Privacy Policy

1. INTRODUCTION

1.1. This Privacy Policy sets out how Ditsong: Museums of South Africa (DMSA) will treat your personal information whether provided to us or collected by us through other means in the ordinary use of our products and/or services. It includes access to our website (www.ditsong.org.za) (“Website”). This Privacy Policy describes our approach and practices in respect of your personal information and our treatment thereof.
1.2. Terms not specifically defined in this Privacy Policy shall bear the meaning ascribed thereto in the Protection of Personal Information Act (“POPI”) (No. 4 of 2013).
1.3. DMSA is committed to protecting the privacy of its data subjects and ensuring that all information is used reasonably, securely, in a manner that is relevant to our business activities, in the interests of our data subjects and in accordance with applicable laws. In adopting this Privacy Policy, we wish to balance our legitimate interests and your reasonable expectation of privacy.
1.4. This Privacy Policy must be read together with any other document or agreement that describes the manner in which we, in specific circumstances, collect or process personal information about you. This will enable you to understand the manner in which DMSA will process your personal information.
1.5. This Privacy Policy supplements such other documents and agreements but does not supersede them and in the event of any conflict, ambiguity or inconsistency between this Privacy Policy and such other documents and agreements, the terms of the particular document or agreement will prevail. Should you wish to discuss any aspect of this Privacy Policy, please contact Pfarelo Maduguma, who has been appointed as the Deputy Information Officer of DMSA, at pfarelo@ditsong.org.za.
1.6. Ditsong: Museums of South Africa (DMSA) is a national public entity, which is an amalgamation of eight museums, seven in Tshwane and one in Johannesburg. These museums have diverse collections covering the fields of fauna and flora, palaeontology, military history, cultural history, geology, anthropology and archaeology.
The eight museums are:

• DITSONG: National Museum of Natural History
• DITSONG: Tswaing Meteorite Crater
• DITSONG: National Museum of Military History
• DITSONG: National Museum of Cultural History
• DITSONG: Kruger Museum
• DITSONG: Sammy Marks Museum
• DITSONG: Willem Prinsloo Agricultural Museum
• DITSONG: Pioneer Museum

1.7 DMSA’s mandate includes:

• Collection, conservation and safe management of national heritage collections on behalf of the South African nation.
• Carry out research and publish such information for the cultural, social and economic use locally and internationally.
• Design, implement and manage exhibitions and public programmes with a view to supporting the national educational curriculum, economic development and other socio-economic objectives of the Government.
• Render heritage-based service to other museums (national, provincial, local and private) as well as to individuals and tertiary institutions.

1.8 In order to conduct our business activities, including efficiently managing and marketing the museums and collections under our custodianship, DMSA must collect and use your personal information for various reasons.

2. GENERAL PRINCIPLES OF OUR PRIVACY POLICY
2.1 This Privacy Policy describes how DITSONG: Museums of South Africa (DMSA) collects, uses, discloses, retains and protects personal information, in accordance with POPIA and other relevant laws.
2.2 The Privacy Policy applies to DMSA’s website, applications, forms, documents, products and services which reference this Privacy Policy. It also supplements any other privacy policies which may apply in respect of DMSA’s processing of personal information.
2.3 POPIA defines personal information as “information which relates to an identifiable, living, natural person and where it is applicable, an identifiable, existing juristic person”. This includes, but is not limited to, your name, sex, gender, address, contact details, identity number and medical or health information. Personal information does not include information that does not identify a person (including in instances where that information has been anonymised). The personal information that we collect about you may differ on the basis of the products and services that you receive from DMSA.
2.4 DMSA will not use your personal information for any other purpose, other than that which is disclosed by you, unless you give DMSA your express written permission to do so, or unless DMSA is permitted or required to do so by law. DMSA respects your privacy and your personal information, for this reason, we will take care to protect it and keep it confidential.
2.5 This Privacy Policy is only available in English. Copies in other official languages may be made available by the Information Officer on request. To help DMSA comply, a process for handling requests is explained in this Policy.
2.6 Please note that, due to legal and other developments, the DMSA may amend these terms and conditions from time to time. The version of the terms and conditions effective for this Privacy Policy are indicated by the effective date incorporated in the title of this Privacy Policy. It is your duty to remain appraised of the current version of this Privacy Policy. The date indicated in the heading of this Privacy Policy is the effective date that governs the browsing and use of this Privacy Policy from that date until the next revision of this Privacy Policy becomes effective.

2.7 You must accept all the terms of this policy when you register for, our use the Website or any of our services. If you do not agree with anything in this policy, then you may not register for or use the Website. By accepting this policy, you are deemed to have read, understood, accepted, and agreed to be bound by all its terms.

3. THE INFORMATION WE COLLECT AND HOW WE USE IT
3.1 The DMSA may collect, acquire, receive, record, organise, collate, store, retain, update, change, retrieve, read, process, further process, analyse, use and share your personal information in the manner as set out in this Privacy Policy. When we perform one or more of these actions, we are “processing” your personal information.

3.2 DMSA collects and processes personal information relative to the provision of its services, and for direct marketing purposes, and undertakes to collect such information in a legal and reasonable manner. The type of information we collect will depend on the need for which it is collected and will be processed for that purpose only. Examples of the types of personal information we may process include (depending on the products and services you may receive from us as a result of the type of data subject you may be in relation to DMSA):
3.2.1 Identity Information which may include information concerning your name, username or similar identifier, title, date of birth, gender, race, and legal status, medical aid information (in the case of employees and their dependents), as well as copies of your identity documents, photographs, identity number or registration number and your qualifications, employment records, personal information of spouses and children required for pension plans, medical aid plans, contact details and health information of visitors and staff for the purposes of Covid-19 symptom checking.
3.2.2 Contact Information which may include your billing addresses, delivery addresses, e-mail addresses and telephone numbers, next-of-kin contact details, residential address details for payroll and other HR purposes, as well as company secretarial information that has been disclosed in relation to you.
3.2.3 Financial Information which includes bank account details, salary information, income tax numbers, and pension information for administration of our employee pension fund.
3.2.4 Transaction Information which may include details about payments made to or received from you.
3.2.5 Technical Information which includes your Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website;

3.2.6 Usage Information which may include information as to your access to and use of the Website, products and services.
3.2.7 Location Information which may include geographical information from your access device as defined below (which is usually based on the GPS or IP location).
3.2.8 Marketing and Communications Information which includes your preferences in respect of receiving marketing information from us and our third parties and your communication preferences.
3.2.9 Aggregated Data – DMSA may also process, collect, store and/or use aggregated data, which may include historical or statistical data (“Aggregated Data”) for any purpose (for example, sending BEE or employment statistics to regulatory bodies to which we are subject, as per their requirements). Aggregated Data may be derived from your personal information but is not considered personal information, as this data does not directly or indirectly reveal your identity. However, if we combine or connect aggregated data with your personal information in a manner that has the result that it can directly or indirectly identify you, we will treat the combined data as personal information, which will be managed in accordance with this Privacy Policy.

3.3 In certain instances, we may need consent to process your personal information. If you give us your consent for a specific context, you are free to withdraw this consent at any time. Please note that where you have withdrawn your consent, this will not affect the processing that took place prior to such withdrawal and it will not affect the processing of your personal information where consent is not required.

3.4 You may refuse to provide us with your personal information in which case we may not be able to provide you with the required service or would have to terminate our business relationship. The supply of certain items of personal information, especially those collected to comply with regulation, is legally mandatory.

4. HOW WE COLLECT INFORMATION
We collect personal information in the following ways:
4.1 Through direct or active interactions with you:
4.1.1 We may require that you submit certain information to enable you to access certain portions of the Website, to make use of our services (for example, as customers), to purchase our goods or services, to facilitate the conclusion of an agreement with us, or as is necessary for the fulfilment of our statutory or regulatory obligations. We also collect personal information directly from you when you communicate directly with us, for example via e-mail, physical visits, telephone calls, feedback forms, site comments or forums.
4.1.2 If you contact us, we reserve the right to retain a record of that correspondence, which may include personal information.
4.1.3 The personal information that we actively collect from you may include any of the personal information listed under Section 3 of this Privacy Policy.

4.2 Through automated or passive interactions with you:
4.2.1 We may passively collect certain of your personal information from the access device that you use to access and navigate the Website (each “Access Device”), by way of various technological applications, for instance, using server logs to collect and maintain log information.
4.2.2 We also use cookies and anonymous identifiers which enable our computer system to recognise you when you next visit the Website to distinguish you from other users and to improve our service to you, and which can be used to enhance the content of the Website and make it more user-friendly, as well as to give you a more personalised experience.
4.2.3 A cookie is a small piece of data (an alphanumeric identifier) which our computer system transfers to your access device through your web browser when you visit the Website and which is stored in your web browser. When you visit the Website again, the cookie allows the site to recognise your browser. Cookies may store user preferences and other information.
4.2.4 You may disable the use of cookies by configuring your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do so, you may not be able to enjoy all of the features and functionality of the Website.
4.2.5 The personal information that we passively collect from your access device may include your identity information, your contact information, your technical information, your usage information, your location information and your marketing and communications information, or any other personal information which you permit us, from time to time, to passively collect from your access device.

4.3 From third parties or public sources:
4.3.1 DMSA receives personal information about you from various third parties and public sources, including (without limitation):
– publicly available publications which include details of researchers;
– publicly available governmental publications; and
– academic and research institutions’ websites which contain details of academics who are active in the academic fields related to the sectors that DMSA operates in.

4.3.2 Owners or information system administrators of third-party websites that have links to the DMSA Website, may collect personal information about you when you use these links. DMSA does not control the collection or use of personal information by third parties and this Privacy Policy does not apply to third parties. DMSA does not accept any responsibility or liability for third-party policies or your use of a third-party app, platform or service.

4.3.3 DMSA also uses certain social networking services such as Facebook, WhatsApp, Instagram and Twitter to communicate with the public. When you communicate with DMSA through these services, that social networking service may collect your personal information for its own purposes. These services may track your use of our digital channels on those pages where the links are displayed. If you are logged in to those services (including any Google service) while using our digital channels, their tracking will be associated with your profile with those service providers. These services have their own privacy policies which are independent of DMSA’s Privacy Policy and practices. Please ensure that you fully acquaint yourself with the terms of any such third-party privacy policies and practices.

5. HOW WE USE YOUR PERSONAL INFORMATION
5.1 We use the personal information that we collect from you to maintain and improve the Website and to improve the experience of our users, to facilitate the sale of our products and the provision of our services and to fulfil our statutory and regulatory obligations. We may also use your personal information to:

• retain and make information available to you on the Website;
• maintain and update our customer, or potential customer, databases;
• establish and verify your identity on the Website;
• operate, administer, secure and develop the Website and the performance and functionality of the Website;
• inform you about any changes to the Website, this Privacy Policy or other changes that are relevant to you;
• create user profiles and to analyse and compare how you and other users make use of the Website, including your browsing habits, click-patterns, preferences, frequency and times of use, trends and demographic information;
• provide you with marketing material that is relevant to you;
• for security, administrative and legal purposes;
• comply with our statutory obligations, including submissions to the B-BBEE Commission, as well as engaging with regulatory authorities;
• for customer relations purposes;
• conduct DMSA’s recruitment and hiring processes, which includes the conducting of criminal record and credit checks, referrals, the capturing of job applicant’s details and the providing of status updates to job applicants;
• fulfil any contractual obligations that we may have to you or any third party;
• communicate with you and retain a record of our communications with you and your communications with us;
• analyse and compare the types of access devices that you and other users make use of and your physical location;
• for other lawful purposes that are relevant to our activities or regulatory functions;
• collect information for consolidation and reporting purposes which can be sent to the Executive Authority and Parliament;
• for statistical analysis and research purposes;
• for audit and record-keeping purposes;
• enhance your experience when interacting with the DMSA and to help us improve our offerings to you;
• conduct market research and provide you with information about our products and services from time to time via email, telephone or other means (for example, invite you to events).

5.2 DMSA will restrict its processing of your personal information to the original purpose for which it was collected, unless DMSA reasonably considers that it is necessary to process it for another purpose that is compatible with the original purpose. DMSA may, where permitted or required to do so by applicable legislation, process your personal information without your knowledge or consent, and will do so in accordance with the further provisions of this Privacy Policy.

6. COMPULSORY PERSONAL INFORMATION AND CONSEQUENCES OF NOT SHARING WITH US
6.1. Where DMSA is required to process certain personal information by law, or in terms of a contract that we have with you, and you fail to provide such personal information when requested to do so, DMSA may be unable to perform in terms of the contract we have in place or are trying to enter into with you. In this case, DMSA may be required to terminate the contract and/or relationship, upon notification to you, which termination will be done in accordance with the terms of the contract and all applicable legislation.

7. SHARING YOUR PERSONAL INFORMATION
7.1. We will not intentionally disclose your personal information, whether for commercial gain or otherwise, other than with your permission or as permitted by applicable law or in the manner as set out in this Privacy Policy.

7.2. DMSA may share your personal information under the following circumstances:
7.2.1 with our agents, advisers, service providers and suppliers that have agreed to be bound by this Privacy Policy or similar terms, which offer the same level of protection as this Privacy Policy;
7.2.2 with our employees, suppliers, service providers, contractors and agents if and to the extent that they require such personal information in the provision of services for or to us, which include hosting, development and administration, technical support and other support services relating to the Website or the operation of DMSA’s business. We will authorise any personal information processing done by a third party on our behalf, amongst other things by entering into written agreements with those third parties governing our relationship with them and containing confidentiality and non-disclosure provisions;
7.2.3 to enable us to enforce or apply any other contract between you and us;
7.2.4 to protect our rights, property or safety or that of our customers, employees, contractors, suppliers, service providers, agents and any other third party;
7.2.5 to mitigate any actual or reasonably perceived risk to us, our customers, employees, contractors, agents or any other third party;
7.2.6 share with governmental agencies and other regulatory or self-regulatory bodies, if required to do so by law or we reasonably believe that such action is necessary to:
– comply with the law or with any legal process;
– protect and defend the rights, property or safety of DMSA, or our customers, employees, contractors, suppliers, service providers, agents or any third party;
– detect, prevent or manage actual or alleged fraud, security breaches, technical issues, or the abuse, misuse or unauthorised use of the Website and contraventions of this Privacy Policy; and
– protect the rights, property or safety of members of the public (if you provide false or deceptive information or misrepresent yourself, we may proactively disclose such information to the appropriate regulatory bodies and/or commercial entities).

8. PROCESSING OF PERSONAL INFORMATION
8.1. Chapter 3 of POPIA provides for the minimum conditions for lawful processing of personal information by a responsible party. These conditions may not be derogated from unless specific exclusions apply as outlined in POPIA.
8.2. DMSA needs personal information relating to both individual and juristic persons in order to carry out its business and organisational functions. The manner in which this information is processed and the purpose for which it is processed is determined by DMSA. DMSA is accordingly a responsible party for the purposes of POPIA and will ensure that the personal information of a data subject:
8.2.1 is processed lawfully, fairly and transparently. This includes the provision of appropriate information to data subjects when their data is collected by DMSA, in the form of privacy or data collection notices. DMSA must also have a legal basis (for example, consent) to process personal information;
8.2.2 is processed only for the purposes for which it was collected;
8.2.3 will not be processed for a secondary purpose unless that processing is compatible with the original purpose;
8.2.4 is adequate, relevant and not excessive for the purposes for which it was collected;
8.2.5 is accurate and kept up to date;
8.2.6 will not be kept for longer than necessary;
8.2.7 is processed in accordance with integrity and confidentiality principles; this includes physical and organisational measures to ensure that personal information, in both physical and electronic form, are subject to an appropriate level of security when stored, used and communicated by DMSA, in order to protect against access and acquisition by unauthorised persons and accidental loss, destruction or damage;
8.2.8 is processed in accordance with the rights of data subjects, where applicable. Data subjects have the right to:
– be notified that their personal information is being collected by DMSA. The data subject also has the right to be notified in the event of a data breach;
– know whether DMSA holds personal information about them, and to access that information. Any request for information must be handled in accordance with the provisions of this Policy;
– request the correction or deletion of inaccurate, irrelevant, excessive, out of date, incomplete, misleading or unlawfully obtained personal information;
– object to DMSA’s use of their personal information and request the deletion of such personal information (deletion would be subject to DMSA’s record keeping
requirements);
– object to the processing of personal information for purposes of direct marketing by means of unsolicited electronic communications; and
– complain to the Information Regulator regarding an alleged infringement of any of the rights protected under POPIA and to institute civil proceedings regarding the alleged non-compliance with the protection of his, her or its personal information.

9. DATA SECURITY
9.1. Storage and transfer of your Information

DMSA intends to protect the integrity and confidentiality of your personal information. DMSA has implemented appropriate technical and organisational information security control measures (including, but not limited to, using encryption for transmission to keep information secure, accurate, current, and complete). However, we cannot guarantee the security of any information that is transmitted to the organisation online and you do so at your own risk.

9.2. Transfer across borders
Some of the persons to whom we disclose your personal information may be situated outside of the Republic of South Africa (RSA) in jurisdictions that may not have similar data protection laws to that of the RSA. In this regard, we may send your personal information to service providers outside of the RSA for storage or processing on DMSA’s behalf. However, we will not send your information to a country that does not have information protection legislation similar to that of the RSA, unless we have ensured that the recipient agrees to effectively adhere to the principles for processing of information in accordance with POPIA.

9.3. Clickstream analytics
9.3.1 In the interests of better customer service, DMSA may collect anonymous information from visitors to its websites. Google Analytics or cookies may be used to analyse trends and statistics and to provide better customer service on our Website.

9.3.2 The information, referred to as traffic data, which may be collected includes

• Your IP address;
• The search terms you have used;
• The pages accessed on the Website and the links you have clicked on;
• The date and time you visited the Website;
• The referring website (if any) which you clicked through to our Website;
• The type of website browser you use; and
• Activities while visiting our Website.

9.4. Cookies
9.4.1 What are cookies?
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (for example, a computer or smartphone) when you access a website. It allows the website to recognise your device and store some information about your preferences or past actions.

9.4.2 How are cookies used?
Cookies ‘remember’ information about you. The information helps the DMSA to understand how our Website users are utilising our services, assisting us in improving it. With it, we can remember your preferences, previous website usage and browsing history, and keep this in mind when providing you with content. Because of this, we can bring you an enhanced experience and customised content and services. Cookies allow us to measure how many times a page has been visited, whether a page has been visited on the Website through an advertisement or by other means.

9.4.3 How to disable cookies?

Chrome
a. Click the Customize and control Google Chrome menu button in the upper right-hand corner of the browser bar.
b. Click “Settings.”
c. Scroll down to Privacy and Security
d. Click “Site Settings”.
e. Click “Cookies and site data”.
f. In the Privacy and Security section, click Content Settings.
g. Customise settings so as to block cookies.

Edge
a. Click the Settings and more button in the upper right-hand corner of the browser bar.
b. Click Settings.
c. Click Privacy and Security.
d. In the Cookies section, turn on “Block third-party cookies” or add desired sites in “Block” section to block the cookies.

Internet Explorer 11
a. Click Tools or the gear icon in the upper right-hand corner of the top of the browser bar.
b. Select Internet Options.
c. Click the Privacy tab and then the Advanced button on that tab.
d. Customise settings so as to reflect your preferences.

Firefox
a. Click the Open menu button in the upper right-hand corner of the browser bar.
b. Click Options.
c. Click Privacy and Security.
d. Customise settings so as to reflect your preferences.

9.5. Right of access to information
The Promotion of Access to Information Act (PAIA), coupled with POPIA, offer an individual the right to access information held by a public or private body in certain instances. This right can be exercised in accordance with the DMSA Access to Information Manual.

9.6. Correction of your information
In accordance with POPIA, you have a right to correct any of your personal information held by DMSA. This right should be exercised in accordance with the procedure outlined in the Access to Information Manual.

9.7. Objection to processing of your information
In accordance with POPIA, you may object to our processing of your personal information on reasonable grounds relating to your particular situation, unless legislation provides for such processing.

9.8. Marketing
Where you provide your personal information to DMSA in the context of a sale of our products or services, you agree to us sending you information on news, trends, services, events and promotions, always subject to your right to opt out of receiving such marketing materials at the time your information is collected and on each subsequent marketing communication thereafter. You may object to receiving direct marketing from DMSA at any time by contacting the DMSA’s Deputy Information Officer or the Marketing and Communications Manager. Where you choose to exercise your right to opt out of direct marketing, please allow up to 21 working days for DMSA to effect that change.

10. CONTACT INFORMATION OF DITSONG: MUSEUMS OF SOUTH AFRICA
10.1 Should you have a question or complaint regarding the processing of your personal information, your
complaint may be submitted to:

11. THE INFORMATION REGULATOR
Whereas we would appreciate the opportunity to first address any complaints regarding our processing of your personal information, you have the right to complain to the Information Regulator, whose contact details are:
The Information Regulator (South Africa)
JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
PO Box 31533, Braamfontein, Johannesburg, 2017

Complaints email: complaints.IR@justice.gov.za
General enquiries email: inforeg@justice.gov.za