Summary
This guide covers POPIA (Protection of Personal Information Act) compliance for Skills Development Providers using skillSYMS. Learn how to handle learner data responsibly, respond to data subject requests, and maintain compliance.
Who This Guide Is For
- Training provider administrators
- Information officers
- HR and compliance managers
- Anyone handling learner personal information
Understanding POPIA
What is POPIA?
The Protection of Personal Information Act (Act 4 of 2013) is South Africa’s data protection law. It regulates how organizations collect, store, process, and share personal information.
Key Principles
- Accountability: Organizations must ensure compliance
- Processing Limitation: Only collect what you need
- Purpose Specification: Use data only for stated purposes
- Further Processing Limitation: Secondary use must be compatible with the purpose the data was collected for
- Information Quality: Keep data accurate and current
- Openness: Be transparent about data practices
- Security Safeguards: Protect data appropriately
- Data Subject Participation: Allow access and correction
Your POPIA Responsibilities
As a Training Provider
You are typically the Responsible Party for learner data you collect. This means:
- You determine why and how data is processed
- You must have valid grounds for processing
- You’re responsible for data subject requests
- You must report breaches
skillSYMS as Operator
skillSYMS acts as an Operator (processor), processing data on your behalf:
- We process data per your instructions
- We implement security measures
- We help you respond to requests
- We notify you of incidents
Collecting Learner Information
Lawful Collection
Before collecting data, ensure you have grounds:
| Ground | Example |
|---|---|
| Consent | Marketing communications |
| Contract | Delivering the services in the learner agreement |
| Legal Obligation | QCTO reporting requirements |
| Legitimate Interest | Programme improvement |
What to Collect
Only collect what’s necessary:
Required for QCTO:
- Full name
- SA ID number
- Date of birth
- Contact details
- Education history
Optional:
- Disability status (for accommodation)
- Employment details
- Emergency contacts
Do Not Collect (unless justified):
- Religious beliefs
- Political affiliation
- Health information beyond disability needs
- Biometric data beyond ID photos
Privacy Notice
Provide learners with a privacy notice explaining:
- What you collect
- Why you collect it
- How you’ll use it
- Who you’ll share it with
- Their rights
In skillSYMS: Add your privacy notice to the learner registration form.
Storing and Securing Data
Access Control
Configure appropriate access in skillSYMS:
| Role | Access Level |
|---|---|
| Admin | Full access |
| Facilitator | Assigned learners only |
| Assessor | Assessment data only |
| Learner | Own data only |
Data Security
skillSYMS implements:
- Encryption in transit (TLS 1.3)
- Encryption at rest (AES-256)
- ID number masking
- Access logging
- Regular backups
Your Responsibilities
Additionally, you should:
- Use strong, unique passwords (a password manager helps)
- Enable MFA for admin accounts
- Review user access regularly
- Remove access for departing staff
- Secure your devices and networks
SA ID Number Handling
Special Requirements
SA ID numbers are sensitive. In skillSYMS:
- IDs are encrypted at rest
- IDs are displayed masked, showing only the last 4 digits
- Full IDs accessible only to authorized roles
- ID access is logged
Best Practices
- Verify IDs at registration
- Don’t store ID copies unnecessarily
- Use masked IDs in reports where possible
- Never share full ID numbers over unsecured channels (plain email, chat, spreadsheets on shared drives)
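As an added example (not skillSYMS code; the role names and the rule that only Admin sees full ID numbers are assumptions drawn from the access-control table above), the following Python validates an SA ID number at registration, masks it to the last four digits, and gates disclosure of the full number by role while writing an audit record that itself never contains the full ID. The 13-digit layout it checks (YYMMDD date of birth, gender sequence, citizenship digit, Luhn check digit) is the published structure of the SA ID number.

```python
# Added example, not skillSYMS code. Role names and the "only admin sees the
# full ID" rule are assumptions; the 13-digit SA ID layout is public:
#   YYMMDD  date of birth
#   SSSS    gender sequence: 0000-4999 female, 5000-9999 male
#   C       citizenship: 0 = SA citizen, 1 = permanent resident
#   A       historically a race indicator, normally 8 today; ignored here
#   Z       Luhn check digit over the number as a whole
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import List, Optional
import re

FULL_ID_ROLES = frozenset({"admin"})   # assumption: mirrors the access-control table


def luhn_valid(digits: str) -> bool:
    """Luhn check over the whole number, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right, skipping the check digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SaId:
    number: str
    date_of_birth: date
    gender: str
    citizen: bool


def parse_sa_id(raw: str, today: Optional[date] = None) -> Optional[SaId]:
    """Validate an SA ID number typed at registration; None means reject it."""
    digits = re.sub(r"[\s-]", "", raw)      # tolerate spaces and hyphens
    if not re.fullmatch(r"\d{13}", digits) or not luhn_valid(digits):
        return None
    today = today or date.today()
    yy, mm, dd = int(digits[:2]), int(digits[2:4]), int(digits[4:6])
    century = 2000 if yy <= today.year % 100 else 1900   # 2-digit year: assume under 100 years old
    try:
        dob = date(century + yy, mm, dd)
    except ValueError:                      # e.g. month 13 or 31 February
        return None
    if dob > today:
        return None
    gender = "male" if int(digits[6:10]) >= 5000 else "female"
    return SaId(digits, dob, gender, citizen=(digits[10] == "0"))


def mask_id(id_number: str) -> str:
    """Masked form for screens and reports: only the last 4 digits survive."""
    return "*" * (len(id_number) - 4) + id_number[-4:]


def disclose_id(rec: SaId, role: str, actor: str, audit_log: List[dict],
                now: Optional[datetime] = None) -> str:
    """Return the full ID only to authorised roles; always log the access.
    The audit entry records the last 4 digits, never the full number, so the
    log does not become a second copy of the sensitive field."""
    full = role in FULL_ID_ROLES
    audit_log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "actor": actor,
        "role": role,
        "full_id_shown": full,
        "id_last4": rec.number[-4:],
    })
    return rec.number if full else mask_id(rec.number)
```

The Luhn check catches typos and transpositions but says nothing about whether the number belongs to the person in front of you; that still needs the ID document itself. The audit entry deliberately stores only the last four digits so that a leaked log does not undo the masking.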
Sharing Learner Data
With QCTO and SETAs
Sharing for QCTO reporting is a legal obligation:
- Use official export formats
- Share via secure channels
- Document what was shared
- Retain submission confirmations
With Employers
For workplace learning:
- Include in learner agreement
- Share only relevant information
- Establish data sharing agreements
- Document the arrangement
With Assessors/Moderators
When assessors are external:
- Limit access to assigned learners
- Use read-only where possible
- Review access after engagement ends
Data Subject Requests
Types of Requests
Learners may request to:
- Access: See what data you hold
- Correct: Fix inaccurate information
- Delete: Remove their data
- Object: Stop certain processing
- Restrict: Limit data use
Handling Requests in skillSYMS
Access Request:
- Navigate to learner profile
- Click Generate Data Export
- Review before sending
- Provide within 30 days
Correction Request:
- Navigate to learner profile
- Click Edit
- Make corrections
- Document the change
- Notify learner
Deletion Request:
- Check retention requirements first
- If deletable, navigate to learner profile
- Click Delete Learner
- Confirm deletion
- Record the request
Important: Records that must be kept for QCTO compliance (see Data Retention below) cannot be deleted before their retention period ends. Explain this to the learner, and record the request together with your reason for declining it.
Response Timeframes
- Access requests: 30 days
- Correction requests: As soon as practicable, within 30 days at most
- Deletion requests: Reasonable time (typically 30 days)
- Objections: Consider promptly, respond within 30 days
Data Retention
Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Learner records | 7 years after completion | QCTO requirements |
| Assessment records | 7 years | Audit trail |
| Evidence files | 7 years | PoE requirements |
| Audit logs | 7 years | Compliance |
| Marketing data | Until consent withdrawn | Consent-based |
Automated Retention in skillSYMS
skillSYMS can be configured to:
- Archive completed learner records
- Flag records approaching retention limits
- Assist with secure deletion after retention period
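As an added example (not skillSYMS code; the record kinds, the 90-day warning window and the legal-hold flag are assumptions), the following Python applies the retention table above to a constructed set of records and sorts them into hold / retain / approaching / expired. It handles the two cases a naive implementation gets wrong: a 29 February anchor date, where a plain year substitution raises an error, and marketing data whose retention ends on consent withdrawal rather than on a fixed date.

```python
# Added example, not skillSYMS code. Record kinds, the 90-day warning window
# and the legal-hold flag are assumptions; the periods follow the retention table.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

RETENTION_YEARS = {            # years after the record's anchor date
    "learner_record": 7,       # anchor = completion date
    "assessment_record": 7,
    "evidence_file": 7,
    "audit_log": 7,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str
    anchor: date                              # completion or creation date
    legal_hold: bool = False                  # e.g. pending QCTO audit or dispute
    consent_withdrawn: Optional[date] = None  # marketing data only


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February anchor lands on 28 February
    when the target year is not a leap year (date.replace would raise)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expiry(rec: Record) -> Optional[date]:
    """Date from which the record may be securely deleted; None = keep."""
    if rec.kind == "marketing":
        return rec.consent_withdrawn         # consent-based: no fixed period
    return add_years(rec.anchor, RETENTION_YEARS[rec.kind])   # unknown kind fails loudly


def classify(rec: Record, today: date, warn_days: int = 90) -> str:
    """One of 'hold', 'retain', 'approaching', 'expired'."""
    if rec.legal_hold:
        return "hold"                        # never auto-delete held records
    expiry = retention_expiry(rec)
    if expiry is None:
        return "retain"
    if today >= expiry:
        return "expired"
    if today + timedelta(days=warn_days) >= expiry:
        return "approaching"
    return "retain"


def retention_report(records: Iterable[Record], today: date,
                     warn_days: int = 90) -> Dict[str, List[str]]:
    report: Dict[str, List[str]] = {k: [] for k in ("hold", "retain", "approaching", "expired")}
    for rec in records:
        report[classify(rec, today, warn_days)].append(rec.record_id)
    return report


# Constructed sample data, not real learner records.
SAMPLE_RECORDS = [
    Record("L-1001", "learner_record", date(2018, 3, 15)),
    Record("L-1002", "learner_record", date(2018, 8, 20)),
    Record("E-2001", "evidence_file", date(2016, 2, 29)),       # leap-day anchor
    Record("A-3001", "assessment_record", date(2022, 1, 10), legal_hold=True),
    Record("M-4001", "marketing", date(2024, 1, 1)),
    Record("M-4002", "marketing", date(2024, 1, 1), consent_withdrawn=date(2025, 5, 1)),
    Record("G-5001", "audit_log", date(2020, 1, 1)),
]


def sample_report() -> Dict[str, List[str]]:
    """Report for the sample set as at 1 June 2025."""
    return retention_report(SAMPLE_RECORDS, today=date(2025, 6, 1))


if __name__ == "__main__":
    for bucket, ids in sample_report().items():
        print(f"{bucket:>11}: {', '.join(ids) or '-'}")
```

"Expired" means eligible for secure deletion, not that deletion happens automatically; a human still confirms, because the legal-hold flag only covers holds you already know about.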
Breach Response
What is a Breach?
A breach occurs when personal information is:
- Accessed without authorization
- Lost or destroyed
- Disclosed inappropriately
Response Steps
- Contain: Stop ongoing breach
- Assess: Determine scope and risk
- Notify skillSYMS: If platform-related
- Notify Information Regulator: Required where there are reasonable grounds to believe personal information was accessed or acquired by an unauthorised person (POPIA section 22); there is no separate harm threshold
- Notify Affected Persons: Required in the same circumstances, unless their identity cannot be established
- Document: Record incident and response
- Review: Prevent recurrence
Notification Requirements
POPIA section 22 sets the trigger: where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, you must:
- Notify the Information Regulator as soon as reasonably possible after discovering the compromise
- Notify affected learners in writing, unless their identity cannot be established (notification may be delayed only where the Regulator or an investigating public body determines it would impede a criminal investigation)
- Provide enough detail for learners to protect themselves: what happened, what data was involved, what you have done about it, and what they should do
POPIA Checklist for SDPs
- Privacy notice provided to all learners
- Consent obtained for marketing
- Access controls configured properly
- Staff trained on data handling
- Data subject request process documented
- Retention schedule implemented
- Breach response plan in place
- Information Officer appointed
- Information Officer registered with the Information Regulator
Next Steps
- Privacy Policy — skillSYMS privacy practices
- POPIA Compliance Notice — Our POPIA compliance details
- Audit Readiness Checklist — Prepare for audits