Protection of Personal Information Policy (POPIA)

Supreme ICT Academy (Pty) Ltd

1. Purpose and Scope

This Policy sets out how Supreme ICT Academy (Pty) Ltd, trading as Supreme ICT Academy (SICTA), collects, processes, stores, and protects personal information in compliance with:

• Protection of Personal Information Act, 2013 (Act No. 4 of 2013) – POPIA
• Quality Council for Trades and Occupations (QCTO) requirements
• Sector Education and Training Authority (SETA) requirements
• South African Qualifications Authority (SAQA) requirements

This Policy applies to all learners, employees, facilitators, assessors, moderators, clients, service providers, and other stakeholders.

2. Legislative and Regulatory Alignment

This Policy is aligned with the following frameworks:

• POPIA – Sections 8–25 (Conditions for Lawful Processing)
• QCTO Delegated Quality Assurance Model
• SETA Accreditation and Monitoring Guidelines
• SAQA NQF and Learner Records Database (NLRD) requirements

3. Purpose of Collecting Personal Information

SICTA collects and processes personal information for legitimate educational, operational, and regulatory purposes, including but not limited to:

• Learner enrolment, registration, and administration
• Delivery of accredited qualifications, skills programmes, and short courses
• Assessment, moderation, certification, and learner progression tracking
• Submission of learner records to SETA Management Information Systems (MIS) and the SAQA NLRD
• Quality assurance audits, verifications, and site visits by QCTO and SETAs
• Compliance with funding, reporting, and legislative obligations
• Communication related to training, assessments, and academic support

4. Lawful Basis for Processing

Personal information is processed lawfully in accordance with POPIA on one or more of the following grounds:

• Consent provided by the data subject
• Performance of a training or employment contract
• Compliance with legal and regulatory obligations
• Legitimate interests of SICTA as an accredited training provider
• Public interest relating to education, skills development, and quality assurance

5. Categories of Personal Information

SICTA may process the following categories of personal information:

• Identity and contact information
• Educational history and qualifications
• Assessment results and learner portfolios of evidence
• Employment and workplace placement records
• Accreditation, assessor, and moderator credentials
• Financial and billing information (where applicable)

6. Sharing of Personal Information

Personal information may be shared without consent where required for:

• SETA and QCTO learner registration and reporting
• SAQA NLRD uploads and verification
• Accreditation audits, monitoring visits, and compliance inspections
• Statutory reporting obligations
• Protection of SICTA’s legal and contractual rights

All disclosures are limited to what is strictly necessary.

7. Third-Party Processors and Service Providers

SICTA may use third-party systems and service providers such as:

• Learning Management Systems (LMS)
• Examination and certification bodies
• Cloud hosting and data storage providers
• SETA and QCTO reporting platforms

All third parties are contractually bound to comply with POPIA and maintain appropriate confidentiality and security safeguards.

8. Storage, Retention, and Security Safeguards

SICTA implements reasonable technical and organisational measures to protect personal information, including:

• Access control and role-based permissions
• Secure digital storage and backups
• Physical security of learner records
• Confidentiality agreements with staff and contractors

Learner and accreditation records are retained for periods required by:

• POPIA
• SETA and QCTO record-keeping rules
• SAQA NLRD submission requirements

9. Cross-Border Data Transfers

Where personal information is processed or stored outside South Africa (e.g., cloud platforms or international certification bodies), SICTA ensures that:

• The receiving party provides adequate data protection safeguards, or
• The transfer is authorised by POPIA and contractual safeguards are in place

10. Data Subject Rights

Data subjects have the right to:

• Access their personal information
• Request correction or deletion of inaccurate or outdated data
• Object to unlawful processing
• Withdraw consent where processing is consent-based
• Lodge a complaint with the Information Regulator

Requests must be submitted in writing to the Information Officer.

11. Data Breach Management

In the event of a personal information security compromise, SICTA will:

• Investigate and mitigate the breach
• Notify affected data subjects
• Notify the Information Regulator as required by POPIA

12. Children and Learners Under 18

Where learners are minors, SICTA processes personal information only with the consent of a parent or legal guardian, in line with POPIA and education sector requirements.

13. Information Officer

SICTA has appointed an Information Officer responsible for POPIA compliance and regulatory liaison. 

• Information Officer: Supreme ICT Academy (Pty) Ltd – Ms Phumla Mtshali
• Email: phumla.mtshali@supremeictacademy.co.za

14. Review and Amendments

• This Policy is reviewed periodically to ensure continued compliance with POPIA, QCTO, SETA, and SAQA requirements.
• The latest version published on the SICTA website supersedes all previous versions.

15. Regulatory References (Official Sources)

• POPIA – Government of South Africa https://www.gov.za/documents/protection-personal-information-act
• Information Regulator (South Africa) https://www.justice.gov.za/inforeg/
• QCTO https://www.qcto.org.za
• SAQA https://www.saqa.org.za
• SETA Oversight (DHET) https://www.dhet.gov.za