any processing carried out before you withdraw your consent.

If you withdraw your consent, we may not be able to provide certain Website access or Services to you. We will advise you if this is the case at the time you withdraw your consent.

Please take note that regardless of your right to withdraw consent under POPI, other South African legislation applies and may require that we continue to process your data in order to comply with anti-corruption, crime-fighting and/or other national legislation, which you expressly understand and agree to.

A copy of the Manual is available-

• on www.clearwood.co.za
• head office of Clearwood Consulting for public inspection during normal business hours;
• to any person upon request and upon the payment of a reasonable prescribed fee; and
• to the Information Regulator upon request.

A fee for a copy of the Manual, as contemplated in annexure B of PAIA Regulations, shall be payable per each A4-size photocopy made.

The head of Clearwood Consulting will on a regular basis update this manual.

Regulatory & Dynamic Actions