Page 41 - SAMRC Strategic Plan
PART B: SAMRC STRATEGIC FOCUS
10.4.2.10. Data Processing
In terms of its business operations, the SAMRC needs to collect and use certain information about individuals or juristic persons, including Board members, employees, research participants, members of the public, politicians, suppliers, clients and many other stakeholders that the organisation has a relationship with and those that it may require to contact. As it conducts its business, the SAMRC has an obligation to comply with POPIA in terms of how personal information of data subjects is collected, handled and stored. To comply with the law, all the SAMRC (the organisation) employees (the employees) and persons acting on behalf of the SAMRC (the operators) will always be subject to, and act in accordance with, the following summarised guiding principles:

| PRINCIPLE | DESCRIPTION |
| --- | --- |
| Accountability | Compliance with POPIA to avoid potential harm to the organisation’s reputation or making the organisation vulnerable to lawsuits seeking compensation. Hence, safeguarding personal information is the duty of everyone. |
| Processing limitation | The employees and operators shall ensure that personal information under their control is processed in a fair, lawful, and non-excessive manner, and only with the informed consent of the data subject, and only for a specifically defined purpose. |
| Further processing limitation | Personal information shall not be processed for a secondary purpose unless that processing is compatible with the original purpose or additional consent is obtained from the data subject. |
| Information quality | The employees shall take reasonable steps to ensure that all personal information collected is complete, accurate and not misleading. |
| Open communication | The employees shall take reasonable steps to ensure that data subjects are notified/aware that their personal information is being collected, including the purpose for which it is being collected and processed. |
| Security safeguards | The employees and operators shall manage the security of their filing/storage systems to ensure that personal information is adequately protected. To this end, security controls will be implemented to minimise the risk of loss, unauthorised access, disclosure, interference, modification, or destruction. |
| Data subject participation | A data subject may request the correction or deletion of his/her or its personal information held by the organisation (amongst other data rights). |

10.4.2.11. Communication
Communication is integral to the effective functioning of the SAMRC. The SAMRC values open and transparent communication with all key stakeholders, including the public, media, government, universities, funders and other stakeholders.

10.4.2.12. Risk Management
The Public Finance Management Act (PFMA), Act 1 of 1999 (as amended by Act 29 of 1999), Section 51(1)(a)(i) states “an accounting authority for a public entity must ensure that that public entity has and maintains effective, efficient and transparent systems of financial and risk management and internal control”.

The authority and purpose for risk management is established in the PFMA and Treasury Regulations (TR), Section 27.2.1 states, inter alia: “the accounting authority must ensure that a risk assessment is conducted regularly to identify emerging risks of the public entity. A risk management strategy, which must include a fraud prevention plan, must be used to direct internal audit effort and priority and to determine the skills required of managers and staff to improve controls and to manage these risks.”

40 SAMRC STRATEGIC PLAN 2025/26 – 2029/30