List of active policies

Full policy

GISP Learning Portal — Privacy Policy & POPIA Compliance

Effective Date: 10 March 2026  |  Version: 2.0
Information Officer: Mr S. Jehoma  |  selwyn@gisp.org.za  |  084 515 4592

---

1. Who We Are

The Global Institute for Social Protection (GISP) is a South African registered non-profit company (NPO) based in Cape Town, dedicated to enhancing access to social protection through training and skills development programmes. GISP is a registered Skills Development Provider (SDP) operating under the QCTO qualification framework and HWSETA oversight.

This Privacy Policy governs the collection, processing, storage, and protection of personal information on the GISP Learning Portal (lms-dev.gisp.org.za), in compliance with the Protection of Personal Information Act, 2013 (POPI Act, Act No. 4 of 2013).

2. Lawful Basis for Processing (POPIA Section 11)

• Contractual necessity: to enrol you in and administer GISP training programmes
• Legal obligation: to comply with HWSETA, QCTO, and SAQA reporting requirements
• Legitimate interest: to manage the LMS, issue certificates, and improve programme delivery
• Consent: where you have given explicit consent for specific processing activities

3. Information We Collect

Identification & Contact: Full name, email, phone, address, SA ID or passport number.

Demographic (HWSETA/SETA reporting): Race, gender, disability status, province, employment status, employer name.

Professional & Academic: Highest qualification, field of study, institution, completion year, job title, years of experience.

Learning Activity Data: Enrolment dates, assessment scores, quiz attempts, assignment submissions, completion dates, login times, activity participation, certificate records.

Technical: IP address, browser type, device information, session cookies.

4. How We Use Your Information

• Register and enrol you in GISP training programmes
• Administer qualifications, assessments, and certifications
• Generate HWSETA-required learner performance and demographic reports
• Issue Portfolio of Evidence (POE) records and completion certificates
• Communicate programme updates, assessment deadlines, and notifications
• Comply with QCTO, HWSETA, SAQA, and other regulatory requirements

5. How We Protect Your Information

GISP implements role-based access controls, encrypted data transmission (HTTPS/TLS), regular system backups and security audits, and staff training on data protection obligations.

6. Sharing Your Information

GISP does not sell your personal data. We may share with: HWSETA and QCTO (statutory reporting); SAQA (NLRD submissions); payment processors; IT service providers under confidentiality agreements; and accredited assessors and moderators for quality assurance purposes.

7. Your Rights Under POPIA (Section 5)

• Be notified that your personal information is being collected (Section 18)
• Access your personal information held by GISP (Section 23)
• Request correction or deletion of inaccurate information (Section 24)
• Object to the processing of your personal information (Section 11(3))
• Withdraw consent at any time
• Lodge a complaint with the Information Regulator of South Africa

Contact: Mr S. Jehoma — selwyn@gisp.org.za — 084 515 4592

8. Information Regulator

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
Email: inforeg@justice.gov.za  |  Website: www.justice.gov.za/inforeg/

9. Data Retention

• Active learner records: duration of enrolment + 5 years
• Completion and certification records: 7 years (SETA requirements)
• Financial records: 5 years (tax legislation)
• Technical/system logs: 12 months

10. Cookies

The GISP Learning Portal uses session cookies for essential functionality only. No third-party advertising cookies are used. You may manage cookies in your browser settings.

11. Third-Party Links

The portal may link to gisp.org.za and other external sites. GISP is not responsible for their privacy practices.

12. Policy Updates

This policy may be updated periodically. Registered learners will be notified of material changes via the Learning Portal.

13. Contact Us

Information Officer: Mr S. Jehoma
selwyn@gisp.org.za  |  084 515 4592
https://gisp.org.za/contact-us/
https://lms-dev.gisp.org.za

Full policy

1. Purpose

This Data Retention Policy establishes the rules and procedures governing the retention, archiving, and disposal of personal information and records processed through the GISP Learning Portal (the "LMS"), hosted at lms-dev.gisp.org.za.

The policy ensures that the Global Institute for Social Protection ("GISP") retains personal information only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law, and that such information is securely destroyed or de-identified once the retention period has expired.

2. Scope

This policy applies to all personal information and records processed through the GISP Learning Portal, including but not limited to:

• Learner registration and demographic data
• Assessment results, grades, and Portfolios of Evidence (POE)
• Course completion and certification records
• Attendance records (online and face-to-face sessions)
• System logs, access logs, and audit trails
• Forum posts, messages, and activity data
• BigBlueButton virtual classroom recordings
• Facilitator and staff records
• POPIA consent records
• Backup copies of the LMS database

This policy applies to all GISP staff, facilitators, contracted service providers, and any person who processes personal information on behalf of GISP through the LMS.

3. Legislative Framework

This policy is informed by and must be read in conjunction with the following legislation:

• Protection of Personal Information Act 4 of 2013 (POPIA), in particular Sections 14 and 19
• Promotion of Access to Information Act 2 of 2000 (PAIA)
• Skills Development Act 97 of 1998
• National Qualifications Framework Act 67 of 2008
• Employment Equity Act 55 of 1998
• Basic Conditions of Employment Act 75 of 1997
• Broad-Based Black Economic Empowerment Act 53 of 2003
• Electronic Communications and Transactions Act 25 of 2002

Where any conflict exists between this policy and applicable legislation, the legislative requirement shall prevail.

4. Key Definitions

Personal Information: Information relating to an identifiable, living, natural person as defined in Section 1 of POPIA.

Data Subject: The person to whom personal information relates, including learners, facilitators, and staff.

Responsible Party: The Global Institute for Social Protection (GISP), which determines the purpose of and means for processing personal information.

Information Officer: Mr S. Jehoma, designated in terms of POPIA to ensure compliance with the Act.

Retention Period: The period for which a record must be kept before it may be destroyed or de-identified.

De-identification: The process of removing or altering personal identifiers so that the information can no longer be attributed to a specific data subject.

Destruction: The process of permanently and irreversibly deleting or disposing of a record so that it cannot be reconstructed in an intelligible form.

5. Retention Principles

5.1 Purpose Limitation

Personal information shall not be retained for longer than is necessary to achieve the specific, explicitly defined, and lawful purpose for which it was collected (POPIA Section 14(1)).

5.2 Lawful Retention

Records may be retained beyond their primary purpose only where retention is required or authorised by law, reasonably required for lawful purposes related to GISP's functions, required by contract, or where the data subject has consented (POPIA Section 14(1)(a)-(d)).

5.3 Minimum Retention

Where a record has been used to make a decision about a data subject, it shall be retained for a period that affords the data subject a reasonable opportunity to request access to the record (POPIA Section 14(3)).

5.4 Secure Destruction

Once a retention period has expired and no further lawful basis for retention exists, the record shall be destroyed or de-identified in a manner that prevents its reconstruction in an intelligible form (POPIA Section 14(4)-(5)).

5.5 Historical, Statistical, and Research Purposes

Records may be retained beyond their standard retention period for historical, statistical, or research purposes, provided appropriate safeguards are in place to prevent use for any other purpose (POPIA Section 14(2)). In such cases, records shall be de-identified where practicable.

6. Data Retention Schedule

The following schedule sets out the retention periods applicable to data categories processed through the GISP Learning Portal. The Information Officer may, in consultation with relevant staff, adjust retention periods for categories not specified below, provided such adjustments are consistent with POPIA and applicable legislation.

Data Category	Legal Basis / Requirement	Retention Period	Disposal Method
Learner registration data (name, ID, contact, demographics)	Skills Development Act; POPIA s14; SETA reporting	7 years after course completion	Destroy securely or de-identify
SETA demographic data (race, gender, disability, province)	Skills Development Act; Employment Equity Act; B-BBEE reporting	7 years after course completion	Destroy securely or de-identify
Assessment records, grades, quiz attempts	QCTO quality assurance; NQF Act	7 years after last assessment	Destroy securely
Portfolios of Evidence (POE)	QCTO/HWSETA accreditation requirements	7 years after certification	Destroy securely
Course completion and certification records	NQF Act; SAQA/NLRD reporting	Indefinite (historical/statistical)	Retain in de-identified or summary form
Attendance records (online and face-to-face)	Skills Development Act; SETA audit	5 years after programme end	Destroy securely
Forum posts and course activity logs	LMS operational purposes	3 years after course completion	Delete from LMS database
Login and access logs	POPIA s19 (security safeguards); audit trail	2 years from date of log entry	Automated purge
POPIA consent records	POPIA s11; regulatory compliance	Duration of relationship + 5 years	Destroy securely
BigBlueButton session recordings	LMS operational / learner support	1 year after session date	Delete from server
Email notifications and system messages	LMS operational	1 year from date sent	Automated purge
User profile images and uploaded files	POPIA s14 (purpose limitation)	Account deletion + 30 days	Delete from storage
Facilitator/staff records	Basic Conditions of Employment Act; POPIA	7 years after end of engagement	Destroy securely
Backup copies of LMS database	Business continuity; POPIA s19	90 days rolling retention	Overwrite/destroy oldest backups

7. Disposal Procedures

7.1 Electronic Records

Electronic records stored in the LMS shall be permanently deleted from the Moodle database, including all backup copies, using secure deletion methods that prevent reconstruction. Where Moodle's built-in data deletion tools are available (e.g., the Privacy API's data deletion and export functionality), these shall be used. Database records shall be purged, and file system artefacts (uploaded files, recordings) shall be securely removed from the server.

7.2 Physical Records

Any printed copies of learner records, assessment documents, or POE materials shall be securely shredded using a cross-cut shredder. Confidential waste disposal services may be engaged for bulk destruction.

7.3 De-identification

Where records are retained for statistical or research purposes beyond their retention period, all personal identifiers (names, ID numbers, contact details) shall be removed or replaced with pseudonymised identifiers. De-identified records shall be stored separately from any key that could be used to re-identify data subjects.

7.4 Disposal Register

A register of all disposals shall be maintained, recording the data category, volume of records destroyed, method of destruction, date of destruction, and the name of the person who authorised and carried out the disposal. This register shall be retained indefinitely as evidence of compliance.

8. Roles and Responsibilities

Information Officer (Mr S. Jehoma): Overall accountability for this policy, approval of retention periods, authorisation of disposals, handling data subject requests, and ensuring POPIA compliance.

LMS Administrator: Implementation of retention schedules within the Moodle LMS, execution of automated purges, management of backup rotation, and maintenance of the disposal register.

Facilitators: Ensuring that learner data collected during course delivery is uploaded to the LMS and not retained in personal or local storage beyond the session in which it is collected.

Third-Party Service Providers: Compliance with this policy to the extent that they process personal information on behalf of GISP, as governed by written operator agreements in terms of POPIA Section 20-21.

9. Data Subject Rights

Data subjects retain the following rights in relation to their personal information held on the LMS:

• The right to request access to their personal information (POPIA Section 23)
• The right to request correction or deletion of personal information (POPIA Section 24)
• The right to object to the processing of their personal information (POPIA Section 11(3))
• The right to request destruction or de-identification of personal information where GISP is no longer authorised to retain it

Requests should be directed to the Information Officer at info@gisp.org.za. GISP shall respond to valid requests within a reasonable timeframe as required by POPIA.

Note: Certain records may be retained despite a data subject's request for deletion where retention is required by law (e.g., SETA audit requirements, NQF certification records).

10. Breach and Non-Compliance

Any breach of this policy, including unauthorised retention or premature destruction of records, must be reported immediately to the Information Officer. Depending on the nature and severity of the breach, GISP may be required to notify the Information Regulator and affected data subjects in terms of POPIA Section 22.

Staff or facilitators who fail to comply with this policy may face disciplinary action. Third-party service providers who breach this policy may have their agreements terminated.

11. Policy Review

This policy shall be reviewed annually or when triggered by any of the following:

• Changes to POPIA, the Skills Development Act, or other applicable legislation
• Changes to SETA or QCTO reporting requirements
• Significant changes to the data categories processed by the LMS
• A data breach or near-miss incident
• Direction from the Information Regulator

The next scheduled review date is 16 March 2027.

12. Document Information

Document Reference	GISP-POL-DRP-001
Version	1.0
Effective Date	16 March 2026
Review Date	16 March 2027
Information Officer	Mr S. Jehoma