PAIA Manual

Date of compilation: 11.12.2020

COMPUGROUP MEDICAL SOUTH AFRICA (PTY) LTD

Company registration number 2005/023029/07

("CGM") PAIA MANUAL in terms of Section 51 of The Promotion of Access to Information Act 2 of 2000 (the "Act")

INDEX

Introduction to CGM
Contact details
The Act
Applicable legislation
Schedule of records
Form of request
Fees
Form to request access to record of a private body

1. INTRODUCTION TO CGM

CGM is a 100% subsidiary of CompuGroup Medical SE & Co. KGaA. With our headquarters located in Cape Town and offices in Pretoria and Durban, CGM South Africa services the South African and African markets. We provide software solutions and services for medical and dental practices, allied health, pharmacies and hospitals.

More than 3 000 healthcare providers in South Africa as well as an increasing number of customers in Sub-Saharan African countries benefit from our product portfolio. Our healthcare experts have been delivering professional service and support in South Africa for over 10 years. During this time, we have introduced numerous innovative software solutions, including patient and practice administration, medical records, billing, electronic scripting and hospital information systems.

2. CONTACT DETAILS

Physical Address: Block 3, Upper Ground Floor, 1 Waterhouse Building, 4 Waterford Place, Century City, Cape Town, South Africa

Telephone number: 021 4861200

Website: www.cgm.com/zaf_en

Information Officers

Information Officer

Christo Groenewald | Telephone number: 021 486 1200

E-mail: christo.groenewald@cgm.com

Deputy Information Officer

Paula Kingham | Telephone number: 021 486 1200

E-mail: paula.kingham@cgm.com

3. THE ACT

This Manual has been compiled to meet the requirements of the Promotion of Access to Information Act 2 of 2000 ("the Act"), as applied in concert with the Protection of Personal Information Act 4 of 2013. The goal is to give effect to the constitutional right of individuals to access information held by a private body (in this case, CGM), if the information is required for the exercise or protection of that individual's rights. Such right of access to information is subject to justifiable limitations for the reasonable protection of privacy, commercial confidentiality, and effective, efficient good governance, balancing the right to information against other rights. . If a public body lodges a request, the public body must be acting in the public interest.

This Manual is available free of charge on CGM's website, and at the physical address listed in section 2 above.

Requests for information in terms of the Act must be made in accordance with the procedures prescribed in this document, and will be charged for at the rates outlined in section 7 below.

The South African Human Rights Commission ("SAHRC") has compiled a Guide in terms of Section 10 of the Act which gives advice on how to exercise your rights. This Guide is available from the SAHRC at:

Postal Address: Private Bag 2700, Houghton, 2041

Telephone Number: +27-11-877 3600

Fax Number: +27-11-403 0625

Website: www.sahrc.org.za

Purpose for processing data

CGM takes the privacy and protection of personal information very seriously and will only process personal information in accordance with current South African privacy legislation.

CGM processes personal information for a variety of purposes, including, but not limited to the following:

to provide any information, products, services, or support requested by data subjects;
to help identify data subjects when they contact CGM;
to maintain customer records;
to securely transmit the data of data subjects for the purpose of providing them with integrated healthcare;
to manage the back up and storage of data subjects' data on behalf of some CGM customers to support the smooth and secure running of CGM's customers' practices;
for recruitment, internship, and employment purposes;
for travel purposes;
for general administration, financial, and tax purposes;
for legal or contractual purposes;
for health and safety purposes;
to monitor access, and ensure the security of CGM's premises and assets;
to transact with suppliers and business partners;
to help CGM to improve the quality of its products and services;
to help CGM to detect and prevent fraud and money laundering;
to help CGM recover debts;
to carry out analysis and customer profiling;
to identify other products and services which might be of interest to data subjects and to inform them about our products and services.

Categories of data subjects

CGM processes the personal information of a variety of kinds of data subjects, for various reasons, including the following:

Type of data subject	Type of personal information processed
Employees	demographic information health and disability information employment contracts performance and disciplinary matters payroll physical access and surveillance training employment history criminal history background checks time and attendance correspondence
Customers and potential customers	demographic information contracts contact, training, installation, and support history banking details credit record account history correspondence practice database (exclusively for contracted support or back-up purposes)
Suppliers	demographic information of suppliers and their representatives account history product and service information contracts correspondence
Business partners	demographic information of business partners and their representatives product and service information contracts correspondence business negotiation and collaboration information

Categories of data recipients

We may share the personal information of our data subjects for the purposes outlined above with the following kinds of recipients:

contracted employees of CGM;
service providers and agents who perform services on CGM's behalf;
third parties as described below.

We do not share the personal information of data subjects with third parties unless:

obliged to do so for legal or regulatory purposes, or in connection with legal proceedings;
necessary to provide or improve a product or service for which a data subject has contracted with CGM;
selling a business to someone to whom CGM needs to transfer rights in relation to the data subject, in which case strict confidentiality agreements would be put in place to protect data subjects.

If required to share a data subject's private information with a third party as specified above, we would notify the data subject of such disclosure.

CGM's employees are required to data privacy and confidentiality principles, and are trained in this regard.

Planned trans-border flows of data

CGM only transfers personal information across South African borders with the explicit prior consent of data subjects. Specifically, CGM stores its customer data at CGM SE & Co. KGaA's server hub in Frankfurt, Germany, as per agreement.

No patient data is transmitted outside South Africa.

Information security measures to ensure confidentiality, integrity and availability of information to be processed

CGM has put high-level information technology security measures in place to protect all data, including personal information, processed by CGM. Such protection includes but is not limited to encryption, back-ups, anti-virus and anti-malware protection, redundancy, and disaster recovery plans.

CGM constantly monitors and implements its technical and organisational security measures to protect the integrity, security, and accessibility of data processed by it. Any third parties with whom CGM interacts for the provision of such services are required to be bound by legislation similar to that in South Africa regarding the protection of personal information, or alternatively be bound by agreements which bind them to an equivalent level of competency and care.

4. APPLICABLE LEGISLATION

No.	Act
1	Basic Conditions of Employment Act 75 of 1997
2	Broad-based Black Economic Empowerment Act 53 of 2003
3	Companies Act 71 of 2008
4	Compensation for Occupational Injuries and Diseases Act 130 of 1993
5	Competition Act 89 of 1998
6	Consumer Protection Act 68 of 2008
7	Electronic Communications and Transactions Act 25 of 2002
8	Employment Equity Act 55 of 1998
9	Income Tax Act 58 of 1962
10	Insolvency Act 24 of 1936
11	Labour Relations Act 66 of 1995
12	Medical Schemes Act 131 of 1998
13	National Credit Act 34 of 2005
14	Occupational Health Act 61 of 2003
15	Prescription Act 68 of 1969
16	Promotion of Access to Information Act 2 of 2000
17	Protected Disclosures Act 26 of 2000
18	Skills Development Act 97 of 1998
19	Skills Development Levies Act 9 of 1999
20	Unemployment Insurance Contributions Act 4 of 2002
21	Value Added Tax Act 89 of 1991

5. SCHEDULE OF RECORDS

Kind of record	Subject	Availability
Business	CIPC records (including company registration, officers, intellectual property) audited financial statements tax records asset register statutory records operational records internal policies and procedures financial records product development information management planning information, budgets information technology system records information technology disaster recovery and implementation plans	1.2 4 2 4 2 4 2 4 4 4 4 4
Marketing	product information manuals media releases company website marketing plans	1 2 1 1 4
Personnel	personal information provided by personnel personal information provided by third parties employment contracts internal evaluation, performance management and disciplinary records statutory records regarding UIF, PAYE, B-BBEE, EE, Health and Safety correspondence with and about personnel training schedules and material remuneration records facilities management documentation	3 4 4 3 2,3 3,4 2,3 3,4 2
Legal	agreements and memoranda of understanding litigation records legal opinions legal correspondence	4 4 4 4
Customer	personal information provided by customers about themselves and their practices customer contracts customer databases (including health and other personal information of customers' patients) credit records account records correspondence with and about customers	3 4 3,4 3 3 3,4
Other parties	personal information provided by suppliers and contractors contracts accounting records	3 4 3

Key to record access levels

Access level	Classification	Description
1	Public	Unrestricted availability
2	Internal use	Administrative records relating to the running of the business with little interest or value to outside parties, to which outside parties may be granted limited access, depending on the circumstances.
3	Restricted access	Personal information of an individual or juristic person requested by the data subject of that information.
4	Highly confidential	Legally privileged document, or document likely to harm an individual, compromise the safety of individuals or property, or harm the commercial or financial interests of the company or a third party.

6. FORM OF REQUEST

To facilitate the processing of your request, please use the form included as section 8 of this document.

Please address your request to the Information Officer at the details given in section 2 above.

Provide sufficient details to enable CGM to identify:

the record(s) requested;
the requester (and if an agent is lodging the request, proof of capacity);
the form of access required;
the postal, e-mail address, and contact number of the requester in the Republic of South Africa;
indication of whether the requester wishes to be informed of the decision, how they wish to be informed, and what kind of information they want about the decision;
the right which the requester is seeking to exercise or protect, with an explanation of the reason the record is required to exercise or protect the right.

Once received, CGM will assess your request taking the balance of rights into account, and the degree of access reasonably possible for the kind of record relative to the table in section 5 above. CGM will then notify you as to whether it is willing and/or able to release the requested records to you.

If you are not satisfied with the response from CGM, you can apply to the Information Regulator for relief.

7. FEES

When the Information Officer of CGM receives a request on the official form for information in terms of PAIA, the Information Officer will send the requester (other than a personal requester) a notice requiring the requester to pay the prescribed request fee of R50.00 before further processing the request.

A further access fee will be payable before the requested record is released. The quantum of this fee is calculated taking reproduction costs, search and preparation time, and postal costs (if relevant).

If preparation of the record requested will take more than six hours, a deposit of one third of the access fee will be payable in advance of provision of the record, with the balance payable on delivery. The Information Officer will provide the details of the account into which the payment must be made on the invoice for the access fee.

Schedule of fees

For every photocopy of an A4-sized page or part thereof R1.10

For every printed copy of an A4-sized page or part thereof held electronically R0.75

For a copy in a computer-readable form on a CD R70.00

For a copy in a computer-readable form on a flash drive R100.00

For a transcription of visual images for an A4-sized page or part thereof R40.00

For a copy of a visual image R60.00

For a transcription of an audio record per A4-sized page or part thereof R20.00

For a copy of an audio record R30.00

To search for and prepare the record for disclosure, R30.00 per hour or part thereof.

Click here to download form to request information.