Privacy Policy (POPIA)
How SocialDesk processes personal information, lawful bases, rights, and safeguards.
# Privacy Policy (POPIA)

**Last updated:** 2026-03-04

**Applies to:** SocialDesk platform, web application, mobile access points, and related support operations.

## 1. Purpose

SocialDesk processes personal information to support social service case management, lawful service delivery, statutory reporting, and operational governance.

## 2. Responsible Party and Operator Roles

- **Responsible Party:** The organization using SocialDesk to provide social services.
- **Operator:** SocialDesk and approved technical service providers acting on documented instructions.

## 3. Information We Process

- Identity and contact information.
- Case-related records, notes, forms, attachments, and workflow actions.
- Consent records, system audit events, and usage metadata.
- Device/network security signals (for fraud prevention and integrity).

## 4. Lawful Basis for Processing (POPIA)

Processing is performed under one or more of the following:

- Data subject consent.
- Performance of a public law duty or social service mandate.
- Legal obligation and records accountability.
- Legitimate interests in security, fraud prevention, and service integrity.

## 5. Special Personal Information

Where special personal information is processed, controls include least-privilege access, purpose limitation, secure storage, and restricted disclosure.

## 6. How We Use Information

- Intake, triage, assignment, and case lifecycle management.
- Inter-organizational workflows and approved referrals.
- Reporting, quality assurance, and audit accountability.
- Security monitoring and incident investigation.

## 7. Sharing and Disclosure

Information may be disclosed only when necessary and lawful:

- To authorized officials and role-approved staff.
- To designated public bodies and approved service partners.
- To technical operators bound by confidentiality and data protection terms.
- When required by law, court order, or statutory duty.

## 8. International and Cross-Border Transfers

Cross-border processing occurs only where lawful safeguards and contractual controls are in place, with equivalent protection standards.

## 9. Security Safeguards

SocialDesk applies layered controls including:

- Role-based access control and strong authentication.
- Encryption in transit and at rest (where supported).
- Immutable or tamper-evident audit logging.
- Session controls, monitoring, and anomaly detection.
- Secure backups and recovery procedures.

## 10. Retention and Deletion

Retention periods follow legal obligations, organizational mandates, and documented retention schedules. Data is deleted, archived, or anonymized when no longer required.

## 11. Data Subject Rights

Subject to legal limitations, data subjects may request:

- Access to their personal information.
- Correction or update of inaccurate data.
- Objection to processing in specific circumstances.
- Deletion where legally permitted.
- Complaint escalation to relevant oversight authority.

## 12. Automated Decision-Making

Where workflow automation is used, final administrative actions remain subject to authorized human oversight.

## 13. Breach Notification

Security incidents are handled through a formal incident process. Notification occurs where legally required.

## 14. Contact and Requests

Privacy and rights requests should be submitted through your organization’s designated information officer or compliance contact.

## 15. Policy Updates

This policy may be updated to reflect legal, operational, or security changes. Current version metadata is published in-platform.