1. DEFINITIONS
1.1. Applicable Laws means all laws, regulations with which the NSFAS is required to comply.
1.2. Chief Executive Officer means the executive officer appointed by the NSFAS board in terms of section 9 of the NSFAS Act.
1.3. Data Subject means the person to whom Personal Information relates.
1.4. NSFAS Act means the National Student Financial Aid Scheme Act 56 of 1999.
1.5. NSFAS means the National Student Financial Aid Scheme established in accordance with the NSFAS Act. NSFAS is a Public Body for purposes of PAIA and POPIA.
1.6. PAIA means the Promotion of Information Act 2 of 2000.
1.7. PAIA Regulations means the regulations published in GNR.757 of 27 August 2021 relating to the Promotion of Access to Information, 2021 (Government Gazette No. 45057).
1.8. Personal Information means information relating to an identifiable, living, natural person, and (where applicable) an identifiable, existing juristic person, including the name, race, gender, marital status, address and identifying number of a person, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.
1.9. Policy means this privacy policy published in terms of POPIA.
1.10. POPIA means the Protection of Personal Information Act 4 of 2013.
1.11. Processing or Process means any activity that involves the use of Personal Information. It includes any operation or activity or any set of operations, whether or not by automatic means, concerning Personal Information, including:
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as restriction, degradation, erasure or destruction of information.
1.12. Public Body means
(a) any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
(b) any other functionary or institution when
(i) exercising a power or performing a duty in terms of the Constitution or a provincial
constitution; or
(ii) exercising a public power or performing a public function in terms of any legislation.
1.13. Responsible Party means a public or private body or any other person which, alone or in
conjunction with others, determines the purpose of and means for Processing Personal
Information.
1.14. Special Personal Information means Personal Information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence; or any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings.
2. INTRODUCTION
2.1. The NSFAS is a Responsible Party, as contemplated in POPIA, insofar as it Processes Personal Information in order to give effect to its mandate under the NSFAS Act and to carry out its general operations and public functions.
2.2. As a Responsible Party, the NSFAS is committed to ensuring compliance with all Applicable Laws, including POPIA, and to uphold the privacy rights of all persons whose Personal Information it Processes.
2.3. This Policy outlines the mechanisms in place to ensure lawfulness, transparency, and accountability when the NSFAS Processes Personal Information, by setting out the manner in which the NSFAS ensures the lawful Processing of Personal Information, in a manner that does not infringe on the privacy of the Data Subject.
2.4. Please note that the NSFAS is a public body and processing of personal information is necessary for the proper performance of a public law duty as contemplated in section 11(1)(e) of POPIA.
3. AVAILABILITY OF THIS POLICY
3.1. This Policy can be accessed at the NSFAS’s website, using the following link: www.nsfas.org.za or by requesting a copy from the NSFAS’s Information Officer and / or Deputy Information Officer, whose details appear in clause 5 below.
3.2. This Policy may also be inspected at the NSFAS Head Office, located at The Halyard Building, 4 Christian Barnard Street, City Centre, Cape Town, 8000. The NSFAS reserves the right to update and amend this Policy, without further notice to any third parties. Any changes to this Policy shall be published on the NSFAS’s website, located at www.nsfas.org.za.
4. SCOPE
4.1. This Policy sets out the manner in which the NSFAS will Process Personal Information, including Special Personal Information, of Data Subjects.
4.2. This Policy applies to all individuals whose Personal Information the NSFAS Processes, including eligible students, applicants for the NSFAS funding, the NSFAS funders, third parties with whom the NSFAS engages, such as independent contractors, and the NSFAS employees and interns.
4.3. Please note that the NSFAS is required to Process Personal Information in order to give effect to its functions and for reasons outlined in this Policy. Should any Data Subject object to NSFAS Processing their Personal Information or withdraw their consent for the NSFAS Processing their Personal Information, the NSFAS may not be able to carry out its functions in relation to that Data Subject.
4.4. Please note further that the NSFAS is a public body and may be lawfully entitled to process certain Personal Information in terms of section 11(1)(e) of POPIA in particular (as well as any other Applicable Laws), even if a data subject has not consented thereto in terms of section 11(1)(a) of POPIA.
5. INFORMATION OFFICER, DEPUTY INFORMATION OFFICER(S) AND CONTACT DETAILS
5.1. The Chief Executive Officer is the designated Information Officer for NSFAS. The Information Officer’s details are as follows:
Office of the Chief Executive Officer of the NSFAS:
Address: The Halyard Building, 4 Christian Barnard Street, City Centre, Cape Town, 8000
Tel: 080 006 7327
Email: paiarequests@nsfas.org.za
The Chief Executive Officer has, in accordance with section 17(3) of PAIA, delegated their powers and duties conferred or imposed on them by PAIA to the
Chief Information Officer of the NSFAS.
The Deputy Information Officers details are as follows:
Office of the Chief Information Officer of the NSFAS
Address: The Halyard Building, 4 Christian Barnard Street, City Centre, Cape Town, 8000
Tel: 080 006 7327
Email: paiarequests@nsfas.org.za
6. TYPES OF PERSONAL INFORMATION COLLECTED BY THE NSFAS
NSFAS collects the following types of Personal Information:
6.1. Identity data: name and registration number of any company or entity if the Data Subject is a juristic person, first name and surname and identity number if the Data Subject is a natural person or the representative of a natural person;
6.2. Contact data: address, email address, contact number;
6.3. Financial data: bank account, credit profile, and credit history;
6.4. Medical and biometric data: medical history, biometric data, and related information;
6.5. Education and employment data: related to education and employment history, including academic transcripts;
6.6. Preference data: personal opinions, views or preferences;
6.7. Transaction data: details about payments and ongoing engagements with the NSFAS;
6.8. Historic information: information about previous residences, employment history, and related information;
6.9. Technical data: includes all types of cookies, IP address, login data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used to access this Website, as well as information about users’ visits, including the full URLs, clickstream to, through and from NSFAS’s website (including date and time), products viewed or searched for, page response times, errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from the page;
6.10. Profile data: username and password, applications made, Data Subjects’ interests, preferences, feedback and survey responses;
6.11. Usage data: information about how Data Subjects use the NSFAS’s website;
6.12. Marketing and communications data: preferences in receiving marketing from the NSFAS and communication preferences;
6.13. Correspondence: all data exchanged when corresponding with the NSFAS;
6.14. Special Personal Information: relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, wellbeing, disability, religion, conscience, belief, culture, language and birth;
6.15. Criminal history.
7. MANNER OF COLLECTING PERSONAL INFORMATION
7.1. The NSFAS collects Personal Information either directly from Data Subjects or indirectly where it is required to do so to exercise its public functions or authorised to do so in terms of POPIA or any Applicable Laws.
8. PURPOSE OF PROCESSING PERSONAL INFORMATION
8.1. The NSFAS was established in accordance with the NSFAS Act and performs a public function in accordance therewith.
8.2. The NSFAS exists to provide financially eligible students at TVET colleges and public universities. It does so by the NSFAS identifying eligible students, providing bursaries and collecting past student loan repayments to replenish the funds available for future generations of students. The NSFAS supports access to, and success in, higher education and training for students from poor and working-class families who would otherwise not be able to afford to study.
8.3. In terms of section 4 of the NSFAS Act, the functions of the NSFAS are: 8.3.1. to allocate funds for loans and bursaries to eligible students;
8.3.2. to develop criteria and conditions for the granting of loans and bursaries to eligible students in consultation with the relevant Minister;
8.3.3. to raise funds as contemplated in the NSFAS Act;
8.3.4. to recover loans;
8.3.5. to maintain and analyse a database and undertake research for the better utilisation of financial resources;
8.3.6. to advise the relevant Minister on matters relating to student financial aid; and
8.3.7. to perform other functions assigned to it by the NSFAS Act or by the relevant Minister.
8.4. All Personal Information Processed by the NSFAS will be for the purpose of carrying out its functions, as recorded in this Policy and as mandated under the NSFAS Act and any Applicable Laws.
9. USE OF PERSONAL INFORMATION
9.1. The NSFAS may Process Personal Information for the purposes of:
9.1.1. providing Data Subjects with the services, products or offerings they have requested, and notifying Data Subjects about important changes to these services, products or offerings;
9.1.2. managing accounts or relationships and complying with instructions or requests;
9.1.3. detecting and preventing fraud and money laundering and/or in the interest of security and crime prevention;
9.1.4. assessing and dealing with complaints and requests;
9.1.5. operational, marketing, auditing, legal and record keeping requirements;
9.1.6. verifying the identity of Data Subjects;
9.1.7. transferring or Processing Personal Information outside of the Republic of South Africa to such countries that may not offer the same level of data protection as the Republic of South Africa, including for cloud storage purposes and the use of any of the NSFAS websites;
9.1.8. complying with Applicable Laws, including lawful requests for information received from local or foreign law enforcement, government and tax collection agencies;
9.1.9. recording and/or monitoring telephone calls and electronic communications to/with the NSFAS in order to accurately carry out instructions and requests, to use as evidence and in the interests of crime prevention;
9.1.10. conducting market research and providing information about the NSFAS products or services from time to time via email, telephone or other means (for example, events);
9.1.11. where Data Subjects have unsubscribed from certain direct marketing communications, ensuring that we the NSFAS does not sent such direct marketing to those Data Subjects again;
9.1.12. disclosing Personal Information to third parties for reasons set out in this Policy or where it is not unlawful to do so;
9.1.13. monitoring, keeping record of and having access to all forms of correspondence or communications received by or sent from the NSFAS or any of its employees, agents or contractors, including monitoring, recording and using as evidence all telephone communications between Data Subjects and the NSFAS;
9.1.14. improving or evaluating the effectiveness of the NSFAS business or products, services or offerings; and
9.1.15. performing the functions of the NSFAS as generally recorded in this Policy and under the Applicable Laws.
10. DISCLOSURE OF PERSONAL INFORMATION
10.1. The NSFAS will, generally, not disclose Personal Information to any third parties, except to the extent permitted in POPIA, including where required by any Applicable Laws.
10.2. NSFAS may, however, share Personal Information with selected third parties, who act as operators appointed in accordance with the provisions of POPIA and who Process the information on behalf the NSFAS. If any Data Subject does not agree to this, they must contact the NSFAS at the address provided under clause 5. Please note that, should any Data Subject not agree to this, the NSFAS may be unable to render further services to them.
11. RETENTION OF PERSONAL INFORMATION
The NSFAS will retain Personal Information indefinitely, unless otherwise prescribed by any Applicable Laws.
12. ACCESS TO AND TREATMENT OF PERSONAL INFORMATION
12.1. Data Subjects may request details of Personal Information which the NSFAS holds about them in accordance with the procedures prescribed under PAIA. If any Data Subject would like to obtain a copy of their Personal Information held by the NSFAS, please review the NSFAS’s PAIA Manual located at www.nsfas.org.za.
12.2. Should any Data Subject have any queries and objections about the manner in which their Personal Information is processed, or should they wish to access, correct, or request the deletion and / or destruction of their personal information with the NSFAS, or to exercise any of their other rights under any Applicable Laws, including POPIA, please contact the NSFAS’s Deputy Information using the information provided under clause 5.
12.3. Data Subjects should be aware that, even if they object to the NSFAS Processing their Personal Information, the NSFAS may still be lawfully entitled and / or required to do so in accordance with POPIA and / or any Applicable Laws.
13. COMPLAINTS
13.1. Should any Data Subject have a complaint about the manner in which the NSFAS is Processing their Personal Information, they may contact the NSFAS’s Deputy Information using the information provided under clause 5.
13.2. If any Data Subject is dissatisfied with the manner in which the NSFAS has handled their complaint, they may also lodge a complaint with the Information Regulator, using the contact details listed below:
Email: complaints.IR@justice.gov.za
Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg
