Girls and Boys Town SA – Group Privacy Policy

This policy explains, in detail, the nature of the personal data that we require in order to effectively provide relevant services and how our organisation uses your data to effectively deliver non-profit services which enable us to assist those in need.

The policy also provides an overview of the way in which data is collected and subsequently stored or destroyed and includes the details of the security measures that we have in place as well as the process to be followed should a breach occur.

This policy aims to promote the purposes of The Protection of Personal Information Act (Act No. 4 of 2013) by ensuring that people are protected from harm through the protection of their personal information and giving effect to the constitutional right to privacy.

This policy applies to you if you are:

  • a visitor to our website;
  • a beneficiary of our services
  • a donor; or
  • an employee of Girls and Boys Town SA

Your rights under this Privacy Policy include:

  1. The right to find out whether we hold your personal information and if we do, you have the right to request access to any of your personal information that we hold;
  2. The right to request, where necessary, that we correct, update, destroy or delete your personal information;
  3. The right to object, on reasonable grounds, to the processing of your personal information;
  4. The right to be notified that your personal information is being collected or that your personal information has been accessed or acquired by an unauthorised person (please refer to our data breach protocol for details).
  5. The right to submit a complaint to the Information Regulator if you believe that there has been interference with the protection of your personal information, or that an independent adjudicator who may be resolving your complaint against us, has not decided the matter correctly;
  6. Lastly, you have the right to institute civil proceedings against Girls and Boys Town SA if you believe that we have interfered with the protection of your personal information.

How Do we Comply with the 8 Conditions set out by the Protection of Personal Information Act?

  1. Accountability: Girls and Boys Town SA complies with and adheres to POPIA.
  2. Processing Limitation: Girls and Boys Town SA processes personal information only when a legitimate basis exists, this information is processed in a fair, lawful, and non-excessive manner.
  3. Purpose specification: Girls and Boys Town SA only processes personal information for the specific purposes of delivering not-for profit services related to the assistance of youth in need. A list of these purposes is outlined in detail in this policy, which explains the lawful purpose that for which our organisation may use personal information.
  4. Further processing limitation: Girls and Boys Town SA does not process personal information for a secondary purpose unless that secondary purpose is compatible with the original intended purpose and necessary to action processes outlined in this policy.
  5. Information quality: Girls and Boys Town SA makes every reasonable effort to ensure that the personal information that we process is complete, accurate, up to date and in no way misleading. We rely on data subjects who provide us with information as well as the third party operators that we engage with to ensure the same when sending us any personal information.
  6. Openness: Girls and Boys Town SA ensures that data subjects are aware of the processing of their personal information, including the source and purpose of its collection, which is all explained in this policy.
  7. Security safeguards: Girls and Boys Town SA has made every effort to ensure that the integrity and confidentiality of personal information is protected by taking appropriate, reasonable, technical and organisational measures. Examples of our security measures include data encryption and implementing a “clean desk” policy which all of our employees must adhere to
  8. Data subject participation: Girls and Boys Town SA ensures that data subjects have access to their personal information upon request. Data subjects may also request the deletion or correction of any of their personal information.

For which data subjects is personal information collected?

  • Youth that we assist
  • Parents and/ or caregivers of the youth that we assist
  • Donors/Benefactors
  • Regional committee members
  • Board members
  • Employees of Girls and Boys Town SA

What Personal Data do we collect?

  • Personal Identification information
    • Full name
    • ID number
    • Gender
    • Occupation
    • Parental work information
    • Youth school and grade


  • Contact information
    • Cellphone number
    • Email address
    • Residential and postal address


  • Banking details
    • Debit/credit card information from parents/caregivers
    • Debit/credit card information from donors/benefactors

How do we collect your data?

We collect certain information from donors/benefactors upon registration. When a person decides to support our organization, they complete a debit order form. This can be done online via our website

The debit order form can also be form can also be found on our website; completed manually, or electronically, and then emailed to us; hand delivered or posted to head office or one of our branches.

The information contained within the forms received (either electronically or by other means) is manually captured by a branch administrator on the Ivory Donor Management System.

Upon registering on our website or manually completing a debit order form, data subjects are informed of the data which needs to be entered and they must acknowledge that they give us permission to make use of the personal information that they provide us with when you register.

Personal information collected on the youth that we assist is collected with the express permission of the children’s parent, legal guardian or caregiver. We do ensure that we receive liability/consent forms from these parents/caregivers for each of the children whom we assist.

How will we use your data?

Please note that we are a non-profit organization and that all data received/stored is used for the purpose of creating opportunities and caring for the youth of South Africa by providing them with opportunities to grow and develop into responsible citizens, able to contribute to family and community life in the spirit of peace, dignity, tolerance, equality and solidarity with others.

The data collected is used by various branches and regional offices within Girls and Boys Town SA which all adhere to this privacy policy.

Who do we share your data with?

Data is only shared when necessary with our service level providers. All service level providers have relevant data protection methods in place to ensure the security of personal information and are subject to our service level agreement Addendum in which they agree to protect the confidential information and process data in accordance with POPIA and in line with the standards that Girls and Boys Town SA adhere to (as outlined in this privacy policy). Our service level providers include:

  • Think Network (provide IT services and monitor server)
  • TouchBasePro (provide electronic communication support services)
  • Mercantile(Process Debit Orders)
  • iVeri (Nedbank) (Process Credit Cards)
  • Sarveshan Naidoo (FR System Developer)
  • Embrio (Postal Mailing)

How do we store your data?

All electronic data is stored on a central database. The server is hosted at the MTN Data Centre and managed by the IT Administrator of Girls and Boys Town SA and monitored by a 3rd party (Think Networking Pty Ltd).  Physical access to these facilities is restricted.  The following data security protocols are in place to protect data from unauthorised access or unlawful processing:

  • Username for server is not the standard Administrator.
  • Password is made up of 16 characters long, which is multi character including Capitals, letters, numeric and Acsii symbols.
  • Server is Firewall enabled. Protected with Eset File Server.
    • Disabling Eset Antivirus requires an alternate password to the one used by the admin account.
  • Additional protection is governed by Cyber Protect software.
  • Remote access is managed by static IP addresses only
    • This is managed by Think Networking.
  • Backups are actioned daily, with Previous versioned enabled.


All capturing of information is done manually by a branch administrator. This information is captured on the Ivory Donor Management System

Information contained in a non-electronic format (i.e. hard copies) is kept on file on office premises. These documents are stored in filing cabinets to which only authorized persons (branch managers and branch administrators) have access.

How long do we keep your data?

Section 14 of The Protection of Personal Information Act (Act No. 4 of 2013) states that records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:

  • retention of the record is required or authorised by law;
  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
  • retention of the record is required by a contract between the parties thereto; or
  • the data subject or a competent person where the data subject is a child has consented to the retention of the record.

Please note that Girls and Boys Town SA does not delete or destroy any data which we receive. This is because as Girls and Boys Town SA (as the responsible party) reasonably require records to be kept for lawful purposes related to our functions and activities as a charitable organization.

Data relating to personal information is obtained directly from the data subjects themselves and not from 3rd party sources (e.g. a donor provides us directly with their own personal information when they complete a debit order form and guardians of the children whom we assist directly provide us with information relating to the child).

We have taken additional steps to ensure that data subjects are made aware of the fact that Girls and Boys Town SA retains personal information and that by providing us with their personal information they consent to the retention of records. This has been done by adding a disclaimer which explains as such to our website and forms that we use to collect data.

Protocol that will be followed should a data breach occur

A data breach is a security incident of unauthorised release of private and sensitive information.  Data breaches can expose personal information, financial information, software codes, and even intellectual property.

Section 22 of The Protection of Personal Information Act sets out that security compromises (data breaches) occur anytime that there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person (which in turn triggers the comprehensive, mandatory data breach reporting obligations of the responsible party as soon as reasonably possible).

The reporting obligations require the Responsible Party (Girls and Boys Town SA) to notify the Information Regulator as well as the data subject(s) concerned (unless the identity of the data subject(s) cannot be established).

The Information Regulator may allow/direct the responsible party to publicise the fact of any compromise to the integrity or confidentiality of personal information, if the Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

In line with the requirements of POPIA, the below outlines the procedure that all employees are obligated to follow after discovering a data breach:

  1. Immediately notify line manager/director/other person of authority in the organisation.
  2. Co-operate fully regarding the nature of the loss and all important or required details.
  3. The line manager/director/person of authority will immediately contact the Information Officer, Debra May Swartz and the IT department.
  4. Immediate action will be taken regarding the safety and security of information and preventing any loss of information.
  5. The Information Officer will notify the Information Regulator as soon as is reasonably possible (within 72 hours) as well as any parties whose personal information has been accessed or acquired by an unauthorised party.
  6. The notification will, at the very least, contain the following information:
    1. A description of the possible consequences of the security compromise;
    2. A description of the measures taken or proposed to be taken by the responsible party to remedy the security breach;
    3. A recommendation of the measures that any party whose personal information was leaked in the security compromise should take in order to mitigate the possible adverse effects of the security compromise;
    4. The identity of the unauthorised person, if known, who accessed or acquired the personal information.
  7. If the personal information of individuals in the European Union (EU) is affected by a data breach in South Africa, the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, requires the responsible party to notify the supervisory authority in the EU without undue delay, and at the latest within seventy-two hours after having become aware of the security breach. The notification in this case must:
    1. Describe the nature of the breach;
    2. State the categories and number of persons affected by the breach;
    3. State the contact details of the data protection officer where further information can be obtained;
    4. Describe the likely consequences of the breach; and
    5. Describe the measures taken or proposed to be taken by the Company to remedy the breach, including measures to mitigate its possible adverse effects.
  8. A full investigation will be undertaken to analyse the nature and reason for the breach with documentation of the incident response and notification.
  9. Security policies and procedures must be reviewed and adjusted where necessary.
  10. Evidence of education and awareness programs undertaken by employees is to be provided where applicable.
  11. A security risk analysis will be implemented and risk mitigation plans revisited.
  12. Should the breach be caused by a vendor, the vendor agreements will be analysed and amended.
  13. Evidence of corrective action will be provided.
  14. A full report regarding the nature and reason for the breach will be provided to the managing committee of Girls and Boys Town SA and made available to affected parties where necessary.
  15. Simulation testing may be undertaken.


Girls and Boys Town SA attempts to avoid sending unsolicited marketing material to the general public, however, we do make use of direct marketing for the purposes of fund raising. This is due to the nature of our business being a non-profit/ charitable organization which relies on donations from the public as a source of funding

In accordance with Section 69 of POPIA which governs direct marketing; all of Girls and Boys Town SA’s communication contains the details of the identity of the sender and/or the person on whose behalf the communication has been sent; as well as an address and contact details to which the recipient may send a request that any further/ similar communications from Girls and Boys Town SA will cease.

Other marketing material and company newsletters are only sent to data subjects who are on our database.  The majority of our database consists of our donors/benefactors.

Should a data subject no longer wish to receive marketing material from Girls and Boys Town SA, they do have the option to unsubscribe by simply clicking the “unsubscribe” option at the bottom of communications received via email. All the unsubscription requests are sent to TouchBasePro (the service provider) who manages and cleans the data, removing those who wish to unsubscribe from the relevant mailing list(s).


How to contact us

Our information officer:

Debra May Swartz, the IT Administrator of Girls and Boys Town SA, is the appointed Information officer.

General Contact Numbers:

Girls and Boys Town SA Head Office


Physical Address                                             11 Lemon Street, Sunnyside, Johannesburg, 2092

Postal Address                                                 P.O. Box 91661 Auckland Park, 2006

Email Address                                        

Contact Number                                              (011) 482 2655

The South African Human Rights Commission PAIA Unit

Address                                                             Private Bag 2700, Houghton, 2041

Email Address                                        

Contact Number                                              (011) 484-8300

Facsimile                                                          (011) 484-0582

The Information Regulator (South Africa)        

Address                                                             P.O Box 31533, Braamfontein, Johannesburg, 2017

Email Address                                         OR

Contact Number                                              (010) 023-5207


Want to help? Make a Donation.