Effective Date: 16/03/2026 Last Updated: 16/03/2026
GovSkills Academy is a premier provider of capacity-building and specialised digital training programmes for South African municipalities, public institutions, and government officials. In the execution of our mandate to deliver high-quality, verifiable education in fields such as Integrated Development Planning (IDP), Local Economic Development (LED), and Municipal Finance, we process the personal information of learners, municipal coordinators, facilitators, and suppliers.
We recognise that the right to privacy is a fundamental human right enshrined in Section 14 of the Constitution of the Republic of South Africa, 1996. Furthermore, we are irrevocably committed to strict adherence to the Protection of Personal Information Act No. 4 of 2013 (POPIA). This policy serves as the official framework governing how GovSkills Academy collects, processes, stores, and destroys personal information, ensuring that all data processing activities are conducted lawfully, reasonably, and transparently.
The primary objective of this POPIA Compliance Policy is to:
Establish a clear, legally sound framework for the processing of personal information within GovSkills Academy.
Ensure all employees, contractors, and third-party operators understand their legal obligations regarding data protection.
Protect GovSkills Academy from the compliance risks associated with data breaches, including reputational damage, regulatory fines, and civil litigation.
Provide municipal clients and individual learners with absolute assurance that their personal data is managed with the highest degree of security and confidentiality.
This policy applies comprehensively to all internal and external stakeholders interacting with GovSkills Academy’s data ecosystems. This includes:
Internal Staff: All full-time and part-time employees, directors, and executives.
Contractors: Freelance facilitators, curriculum developers, web designers, and IT consultants.
Operators: Third-party service providers who process personal information on behalf of GovSkills Academy (e.g., cloud hosting providers, learning management system developers, and payment gateways).
This policy covers all personal information processed by GovSkills Academy, regardless of the medium. It applies to electronic records stored on our digital learning platform, emails, physical paper records, financial transaction histories, and academic performance data.
To ensure clarity and uniform interpretation of this policy, the following statutory definitions from POPIA apply:
“Data Subject” refers to the person (natural or juristic) to whom the personal information relates. In our context, this includes enrolled learners, municipal clients, and staff members.
“Responsible Party” refers to the entity that determines the purpose of and means for processing personal information. For the purposes of this policy, GovSkills Academy is the Responsible Party.
“Operator” refers to a person or entity who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
“Processing” means any operation or activity concerning personal information, including collection, receipt, recording, structuring, storage, updating, distribution, and erasure.
“Personal Information” means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person.
“Special Personal Information” means highly sensitive information concerning a data subject’s religious beliefs, race, ethnic origin, trade union membership, political persuasion, health, sex life, biometric information, or criminal behaviour.
GovSkills Academy strictly adheres to the eight core conditions for the lawful processing of personal information as mandated by Chapter 3 of POPIA. All internal processes, platform architectures, and municipal onboarding procedures are designed around these conditions.
GovSkills Academy assumes ultimate accountability for ensuring that the conditions for lawful processing are fully implemented. The appointed Information Officer is responsible for auditing internal systems, enforcing compliance, and acting as the primary liaison with the Information Regulator. We ensure that our training platform, administrative portals, and data storage solutions are structurally compliant by design.
Personal information is processed by GovSkills Academy only in a fair, lawful, and non-intrusive manner.
Minimisation: We collect only the data that is strictly necessary to provide our educational services, issue professional certificates, and maintain financial records.
Justification: Processing is only undertaken if justified by a clear legal ground. Primarily, this includes fulfilling a contractual obligation (delivering a purchased course to a learner or municipality), complying with statutory requirements, pursuing our legitimate business interests, or processing data with the explicit consent of the data subject.
We collect personal information for specific, explicitly defined, and lawful purposes.
Data collected during the enrolment process is used exclusively to provision access to the digital learning platform, track academic progress, generate compliance reports for municipal employers, and issue verifiable certification.
Data subjects are made fully aware of the purpose of collection at the point of data entry via our Privacy Policy and website terms.
Once the purpose has been fulfilled, and subject to statutory retention periods, the information is securely archived, de-identified, or destroyed.
GovSkills Academy prohibits the “further processing” of personal information in a manner that is incompatible with the original purpose of collection.
Information collected for the purpose of municipal training will never be sold, rented, or distributed to third-party marketers or external commercial entities.
If GovSkills Academy intends to use existing data for a new purpose (e.g., launching a new alumni newsletter), we will conduct a compatibility assessment. If the new purpose is not closely related to the original training mandate, explicit opt-in consent will be obtained from the data subject.
We take reasonably practicable steps to ensure that the personal information we process is complete, accurate, not misleading, and updated where necessary.
Learners are granted direct access to their user profiles within the digital learning platform, empowering them to review and update their contact details and professional designations.
Municipal coordinators are required to ensure the accuracy of the personnel rosters they submit for bulk enrolments.
GovSkills Academy operates with absolute transparency. We maintain an accessible, publicly available Privacy Policy on our website that details:
The specific categories of information we collect.
The names and locations of our third-party operators (e.g., payment gateways).
The rights of the data subject.
The contact details of our Information Officer. Where necessary, point-of-collection notices are displayed to ensure learners are aware of how their assessment scores and progress data will be shared with their municipal employers.
Protecting the integrity and confidentiality of personal information is our highest operational priority. GovSkills Academy implements rigorous technical and organisational measures to prevent loss, damage, or unauthorised access to data.
Technical Safeguards: All digital interactions are secured via SSL/TLS encryption. Our Learning Management System (LMS) and databases are hosted on secure servers featuring enterprise-grade firewalls, intrusion detection systems, and automated vulnerability scanning.
Organisational Safeguards: Employee access to the backend database is strictly governed by the principle of “least privilege.” Administrative personnel can only access the data required to perform their specific duties. All staff are required to sign strict non-disclosure agreements (NDAs) and undergo POPIA compliance training.
Operator Security: We enter into binding, written Data Processing Agreements with all third-party operators, mandating that they establish and maintain security measures equivalent to or exceeding those of GovSkills Academy.
We facilitate the exercising of data subject rights without undue delay or administrative friction. Learners and municipal clients have the right to request access to their records, demand the correction of erroneous data, or request the deletion of their profiles (subject to overriding retention laws). Detailed procedures for these requests are outlined in Section 7 of this policy.
Given the nature of our business as a professional municipal training academy, GovSkills Academy generally does not require, nor do we intentionally collect, Special Personal Information (e.g., race, trade union membership, health status, or political affiliation).
If a specific government skills-development grant or municipal reporting requirement mandates the collection of such information (e.g., demographic data for Broad-Based Black Economic Empowerment (B-BBEE) reporting), we will only process this data if:
The data subject has provided explicit, written consent.
The processing is strictly necessary for the establishment, exercise, or defence of a right or obligation in law.
The courses and certifications provided by GovSkills Academy are designed exclusively for adult professionals and civil servants. We do not offer services to individuals under the age of 18. Consequently, we do not knowingly collect or process the personal information of children. If it is discovered that a minor has bypassed our age restrictions to create an account, their data will be immediately and permanently purged from our servers.
Achieving sustained POPIA compliance requires a coordinated organisational effort. The following roles are established within GovSkills Academy to govern data protection.
In accordance with Section 55 of POPIA, GovSkills Academy has appointed a designated Information Officer. This individual is formally registered with the Information Regulator of South Africa. The duties of the Information Officer include:
Developing, publishing, and maintaining this POPIA Compliance Policy.
Conducting regular internal data privacy impact assessments.
Ensuring that comprehensive data mapping exercises are undertaken to track the flow of personal information through the organisation.
Facilitating POPIA awareness training for all staff members.
Acting as the primary point of contact for data subjects and the Information Regulator regarding any queries, access requests, or breach notifications.
The executive leadership of GovSkills Academy is responsible for fostering a culture of privacy and allocating sufficient financial and technological resources to ensure the Information Officer can execute their mandate effectively.
Every employee and contractor working for GovSkills Academy is legally and contractually obligated to handle personal information strictly in accordance with this policy. Non-compliance constitutes a severe breach of contract and may result in immediate disciplinary action, termination of employment, or civil litigation.
GovSkills Academy respects the statutory rights granted to data subjects under POPIA and the Promotion of Access to Information Act (PAIA).
Data subjects may request confirmation of whether GovSkills Academy holds personal information about them. Furthermore, they may request a detailed record or description of the information held, as well as the identities of all third parties who have had access to it.
Procedure: Requests must be submitted in writing to the Information Officer using the prescribed Form 2 as published by the Information Regulator. We reserve the right to verify the identity of the requester before disclosing any records.
Timeframe: We will respond to all access requests within the statutorily mandated timeframe of 30 days.
Data subjects have the right to request the correction of inaccurate, irrelevant, excessive, or outdated information. They may also request the destruction or deletion of their personal data if GovSkills Academy is no longer authorised to retain it.
Procedure: Requesters must submit Form 2 to the Information Officer. Upon verification, the technical team will amend the database or securely delete the record.
Exceptions: We may decline a deletion request if the retention of the data is required by law (e.g., South African Revenue Service tax records) or is necessary to maintain the integrity of a municipal compliance report previously submitted.
Data subjects may object, on reasonable grounds, to the processing of their personal information where we rely on “legitimate interests” as our justification. Objection to direct marketing is absolute; if a user unsubscribes from our mailing list, all marketing communication will cease immediately.
Despite rigorous security architectures, the threat of cyber-attacks and human error remains. GovSkills Academy has established a strict protocol for managing suspected or actual data breaches (Security Compromises).
Any employee or contractor who suspects that personal information has been compromised must report it to the Information Officer immediately. The technical team will initiate an emergency containment protocol to isolate affected servers, revoke compromised access credentials, and prevent further data leakage.
If there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, GovSkills Academy is legally obligated under Section 22 of POPIA to notify:
The Information Regulator: Notification will be made as soon as reasonably possible after the discovery of the compromise.
The Affected Data Subjects: Notification will be made in writing via email or posted prominently on our website.
Any breach notification issued by GovSkills Academy will be transparent and actionable, providing:
A description of the possible consequences of the security compromise.
A description of the measures taken (or proposed to be taken) by the Academy to remedy the breach.
A recommendation of the measures that the data subject should take to mitigate the possible adverse effects (e.g., changing passwords or monitoring credit reports).
The identity of the unauthorised person who accessed the data, if known.
To deliver a world-class digital learning experience, GovSkills Academy utilises global cloud infrastructure and best-in-class software solutions. As such, personal information may be transmitted to, or stored on, servers located outside the borders of the Republic of South Africa.
GovSkills Academy will only transfer personal information to a foreign jurisdiction if one of the following conditions is met:
The third party receiving the data is subject to binding corporate rules, an international agreement, or foreign legislation that provides an adequate level of data protection substantially similar to POPIA (e.g., the General Data Protection Regulation (GDPR) in the European Union).
The data subject consents specifically to the cross-border transfer.
The transfer is strictly necessary for the performance of the educational contract between GovSkills Academy and the learner or municipality.
GovSkills Academy will not retain personal information for any longer than is necessary for achieving the purpose for which it was collected.
Learner Academic Records: Retained indefinitely to allow learners to verify their credentials and access replacement certificates throughout their careers in the public sector.
Financial and Billing Data: Retained for a minimum of five (5) years to comply with the statutory requirements of the South African Revenue Service (SARS) and the Companies Act.
Inactive Prospects: Data collected from requests for training proposals that do not result in a contract will be purged after 24 months.
When personal information has reached the end of its retention lifecycle, it must be destroyed securely.
Digital Records: Will be permanently deleted from all active databases and overwritten on backup servers to prevent recovery.
Physical Records: Any paper-based records containing personal information will be destroyed using cross-cut shredding prior to disposal.
This POPIA Compliance Policy is a living document. The Information Officer will review this framework annually, or immediately following any significant changes to South African data protection legislation, directives issued by the Information Regulator, or major alterations to our digital learning infrastructure.
Updates to this policy will be communicated to all internal staff, and the revised version will be published on the GovSkills Academy website.
