Last updated: June 02, 2021



The Protection of Personal Information Act (POPI) is intended to balance 2 competing interests.  These are:

·        Our individual constitutional rights to privacy (which requires our personal information to be protected); and

·        The needs of our society to have access to and to process (work with) our personal information for legitimate purposes, including the purpose of doing business.

This Compliance Manual sets out the framework for DERRYN BRIGG CONSULTING’s compliance with POPI, informs the reader of what information is collected and the purpose for which it is collected, and provides the privacy commitments for storing and processing any personal information gathered.

Where reference is made to the “processing” of personal information, this will include any activity in which the information is worked with, from the time that the information is collected, up to the time that the information is destroyed, regardless of whether the information is worked with manually, or by automated systems.

DERRYN BRIGG CONSULTING is committed to the protection and security of data and personal information (PI) it gathers from any potential and confirmed clients, suppliers, vendors, contractors, students, employees or potential employees and persons (referred to as individuals/organisations herein), entering our online platforms. DERRYN BRIGG CONSULTING endeavors to have practices and structures embedded in our operations and technologies to ensure the protection of any personal information provided to us, through any channel be it online or directly to us.


In accordance with the Protection of Personal Information Act (POPI) 4 of 2013 (POPI Act), DERRYN BRIGG CONSULTING is committed to protecting all the PI we process from loss, misuse and unauthorised access, disclosure, alteration and destruction. We follow practices to ensure safeguards are in place for all information we collect, including electronic and physical personal information records. We instil these practices through:

·        Fostering a culture of accountability to ensure all privacy controls are implemented and due process followed.

·        Always specifying the purpose for collecting PI, and only collecting that which is necessary to fulfil that purpose. We adhere to a data retention and destruction record schedule to ensure that we do not retain information any longer than we need to.

·        We limit the processing of PI to only the reasons which were specified at collection and will only allow further processing if it is compatible with the original purpose, or permission is collected beforehand and a record of consent is kept.

·        We ensure the quality of PI by providing individuals and organisations with a means of updating PI whenever required, and records are kept up to date.

·        We comply with the sections of the Promotion of Access to Information Act 2 of 2000 (PAIA) that provide for openness and transparency in maintaining a records manual and allowing for access to information; as well as ensuring individuals and organisations are made aware of the channels used to collect their information and may follow any of the prescriptions of PAIA to update, have access to correct information and lodge a complaint regarding their PI.

·        Measures are in place to minimise the threat to privacy should something happen to the PI we possess, including response plans and providing updates, to the individuals and organisations affected, on any breaches that may affect PI and how we can minimise impacts.

·        We have appropriate Security Safeguards such as infrastructure and operations security measures in order to protect the PI we possess.

·        Gathering prior authorisation from the regulator in order to process Special Personal Information, such as children and health information while ensuring that sufficient controls are in place to provide specialised care to such PI.

DERRYN BRIGG CONSULTING undertakes the following:

1.        We undertake to follow POPI at all relevant times and to process personal information lawfully and reasonably, so as not to infringe unnecessarily on the privacy of our clients.

2.            We undertake to process information only for the purpose for which it is intended, to enable us to do our work, as agreed with our clients.

3.            Whenever necessary, we shall obtain consent to process personal information.

4.            Where we do not seek consent, the processing of our client’s personal information will be following a legal obligation placed upon us, or to protect a legitimate interest that requires protection.

5.            We shall stop processing personal information if the required consent is withdrawn, or if a legitimate objection is raised.

6.            We shall collect personal information directly from the client whose information we require, unless:

6.1         the information is of public record, or

6.2         the client has consented to the collection of their personal information from another source, or

6.3         the collection of the information from another source does not prejudice the client, or

6.4         the information to be collected is necessary for the maintenance of law and order or national security, or

6.5         the information is being collected to comply with a legal obligation, including an obligation to SARS, or                          

6.6         the information collected is required for the conduct of proceedings in any court or tribunal, where these proceedings have commenced or are reasonably contemplated; or

6.7         the information is required to maintain our legitimate interests; or

6.8         where requesting consent would prejudice the purpose of the collection of the information; or

6.9         where requesting consent is not reasonably practical in the circumstances.

7.            We shall advise our clients of the purpose of the collection of the personal information.

8.            We shall retain records of the personal information we have collected for the minimum period as required by law unless the client has furnished their consent or instructed us to retain the records for a longer period.

9.            We shall destroy or delete records of the personal information (so as to de-identify the client) as soon as reasonably possible after the time period for which we were entitled to hold the records has expired.

10.         We shall restrict the processing of personal information:

10.1       where the accuracy of the information is contested, for a period sufficient to enable us to verify the accuracy of the information;

10.2       where the purpose for which the personal information was collected has been achieved and where the personal information is being retained only for the purposes of proof;

10.3       where the client requests that the personal information is not destroyed or deleted, but rather retained; or

10.4       where the client requests that the personal information be transmitted to another automated data processing system.

11.         The further processing of personal information shall only be undertaken:

11.1       if the requirements of paragraphs 3; 6.1; 6.4; 6.5 or 6.6 above have been met;

11.2       where the further processing is necessary because of a threat to public health or public safety or to the life or health of the client, or a third person;

11.3       where the information is used for historical, statistical or research purposes and the identity of the client will not be disclosed; or

11.4       where this is required by the Information Regulator appointed in terms of POPI.

12.         We undertake to ensure that the personal information which we collect and process is complete, accurate, not misleading and up to date.

13.         We undertake to retain the physical file and the electronic data related to the processing of the personal information.

14.         We undertake to take special care with our client’s bank account details, and we are not entitled to obtain or disclose or procure the disclosure of such banking details unless we have the client’s specific consent.


Where the individual/organisation is concerned, certain rights are provided regarding the PI DERRYN BRIGG CONSULTING holds; and these rights can be exercised as required, including:

1.        In cases where the client’s consent is required to process their personal information, this consent may be withdrawn. (FORM 1 – Objection)

2.            In cases where we process personal information without consent to protect a legitimate interest, to comply with the law or to pursue or protect our legitimate interests, the client has the right to object to such processing (FORM 1 – Objection), request restrictions or make corrections (FORM 2 – Correction/Deletion).

·        A client is entitled to require us to correct or delete personal information that we have, which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or which has been obtained unlawfully.

·        A client is also entitled to require us to destroy or delete records of personal information about the client that we are no longer authorised to retain.

·        Any such request must be made on the prescribed form.

·        Upon receipt of such a lawful request, we must comply as soon as reasonably practicable.

·        In the event that a dispute arises regarding the client’s rights to have information corrected, and in the event that the client so requires, we must attach to the information, in a way that it will always be read with the information, an indication that the correction of the information has been requested but has not been made.         

·       We must notify the client who has made a request for their personal information to be corrected or deleted what action we have taken as a result of such a request.      


3.            All clients are entitled to lodge a complaint regarding our application of POPI with the Information Regulator.

4.            FORM 3 shall be completed by each client when we accept a mandate of any sort, to obtain the client’s consent to process their personal information while we do our work for them, unless this consent has been obtained within another document signed by the client.

5.            All clients may request access to their information following the DERRYN BRIGG CONSULTING PAIA manual processes (available on our website).

·        On production of proof of identity, any person is entitled to request that we confirm, free of charge, whether or not we hold any personal information about that person in our records.

·        If we hold such personal information, on request, and upon payment of a fee we shall provide the person with the record, or a description of the personal information, including information about the identity of all third parties or categories of third parties who have or have had access to the information.  We shall do this within a reasonable period of time, in a reasonable manner and in an understandable form.

·        A client requesting such personal information must be advised of their right to request to have any errors in the personal information corrected, which request shall be made on the prescribed application form. 

·        In certain circumstances, we will be obliged to refuse to disclose the record containing the personal information to the client.  In other circumstances, we will have discretion as to whether or not to do so.

·        In all cases where the disclosure of a record will entail the disclosure of information that is additional to the personal information of the person requesting the record, the written consent of the Information Officer (or his delegate) will be required, and that person shall make their decision having regard to the provisions of Chapter 4 of Part 3 of the Promotion of Access to Information Act.

·        If a request for personal information is made and part of the requested information may, or must be refused, every other part must still be disclosed.



DERRYN BRIGG CONSULTING will primarily collect information directly from the individual/organisation through an authorised representative, using specific channels or as directed by an individual/organisation, or additionally through online channels and portals, and from external 3rd parties where consent has been collected to do so.

This can be done by filling out forms or by corresponding via post, email, phone or on our website, contractually working with us and a 3rd party on projects and sharing information, amongst others.

We collect information from 3rd parties regarding individuals/organisations only with permission (for example, credit bureaus), as well as any products or services of DERRYN BRIGG CONSULTING that are used.


Where appropriate, before disclosing PI to a 3rd party, we contractually require the 3rd party to have adequate precautions and security controls in place to protect PI and data with the same level of protection as prescribed by the law.


Individuals/organisations have the right to choose whether to receive marketing material or not. When accepting to use our products and/or services or joining the organisation, marketing consent will be collected for related services, products, and offerings. If consent to opt-in/opt-out requires change, the individual/organisation will always be able to contact us to have this amended. (FORM 4 – Consent to Direct Marketing).

We do comply with the direct marketing provisions of the Consumer Protection Act No 68 of 200 (CPA) and the regulations.

DERRYN BRIGG CONSULTING may only carry out direct marketing (using any form of electronic communication) to individuals/organisations if:

1.1         they were given an opportunity to object to receiving direct marketing material by electronic communication at the time that their personal information was collected; and

1.2         they did not object then or at any time after receiving any such direct marketing communications from us.

2.            We may only approach clients using their personal information, if we have obtained their personal information in the context of providing services associated with our business to them, and we may then only market related services to them.

3.            We may only carry out direct marketing (using any form of electronic communication) to other people if we have received their consent to do so.

4.            We may approach a person to ask for their consent to receive direct marketing material only once, and we may not do so if they have previously refused their consent.

5.            A request for consent to receive direct marketing must be made in the prescribed manner and form.  (FORM 4 – Consent to Direct marketing).

6.            All direct marketing communications must disclose our identity and contain an address or other contact details to which the client may send a request that the communications cease.


1.        In order to secure the integrity and confidentiality of the personal information in our possession, and to protect it against loss or damage or unauthorized access, DERRYN BRIGG CONSULTING will continue to implement the following security safeguards:

1.1             Our business premises where records are kept must remain protected by access control, burglar alarms and armed response.

1.2             Archived files must be stored behind locked doors and access control to these storage facilities must be implemented.

1.3             All the user terminals on the internal computer network must be protected by passwords which must be changed on a regular basis.

1.4             Our email infrastructure must comply with industry standard security safeguards, and meet the General Data Protection Regulation (GDPR), which is standard in the European Union.

1.5             Vulnerability assessments must be carried out on our digital infrastructure at least on an annual basis to identify weaknesses in our systems and to ensure we have adequate security in place.

1.6             DERRYN BRIGG CONSULTING does not currently employ any staff; however, any potential future staff will be trained to carry out their duties in compliance with POPI, and this training will be ongoing. It will be a term of the contract with every staff member that they must maintain full confidentiality in respect of all of our clients’ affairs, including our clients’ personal information. Employment contracts for staff whose duty it is to process a client’s personal information must include an obligation on the staff member (1) to maintain the Company’s security measures, and (2) to notify their manager/supervisor immediately if there are reasonable grounds to believe that the personal information of a client has been accessed or acquired by any unauthorised person. (See FORM 5 for an example of the relevant addendum/clause to be used in these contracts.)

1.7             The processing of the personal information of any potential future staff members will take place in accordance with the rules contained in the relevant labour legislation. The digital work profiles and privileges of staff who have left employ will be properly terminated.

1.8             The personal information of clients and staff will be destroyed timeously in a manner that de-identifies the person.

2.            These security safeguards will be verified on a regular basis to ensure effective implementation, and these safeguards will be continually updated in response to new risks or deficiencies.


1.        Should it appear that the personal information of a client has been accessed or acquired by an unauthorized person, DERRYN BRIGG CONSULTING will notify the Information Regulator and the relevant client/s, unless we are no longer able to identify the client/s.  This notification must take place as soon as reasonably possible.

2.            Such notification must be given to the Information Regulator first as it is possible that they, or another public body, might require the notification to the client/s be delayed.

3.            The notification to the client will be communicated in writing in one of the following ways, with a view to ensuring that the notification reaches the client:

               3.1               by mail to the client’s last known physical or postal address;

               3.2               by email to the client’s last known email address;

               3.3               by publication on our website or in the news media; or

               3.4               as directed by the Information Regulator.

4.            This notification to the client will give sufficient information to enable the client to protect themselves against the potential consequences of the security breach, and must include:

               4.1               a description of the possible consequences of the breach;

4.2               details of the measures that we intend to take or have taken to address the breach;

4.3               the recommendation of what the client could do to mitigate the adverse effects of the breach; and

4.4               if known, the identity of the person who may have accessed, or acquired the personal information.  


1.        Special rules apply to the collection and use of information relating to a person’s religious or philosophical beliefs, their race or ethnic origin, their trade union membership, their political persuasion, their health or sex life, their biometric information, or their criminal behaviour.

2.            DERRYN BRIGG CONSULTING does not collect, store or process any of this Special Personal Information without the client’s consent, or where this is necessary for the establishment, exercise or defense of a right or an obligation in law.

3.            Having regard to the nature of our work, it is unlikely that we will ever have to process special personal information, but should it be necessary the guidance of the Information Officer will be sought.


1.      We may only process the personal information of a child if we have the consent of the child’s parent or legal guardian.

2.      Having regard to the nature of our work, it is unlikely that we will ever have to process special personal information, but should it be necessary the guidance of the Information Officer will be sought.


1.        Our Information Officer is DERRYN BRIGG who is the OWNER of DERRYN BRIGG CONSULTING. Such authorisation shall be made on the prescribed form (Form 6 – Authorisation of Information Officer).  Our Information Officer’s responsibilities include:

1.1               Ensuring compliance with POPI.

1.2               Dealing with requests which we receive in terms of POPI.

1.3               Working with the Information Regulator in relation to investigations.

2.            DERRYN BRIGG CONSULTING does not have any Deputy Information Officers.

3.            Our Information Officer, DERRYN BRIGG, was registered with the Information Regulator prior to taking up their duties (Form 7 – Information Officer Registration). Should a Deputy Information Officer be required in the future, the prescribed form will be completed (FORM 8 – Designation and delegation to Deputy Information Officer).

4.            In carrying out their duties, our Information Officer will ensure that:

4.1               this Compliance Manual is implemented;

4.2               a Personal Information Impact Assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;

4.3               that this Compliance Manual is developed, monitored, maintained and made available;

4.4               that internal measures are developed together with adequate systems to process requests for information or access to information;

4.5               that internal awareness sessions are conducted regarding the provisions of POPI, the Regulations, codes of conduct or information obtained from the Information Regulator; and

4.6               that copies of this manual are provided to persons at their request, hard copies to be provided upon payment of a fee (to be determined by the Information Regulator).

5.            Guidance notes on Information Officers have been published by the Information Regulator (on 1 April 2021) and our Information Officer must familiarize themselves with the content of these notes.


1.        In the following circumstances, DERRYN BRIGG CONSULTING will require prior authorisation from the Information Regulator before processing any personal information:

1.1         In the event that we intend to utilise any unique identifiers of clients (account numbers, file numbers or other numbers or codes allocated to clients for the purposes of identifying them in our business) for any purpose other than the original intention, or to link the information with information held by others;

1.2         if we are processing information on criminal behaviour or unlawful or objectionable conduct;

1.3         if we are processing information for the purposes of credit reporting (this will be important if we are making reports to assist with tenant profiling, for example, to TPN or ITC).

1.4         if we are transferring special personal information or the personal information of children to a third party in a foreign country, that does not provide adequate protection of that personal information.

2.            The Information Regulator must be notified of our intention to process any personal information as set out in paragraph 1.1 above prior to any processing taking place and we may not commence with such processing until the Information Regulator has decided in our favour.  The Information Regulator has 4 weeks to make a decision but may decide that a more detailed investigation is required.  In this event the decision must be made in a period as indicated by the Information Regulator, which must not exceed 13 weeks. If the Information Regulator does not make a decision within the stipulated time periods, we can assume that the decision is in our favour and commence processing the information.


1.        We may not transfer a client’s personal information to a third party in a foreign country, unless:

               1.1         the client consents to this, or requests it; or

1.2         such third party is subject to a law, binding corporate rules or a binding agreement which protects the personal information in a manner similar to POPI, and such third party is governed by similar rules which prohibit the onward transfer of the personal information to a third party in another country; or

1.3         the transfer of the personal information is required for the performance of the contract between ourselves and the client; or

1.4         the transfer is necessary for the conclusion or performance of a contract for the benefit of the client entered into between ourselves and the third party; or

1.5         the transfer of the personal information is for the benefit of the client and it is not reasonably possible to obtain their consent and that if it were possible the client would be likely to give such consent.


1.        POPI provides for serious penalties for the contravention of its terms.  For minor offences a guilty party can receive a fine or be imprisoned for up to 12 months.  For serious offences the period of imprisonment rises to a maximum of 10 years.  Administrative fines for the company can reach a maximum of R10 million. 

2.            Breaches of this Compliance Manual will also be viewed as a serious disciplinary offence.

3.            It is therefore imperative that we comply strictly with the terms of this Compliance Manual and protect our client’s personal information in the same way as if it was our own.


·        Initial letter to client

·        Form 1 – Objection to the Processing of Personal Information

·        Form 2 – Request for correction or deletion of personal information

·        Form 3 – Consent to process Personal Information

·        Form 4 – Application for consent to direct marketing

·        Form 5 – Addendum to the DERRYN BRIGG CONSULTING letter of appointment (if applicable).

·        Form 6 – Authorisation of Information Officer

·        Form 7 – Information Officer’s registration form


·        Form 8 – Designation and delegation to Deputy Information Officer (if applicable).


1.    Introduction to PAIA and Derryn Brigg Consulting

The Promotion of Access to Information Act, 2000 is a freedom of information law in South Africa. It gives effect to the constitutional right of access to any information held by the state and any information held by private bodies that is required for the exercise and protection of any rights.

In order to promote effective governance of private bodies, it is necessary to ensure that everyone is empowered and educated to understand their rights.

Section 9 of the PAIA Act recognises that such a right may have restrictions to the types of access that they may request. These include but are not limited to:

1.      Limitations aimed at reasonable protection of Privacy, commercial confidentiality, and good governance.

2.      In a manner that balances the right to any other rights, including rights contained within the constitution.

2.    Derryn Brigg Consulting (DBC)

Derryn Brigg t/a Derryn Brigg Consulting is a Sole Proprietor offering independent business consulting services including but not limited to business planning, strategy, mentorship and general business advice.

3.    Company Contact Details

This section highlights the points of contact should a request be made in accordance with PAIA. Person designated/duly authorised:

Requestor to contact the Information Officer in the event of requesting such information in accordance with PAIA.

Information Officer details for request:

Derryn Brigg


4.    The Act

This section describes the rights of the requestor under the Promotion of Access to Information Act (PAIA) and the procedures to adhere to:

The Act grants a requestor access to records of a private body, if the record is required for the exercise or protection of any rights. If a public body lodges a request, the public body must be acting in the public interest. Requests in terms of the Act shall be made in accordance with the prescribed procedures, at the rates provided. The Forms and Tariff are dealt with in paragraphs 6 and 7 of the Act.

Requestors are referred to the Guide in terms of Section 10 which has been compiled by the South African Human Rights Commission (SAHRC), which will contain information for the purposes of exercising Constitutional Rights. The Guide is available from the SAHRC.

The contact details of the Commission are:

Postal Address: Private Bag 2700, Houghton, 2041

Telephone Number: +27-11-877 3800

Fax Number: +27-11-403 0625


5.    Applicable Legislation

This section highlights applicable legislation that to:

  • Basic Conditions of Employment Act No 75 of 1997
  • Companies Act No 61 of 1973
  • Employment Equity Act No 55 of 1998
  • Labour Relations Act No 66 of 1995
  • Regional Services Council Act No 109 of 1985
  • Skills Development Levies Act No 9 of 1999
  • Skills development Act No 67 of 1998
  • Unemployment Contributions Act No 4 of 2002
  • Unemployment Insurance Act No 63 of 2001
  • Value Added Tax Act No 89 of 1991
  • Intellectual Property Laws Amendment Act 2013
  • Occupational Health and Safety Act No 85 of 1993

6.    Derryn Brigg Consulting Documents

This section highlights the various records that are kept with the business, their respective retention periods and accessibility to the records.





| Record | Retention period | Accessibility |
|---|---|---|
| General Business records | | |
| Registration and Incorporation Documents | | Not accessible |
| Patents, trademarks, copyright registrations | | Not accessible |
| Property records | | Accessible via PAIA with justifiable reason |
| Company documents | | Accessible via PAIA with justifiable reason |
| Tax documents | | Accessible via PAIA with justifiable reason |
| Staff Documents | | |
| Staff Files – Employment contracts, employee personal details, banking details, income tax numbers etc. | For length of employment and 5 years post termination/retirement/death | Accessible via PAIA with justifiable reason |
| Financial Business Records | | |
| Financial Statements | 5 years | Accessible via PAIA with justifiable reason |
| Tax Returns and Filings | 5 years | Accessible via PAIA with justifiable reason |
| Audit Reports | 5 years | Accessible via PAIA with justifiable reason |
| Cash Books | 5 years | Accessible via PAIA with justifiable reason |
| Charts of Accounts | 5 years | Accessible via PAIA with justifiable reason |
| | 5 years | Accessible via PAIA with justifiable reason |
| Bank reconciliations | 5 years | Accessible via PAIA with justifiable reason |
| Client account details – invoices, credit notes | 5 years | Accessible via PAIA with justifiable reason |
| Bank records & statements | 5 years | Accessible via PAIA with justifiable reason |
| Insurance records | | |
| Company insurance details | Permanently or for length of cover | Accessible via PAIA with justifiable reason |
| Policy Documents | | Accessible via PAIA with justifiable reason |
| General Company Information | | In the public domain |

7.    Grounds for Refusal to access records

Derryn Brigg Consulting may refuse a request for information; the grounds for refusal are noted below:

1.      Mandatory protection of privacy of a third party that is a natural person

2.      Mandatory protection of privacy of Commercial information of a third party (e.g. trade secrets, financials, bound by confidentiality agreements)

3.      Mandatory protection of individuals and protection of property

4.      Commercial information of the private body

5.      A request for information that is clearly frivolous or vexatious, or which involves an unreasonable diversion of resources, shall be refused.

8.    Requestors

There are two types of requestors:

  1. Personal Requestors: a personal requestor is one who is seeking access to a record containing personal information about the requestor. Derryn Brigg Consulting shall assist with such a request subject to the form of request.
  2. Other Requestor: this requestor is entitled to request access to information on third parties. Derryn Brigg Consulting is not obliged to grant such access unless lawfully bound to do so, but will review each request on a case-by-case basis.

9.    Form of Request {Section 51(1)(e)}

This section aims to highlight the process in which the requestor may go about requesting information from Derryn Brigg Consulting:

  • To facilitate the processing of your request, kindly use the prescribed form in Annexure A of this manual.
  • Address your request to the Information Officer as indicated in Section 2 of this document.

Provide sufficient details to enable Derryn Brigg Consulting to identify:

  • The records requested;
  • The requestor (or if an agent is lodging, proof of capacity);
  • The form of access required;
  • The postal address of the requestor in the Republic;
  • If the requestor wishes to be informed of the decision in any manner (in addition to written) and the particulars thereof;
  • The right which the requestor is seeking to exercise or protect, with an explanation of the reason the record is required to exercise or protect the right.

10.         Prescribed fees {Section 51(1)(f)}

Derryn Brigg Consulting reserves the right according to Section 51 (1)(f) of the Act to charge a nominal fee. Please refer to Annexure B.

The following applies to requests (other than personal requests):

  • A requestor is required to pay the prescribed fees before a request will be processed.
  • If the preparation of the record requested requires more than the prescribed hours (six), a deposit shall be paid (not more than one third of the access fee which would be payable if the request were granted).
  • A requestor may lodge an application with a court against the tender/payment of the request fee and/or deposit. Records may be withheld until the fees have been paid.

11.         Privacy

In accordance with the Protection of Personal Information Act of 2013, Derryn Brigg Consulting applies reasonable measures in accordance with the law in protecting Personal Information. In this process, we subscribe to our privacy standards as described in our POPI Policy, and whilst we follow the rule of law as prescribed by the Promotion of Access to Information Act, we will ensure that all records are secured during the process.

Contact Us

If you have any questions about our policies, you can contact us:

By email: