Data Protection Policy

Last updated: January 2021

1. Introduction

V4 Creative provides branding and website design services. We provide IT services to our clients which include hosting clients’ networks, systems & data and client IT backups.

The purpose of the policy is to:

  • To establish a company-wide approach to information security
  • To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of data and computer systems
  • To define mechanisms that protect the reputation of V4 Creative and allows the company to satisfy its legal and ethical responsibilities with regards to its clients and connectivity to worldwide networks

2. Definition of Personal Information as described in the Protection of Personal Information Act:

‘‘personal information’’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignments
  • to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to
  • the person or if the disclosure of the name itself would reveal information about the person;

Every employee who has access to personal, confidential, and sensitive information of V4 Creative, Clients, or third parties has a duty to protect that information from unauthorized access. V4 Creative are obligated to ensure that employees are aware of this policy and advised on how to perform their work within the boundaries of this policy. All V4 Creative employees will be informed of this policy during induction and also scheduled information sessions.

  • Confidential information is data whose loss, corruption or unauthorized disclosure would violate contracts, impair the business functions of the company, or result in any business, financial, or legal loss. Examples: Any data explicitly identified as protected under law, data protected by contract or copyrighted information, medical information, personnel information, and account or financial information of the company & its clients.
  • Personal information, a subset of confidential information, as defined by POPI Act
  • Sensitive information is data whose unauthorized disclosure is not a violation of the law, does not impair business or result in a financial loss but may be damaging to our employees, clients or the company’s reputation. Thus, it requires a higher degree of security than other information. Examples of sensitive information:
    • A list of employee names and salaries
    • Detailed client project data

Therefore, V4 Creative expects employees to comply with the following data security standards:

  • Where possible, utilise two-factor authentication on admin panel access, Google Drive and Zoho Books (accounting software).
  • Apply user access control principles with segregation of duties, thereby limiting data and information access to only authorised and relevant individuals.
  • Strictly limit the amount of confidential data, including personal information, stored on desktop/laptop computers and network drives to that which is necessary to accomplish the legitimate purpose for which it was collected or extracted from institutional databases.
  • Remove confidential data from the desktop/laptop computers and network drives upon completion of the work.
  • When gathering data from clients, explicitly inform the clients as to the purpose of the information, and only process the necessary information.
  • Concerning external projects (projects not hosted on V4 Creative’s server), erase all the access credentials in V4 Creative’s possession within two hours of the customer signing off on the project.
  • Always password-protect your computer on start-up and when waking from sleep or screen-saver mode; always activate sleep or the screen saver, or log out when leaving your computer unattended.
  • Each employee is to use a securely generated unique password for each different access portal. The use of a password manager may be employed to create and store these passwords and enable employees to utilise more complex passwords.
  • Never share confidential data, including personal information, with another employee, unless authorised by management.
  • Never store confidential data, including personal information, on portable storage devices such as portable hard drives, USB flash drives, CDs, DVDs, mobile phones, and personal digital assistants.
  • Never store confidential data, including personal information, on a laptop unless there is a legitimate business purpose.
  • Avoid sending confidential data and never send personal information in an electronic mail message; Password-protect or encrypt email attachments that contain confidential or sensitive data.
  • Never transmit confidential data, including personal information, to third-party service providers, unless all of the following conditions are met:
    • There is a legitimate business purpose;
    • The data is encrypted during transmission (such as using a secure website or secure file transfer protocol);
    • The recipient encrypts or stores the data on a secured host or in a secured location.
  • All systems must be protected with an approved, licensed anti-virus software product that it is kept updated according to the recommendations.
  • Terminated employee accounts must be disabled upon termination.
    • All computer hardware that is written off or handed in by terminated employees should be cleared of all confidential data or personal information.

3. Acceptable use and General Guidelines for the use of Electronic Communications

The following actions will be considered acceptable use of e-mail and Internet facilities by Users:

  • Users shall use e-mail and Internet access primarily for business purposes related to the business. Private and personal use, in moderation, will be tolerated;
  • Equipment, systems, services and software are to be used primarily for business purposes related to the business. Common sense and good judgement should guide personal and private usage;
  • When forwarding or replying to e-mail messages, the contents of the original message should not be altered. If the contents need to be changed, then all changes must be marked as such;
  • The institution has the right to limit the size of incoming and outgoing e-mail messages and attachments, downloads and other files and may block and delete e-mail messages, downloads, attachments or other files that are larger than the set maximum size. It is the responsibility of Users to limit the size of attachments and other files to prevent overloading of the electronic mail system resources;
  • E-mail messages should be kept brief and formulated appropriately;
  • Users must check e-mail recipients before sending, forwarding or replying to messages. When distribution lists are used the sender should consider whether or not each group member really needs, or really should, receive the e-mail;
  • The subject field of an e-mail message should relate directly to the contents or purpose of the message;
  • Users must log-off or use screen-savers with passwords in times of absence from a computer terminal to avoid improper and/or illegal use;