Privacy Policy

1. Purpose

The purpose of this policy is to establish principles and controls for the effective and secure management of information within Edunation Holdings (Pty) Ltd, in support of teaching, learning, governance, and operational functions. It ensures legal compliance, data integrity, knowledge accessibility, and protection of personal and confidential information.

2. Scope

This policy applies to:

  • All information (physical and digital) generated, stored, processed, or shared across Edunation;
  • All employees, contractors, learners, parents, and third parties handling Edunation information;
  • All IT infrastructure, systems, learning platforms (e.g. Moodle LMS), and information systems (e.g. SIS, payroll, procurement, academic records);
  • All Edunation-owned or managed institutions, including schools and colleges.

3. Definitions

  • Information Asset: Any item of data or information that has value to the organisation.
  • POPIA: Protection of Personal Information Act (South Africa).
  • PAIA: Promotion of Access to Information Act.
  • Data Subject: The person to whom personal information relates.
  • Information Security: Preservation of confidentiality, integrity, and availability of information.

4. Policy Statement

Edunation is committed to safeguarding its information assets, ensuring legal compliance, enabling evidence-based decision-making, and supporting the delivery of high-quality education. The organisation promotes a data-driven culture where access, protection, and lifecycle management of information are essential to its QMS and SALE model outcomes.

5. Information Management Principles

  • Confidentiality: Information must be protected from unauthorised access.
  • Integrity: Information must be accurate, complete, and reliable.
  • Availability: Information must be accessible to authorised users when needed.
  • Compliance: All information handling must align with POPIA, PAIA, and educational regulations (e.g. Umalusi, DBE, QCTO, DHET).
  • Accountability: All users must be trained and held responsible for the information they handle.

6. Information Lifecycle Management

6.1 Creation and Collection

  • Only relevant and lawful information will be collected.
  • Learner, employee, and stakeholder data must be captured accurately.
  • Data must be classified upon creation as public, internal, confidential, or restricted.

6.2 Storage

  • All personal and confidential information must be stored securely on approved platforms (e.g. XERO, ZOHO, LMS, cloud-based systems).
  • Paper-based information must be stored in locked filing systems with restricted access.

6.3 Use and Access

  • Access is role-based and must follow the Delegation of Authority Policy (EA02).
  • All users must complete induction training on data privacy and system use.

6.4 Sharing and Disclosure

  • Information may only be shared internally or externally in compliance with POPIA and PAIA.
  • Data sharing agreements must be in place for all third-party processors.

6.5 Retention and Archiving

  • Retention periods shall comply with legal, academic, and financial requirements.
  • Archiving of learner records, contracts, and financial data must follow Edunation’s document management standards.

6.6 Disposal

  • Physical and digital information must be disposed of securely when no longer required (e.g. shredding, secure digital deletion).

7. Information Security Measures

  • Implementation of access controls, firewalls, encryption, and regular password changes.
  • Regular penetration tests, backups, and system integrity checks.
  • Anti-virus and endpoint protection software on all devices.
  • Incident reporting procedures for data breaches and cyber incidents (refer to IT Incident Management Procedure).

8. Legal and Regulatory Compliance

Edunation ensures compliance with the following:

  • POPIA for personal information processing.
  • PAIA for public access and transparency.
  • Umalusi and QCTO for academic records retention and data integrity.
  • COIDA, BCEA, LRA for employment-related records.
  • ISO/IEC 27001 (referenced for international alignment).

A PAIA Manual shall be maintained and made accessible to the public as required.

9. Roles and Responsibilities

Role | Responsibilities
Board of Directors | Approves strategy and ensures risk mitigation.
CEO | Final accountability for information governance.
COO | Operational oversight and implementation.
CIO/IT Manager | Manages IT systems, security, and compliance with POPIA.
Data Protection Officer | Monitors POPIA compliance, breach response, and training.
Principals/Heads | Ensure local implementation and secure handling of learner/staff records.
All Employees | Adhere to this policy and complete mandatory training.

10. Data Subject Rights and Requests

  • Individuals may request access to their personal information as per PAIA.
  • Requests must be submitted via the standard Access Request Form.
  • Edunation must respond within 30 days.

11. Training and Awareness

  • All employees and third parties must complete induction and refresher training.
  • Specific training on data privacy and cyber hygiene must be conducted annually.
  • Training records are managed by the HR Department (EB02 Policy).

12. Monitoring, Auditing, and Reporting

  • Quarterly audits of information systems and records management.
  • Monitoring of user access logs and breach incidents.
  • Annual reporting to the Board on information governance compliance.

13. Policy Breach and Disciplinary Action

Non-compliance with this policy may result in:

  • Disciplinary action per EB01 Disciplinary Procedures.
  • Civil or criminal penalties where laws are violated.
  • Termination of third-party contracts for breaches.

14. Policy Review and Amendment

This policy shall be reviewed every two years by the COO in consultation with the IT and Compliance Officers. Any revisions require CEO approval.