2.0 Scope and responsibilities
Are a visitor to the South African Clinical Research Association (SACRA) website;
Create a user account on a South African Clinical Research Association (SACRA) Online Services/Electronic Platform;
Add to and manage your personal profile on a South African Clinical Research Association (SACRA) Online Service/Electronic Platform;
Contact or communicate with South African Clinical Research Association (SACRA) via an Online Service/Electronic Platform.
Any suspected Security Breach or compromise of Personal Information or Confidential Information will be addressed as detailed in PC-GM-03 “Privacy, Security and Protection of Personal Information”.
4.0 Key definitions and clarifications
Confidential Information: All business information, operations, products or plans, personal information or plans which are not known to the general public and disclosed by South African Clinical Research Association (SACRA) will be deemed to be Confidential Information. Confidential Information will include all information disclosed to South African Clinical Research Association (SACRA) by a Client and that was clearly marked as “Confidential”.
Consent: Any voluntary, specific and informed expression of will in terms of which permission is given for the Processing of Personal Information.
Cookies: A small text file (up to 4KB) created by a website that is stored in the user’s computer either temporarily for that session only or permanently on the hard disk (persistent cookie). Cookies provide a way for the website to recognise you and keep track of your preferences.
Data: Information, facts and statistics used for reference or analysis in electronic form. For this Policy, all references to Data may include Personal Information and/or Confidential Information.
Data Protection Officer (DPO): A person, either an employee or a professional hired externally, who has responsibility for ensuring that their organisation is compliant.
Data Subject: The person to whom the personal information relates.
Electronic Platform: A secure electronic system used by authorised South African Clinical Research Association (SACRA) staff in accordance with their documented access rights for the delivery of electronic information (including, without limitation, documents).
Information Officer: The “head” of a private body (such as a company) or the most senior person of a particular public body, or any person duly authorised by such acting person. “Data Protection Officer” will have a corresponding meaning.
Information Regulator: An independent body established in terms of Section 39 of POPIA, empowered to monitor and enforce compliance by public and private bodies with the provisions of POPIA. “Regulator” will have a corresponding meaning.
IP address: A unique address that identifies a device on the internet or a local network.
Key Definition: A clarification of terminology applicable to a specific PROC DOC. These terms may be listed for clarity or additional information to the specific PROC DOC and may not necessarily be referred to again in the remainder of the PROC DOC. Recurring definitions may be listed in the South African Clinical Research Association (SACRA) Glossary and not in the Key Definition section of a Procedural Document, as per the Author’s discretion. Commonly used roles may also be defined to indicate the associated department or function within the organisation. The customised South African Clinical Research Association (SACRA) Glossary is an alphabetical list of common terms and abbreviations South African Clinical Research Association (SACRA) uses in its day-to-day operations. Definitions for those terms are available on the internal shared drive.
Online Services: A system/platform that collects Data during a user’s interaction with that system/platform and includes without limitation the South African Clinical Research Association (SACRA) website (including mobile sites) and social media sites (Facebook, LinkedIn etc.), mobile sites/applications and/or other online platforms.
Personal Information: Information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to (a) information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture or employment history of the person; (b) information relating to the education or the medical, financial, criminal or employment history of the person; (c) any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person; (d) the biometric information of the person; (e) the personal opinions, views, or preference of the person; (f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the content of the original correspondence; (g) the views or opinions of other individuals about the person; and (h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person. “Personal Data” has a corresponding meaning. Without limiting the generality of the foregoing, Personal Information must always be treated as Confidential Information, even after the individual’s death. It should be noted that Personal Information which has undergone Pseudonymisation and/or was de-identified, and which can be attributed to a Data Subject by the use of additional information, should be considered as Personal Information.
Processing: Any operation or activity or set of operations, whether by automatic means, concerning Personal Information, including (a) the collection, receipt, recording, organisation, collation, storage, dating or modification, retrieval, alteration, consultation or use; (b) dissemination by means of transmission, distribution or making available in any other form; or (c) merging, linking as well as restriction, degradation, erasure or destruction of information. “Process”, “processes”, and “processed” shall have the corresponding meaning.
Promotion of Access to Information (PAIA): The Promotion of Access to Information Act Number 2 of 2000, as amended, is South Africa’s access to information law and it enables people to gain access to information held by both public and private bodies. PAIA gives legislative effect to the right of access to information in accordance with section 32 of the Constitution of the Republic of South Africa, 1996.
Protection of Personal Information Act (POPIA): The Protection of Personal Information Act, Number 4 of 2013, as amended. POPIA regulates the lawfulness of processing activities of South Africa’s Personal Information.
Pseudonymisation: A technique that replaces or removes information in a data set that identifies an individual. According to the European General Data Privacy Regulation (GDPR): “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” Note that Pseudonymised data and Anonymised data are not the same.
Records: Any recorded information that a business holds in any form or medium (paper and electronic). Records also include records that third parties created (and are now under the control of the business/responsible party) regardless of when it came into existence. Records include email and other recorded electronic communications.
Security Breach: Any potential or actual breach of information security, whether intentional or unintentional that has an effect on Personal Information and the Responsible Party and/or the Operator’s company resources and reputation, including without limitation viruses or other malicious codes, hacking or computer theft. “Security Incident” or “Privacy Incident” has a corresponding meaning.
Traffic data: Any data processed for the purposes of the conveyance of a communication on an electronic communications network in respect of that communication and includes data relating to the routing, duration or time of a communication.
User: A person who uses a computer and/or other devices to access an Online Service.
Web browser: An application used to access and view this website. Well known web browsers include Internet Explorer, Google Chrome and Safari.
6.0 Personal Information that South African Clinical Research Association (SACRA) collects
Users that communicate with SACRA through an Online Service/Electronic Platform will no longer be anonymous to SACRA, since the users will provide certain Personal Information to SACRA.
Personal Information is any information that identifies users as an individual or relates to users as an identifiable individual. Depending on how users interact with SACRA, Personal Information that SACRA collects may include without limitation, a user’s name and surname, email address, telephone number, log-in and account information for authentication purposes and account access, gender, qualification and experience details and other detail relating to SACRA’s Online Services/Electronic Platforms, including, but not limited to, traffic data, location data, weblogs and other communication data; information that users provide to SACRA, including Records of correspondence; marketing and other preference information; and social media account information.
SACRA may also collect other information that does not personally identify users. Such other information includes browser and device information, website and application usage data, IP addresses, demographic information such as marketing preferences, geographic location, primary language, and information collected through cookies and other technologies or information that has been anonymised or aggregated. If SACRA links this information with users’ Personal Information, SACRA will treat that linked information as Personal Information.
Note: It is possible to modify and/or block the installation of cookies sent by the website of South African Clinical Research Association (SACRA); however, the quality of the operations of the services may be affected.
Users can choose not to provide Personal Information to South African Clinical Research Association (SACRA) when requested. However, if this is necessary to provide users with SACRA’s solutions and services, access to SACRA’s Online Services/Electronic Platforms, or to perform administrative functions, SACRA may be unable to perform these functions.
7.0 Sensitive Personal Information
South African Clinical Research Association (SACRA) does not collect sensitive Personal Information about users, e.g. information relating to health, religion, political beliefs, race or sexual orientation via our Online Services and asks that users do not send or provide this information to SACRA unless specifically requested to do so in writing and via a documented Consent process.
8.0 How South African Clinical Research Association (SACRA) collects your Personal Information
SACRA may collect Personal Information from users in a variety of ways when users interact with SACRA, including without limitation when:
You access SACRA’s Online Services or interact with SACRA in any other way.
You reach out to SACRA regarding potential business opportunities and/or SACRA’s services, you create an account with SACRA on one of our online platforms or Electronic Platforms, perform administrative and business functions and when you communicate with SACRA.
SACRA responds to your enquiries and requests, obtains feedback from you about our services or you apply for employment with SACRA.
SACRA collects Personal Information from third parties, including public databases, social media sites, business partners with whom SACRA offers services or engages in joint marketing activities and third parties that provide list enhancement or similar services.
9.0 Legal basis for Processing Personal Information
Our legitimate business interests (or those of a third party with whom we share users’ Personal Information) for the purpose of managing, operating or promoting our business, including marketing, for business and administrative purposes, except where such interests are overridden by users’ interests or fundamental rights or freedoms which require protection of Personal Information; and/or
Where this is necessary to comply with a legal obligation on South African Clinical Research Association (SACRA); and/or
To protect the vital interests of any individual; and/or
Where users have Consented to the use of their Personal Information.
10.0 Use of Personal Information
SACRA may use Personal Information to enable users to effectively use and to improve SACRA’s Online Services/Electronic Platforms. For example, to:
Perform administrative and business functions and internal reporting.
Send administrative information to users.
Obtain feedback from users about our services including through client satisfaction surveys, in which event, South African Clinical Research Association (SACRA) will only use Personal Information for the sole purpose of sending users a survey (through our third-party email delivery provider).
Respond to enquiries and fulfil requests by users.
Assess the performance of Online Services/Electronic Platforms and to improve their operation.
Inform users about and provide users with South African Clinical Research Association (SACRA)’s services and solutions.
Update SACRA’s Records and keep contact details up to date.
SACRA engages in these activities to manage SACRA’s contractual relationship with clients/users, to comply with SACRA’s legal obligations, or for SACRA’s legitimate business interests.
11.0 Sharing Personal Information
With business partners with whom SACRA offers services or engages in joint marketing activities.
With service providers to provide operational services or facilitate transactions on SACRA’s behalf, including but not limited to Processing of orders, assisting with services, client support, email delivery, data analytics and auditing.
Where Data Subjects Consent to the sharing of their Personal Information.
In connection with any joint venture, merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of South African Clinical Research Association (SACRA)’s business by or to another company.
For other legal reasons.
South African Clinical Research Association (SACRA) may share Personal Information in response to a request for information by a competent authority in accordance with, or required by any applicable law, regulation or legal process:
Where necessary to comply with judicial proceedings, court orders or government orders; or
To protect the rights, property or safety of SACRA, its business partners, Data Subjects, or others, or as otherwise required by applicable law.
Any third parties with whom we share Personal Information are contractually required to implement appropriate data protection and security measures to protect Personal Information and are not permitted to use Personal Information for any purpose other than the purpose for which they are provided with or given access to Personal Information.
12.0 Security of your Personal Information
SACRA is committed to protecting Personal Information from accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure by using a combination of physical, administrative and technical safeguards and contractually requiring that third parties to whom SACRA discloses Personal Information do the same.
However, while SACRA has implemented reasonable technical and organisational precautions to protect the security and integrity of Personal Information, due to the inherent nature of the internet as an open global communications vehicle, SACRA cannot guarantee that information, during transmission through the internet or while stored on SACRA’s systems or otherwise in SACRA’s care, will be absolutely safe from intrusion by others, such as hackers.
SACRA maintains physical, electronic and procedural safeguards to protect Personal Information. We strive to protect information transmitted on or through SACRA’s Online Services/Electronic Platforms; however, SACRA cannot and does not guarantee the security of any data or information SACRA transmits on or through the Online Services/Electronic Platforms, and users do so at their own risk. SACRA cannot and does not guarantee the security of users’ data or information.
13.0 Cross border transfers
Where SACRA transfers Personal Information to a country or international organisation that does not provide a level of protection for Personal Information which the POPIA Information Regulator deems adequate, SACRA enters into a Data Processing Agreement to ensure adequate protection measures.
14.0 Data Subject’s rights under Data Protection Laws
SACRA adheres to applicable Data Protection Laws in South Africa which provide Data Subjects with certain rights relating to Personal Information (subject hereto that such Personal Information falls within the application of the POPIA and further subject to the limitations as set out in POPIA). Data Subjects’ rights include without limitation:
The right to access Personal Information that South African Clinical Research Association (SACRA) processes about them.
The right to rectify inaccurate Personal Information South African Clinical Research Association (SACRA) holds about them without undue delay and, taking into account the purposes of the Processing, to have incomplete Personal Information about them completed.
The right to ask South African Clinical Research Association (SACRA) to delete their Personal Information without undue delay in certain circumstances.
The right to restrict the Processing of their Personal Information in certain circumstances.
Where South African Clinical Research Association (SACRA) processes Personal Information based on a Data Subject’s Consent, the Data Subject has the right to withdraw his/her Consent at any time for future Processing.
Where South African Clinical Research Association (SACRA) processes Personal Information based upon South African Clinical Research Association (SACRA)’s legitimate interests or those of a third party, the Data Subject has the right to object to the Processing of Personal Information at any time (including to any profiling).
Where South African Clinical Research Association (SACRA) processes Personal Information for direct marketing purposes, the Data Subject has the right to object to Processing of his/her Personal Information at any time, including profiling to the extent that it is related to such direct marketing.
The right not to be subject to a decision based solely on automated Processing, including profiling, which produces legal effects concerning Data Subjects or similarly significantly affects Data Subjects.
The right to lodge a complaint to the Information Regulator.
SACRA will consider such requests and respond to requestors within 30 (thirty) days. SACRA may require verification of a requestor’s identity before providing a copy of the Personal Information, as permitted by law.
15.0 Cookies and Similar Technologies
Ensuring that web pages can function properly.
Know user navigation and user experience.
Collect anonymous statistical information, such as which sections have been visited, and how long a user has been in the SACRA environment.
These technologies collect information that users’ browsers send to SACRA’s Online Services/Electronic Platforms including a user’s browser type, information about IP address (a unique identifier assigned to a user’s computer or device which allows a user’s PC or device to communicate over the Internet), together with the date, time and duration of a user’s visit, the pages users view and the links users click.
16.0 Links to third party websites and applications
17.0 Direct marketing
SACRA may send direct marketing communications about SACRA’s solutions and services. Recipients thereof can choose whether they wish to receive marketing communications from SACRA by email, SMS, and phone.
Recipients may opt out of receiving marketing materials from SACRA at any time and manage their communication preferences by contacting SACRA using the contact details on SACRA’s website. Recipients should include their contact details and a description of the marketing material they no longer wish to receive from SACRA. SACRA will comply with such requests as soon as is reasonably practicable.
If recipients opt out of receiving marketing related communications from SACRA, SACRA may still send recipients administrative messages as part of their ongoing use of our solutions and services, which recipients will be unable to opt out of.
SACRA does not provide Personal Information to unaffiliated third parties for direct marketing purposes or sell, rent, distribute, or otherwise make Personal Information commercially available to any third party.
18.0 Retaining Personal Information
SACRA will retain Personal Information for as long as is necessary to fulfil the purpose for which it was collected unless a longer retention period is required to comply with legal obligations, resolve disputes, protect assets or enforce agreements. The criteria SACRA uses to determine retention periods include without limitation, whether:
SACRA has a legal, contractual or other obligation to retain Personal Information, or to retain it as part of a business agreement, an investigation or for litigation purposes.
Personal Information is needed to maintain accurate business and financial Records.
There are automated means to enable users to access or update their Personal Information at any time.
The Personal Information is sensitive Personal Information in which event South African Clinical Research Association (SACRA) will generally retain this for a specific purpose and limited period of time.
You have Consented to South African Clinical Research Association (SACRA) retaining your Personal Information for a longer retention period, in which case, South African Clinical Research Association (SACRA) will retain Personal Information in accordance with your Consent.
20.0 How to contact us
If you have any questions about how your Personal Information is processed by SACRA, you have a privacy concern or you wish to make a request or a complaint relating to your Personal Information, please contact us by using the following email address email@example.com and/or the contact details and process as set out in the SACRA PAIA Manual, which is available on the website of SACRA at www.sacraza.com