Today the sound of the Isigubhu, again rings out over Africa.  Together we are taking a stand against Fraud, Corruption and Cyber Crime. Whistle-blowing is about “raising a concern about unethical or dishonest conduct within an organisation, or outside an organisation, and which conduct has an impact on the organisation’s operations”.  Secondly organisations also has a legal obligation towards their employees, clients and suppliers to notify them if their Personal Information was illegally accessed during a cyber security breach.  These are key tools to promoting individual responsibility and organisational accountability in combating fraud and corruption and Cyber Crime.

 Together we are beating the drum against corruption and Cyber Crime.

 

Introduction to Tipoffs

Beat the Drum

FAQ’s

Know your Rights

Data Subject & Breach Services

The POPI Act

Liquidation Services

Contact Us

Isigubhu

In the day of our forefathers, when Africa was still dark and mysterious, the sound of the Isigubhu (the drum) would often ring out over the mountains, echo in the valleys and startle the springbok herds on the grass plains. The Isigubhu’s news echoed from one village to the next bringing news of a newborn chief, a king being crowned or to warn one another of pending danger.

Beating the Drum Against Corruption

FAQs

For your convenience, we compiled a list of the most frequently asked questions, and provided a detailed answer to each. If you need an answer to any other question, please contact TipOff’s directly at 0800 112 432.

drums1

  • Why the hotline?

    close
    Why the hotline?

    Answer:

    A client establishes a hotline to provide its stakeholders (clients, contractors, employees, other public entities and the public) with a mechanism whereby they could voice any suspicion of unethical behaviour totally anonymous, without fear of victimisation in any way. This hotline is part of a client’s commitment to zero tolerance against dishonest and unethical behaviour of any of our stakeholders.

  • What is whistle-blowing?

    close
    What is whistle-blowing?

    Answer:

    Whistle-blowing is about “raising a concern about unethical or dishonest conduct within an organisation, or outside an organisation, and which conduct has an impact on the organisation’s operations”. It is a key tool to promoting individual responsibility and organisational accountability in combating fraud and corruption.

  • Who may make use of the hotline?

    close
    Who may make use of the hotline?

    Answer:

    It is not only for employees of a client, but all stakeholders.

  • What should be reported through this hotline?

    close
    What should be reported through this hotline?

    Answer:

    Any knowledge or suspicion of unethical behaviour. Unethical behaviour is a collective term and includes fraud, corruption, theft, nepotism, conflicts of interest, non-compliance with CIDB rules and regulations, favouritism, discrimination, fruitless, wasteful and unauthorised expenditure, abuse of position, any dishonest behaviour, somebody apparently living beyond his means etc.

  • What should not be reported through this hotline?

    close
    What should not be reported through this hotline?

    Answer:

    1. Service complaints regarding CIDB service.

    2. Enquiries such as seeking advice on contractual matters, CIDB legislation or CIDB-related issues.

    The service complaints and enquiries referred to above should be reported to CIDB’s Help Desk (number 0860 1033 53) who will refer the matter to the appropriate CIDB functionary for resolution. If you are unsure whether to submit your report to the CIDB call centre or Tip-Off centre, but still suspect dishonest or unethical activities, please submit your report to the Tip-Off centre.

  • Must I be able to prove my suspicion before calling the hotline?

    close
    Must I be able to prove my suspicion before calling the hotline?

    Answer:

    No. The information contained in your report will be verified and followed up by experienced investigators. You only need to have a reasonable suspicion. This means that you must have information at your disposal (which may yet be unproven) that triggered your suspicion of somebody acting dishonestly or unethically.

  • What is going to happen to my report?

    close
    What is going to happen to my report?

    Answer:

    Legal experts will review your report, and experienced investigators will investigate the suspicion. If the investigation culminates in evidence indicating any criminal, civil or labour law contraventions, we will take the necessary action in line with our commitment to zero tolerance, and the prescription contained in our regulatory framework.

  • Will I really remain anonymous?

    close
    Will I really remain anonymous?

    Answer:

    Yes. The call centre (including the facsimile, postal and e-mail reporting options) is hosted and managed by an external service provider, off site. Strict confidentiality rules apply, even if you provide your personal details to the call centre agents on the condition that dissemination is allowed only to the investigators.

    If you do not provide your personal details to the call centre agents, they would not know your identity, and there will be nothing to disclose. The call centre agents are experienced, and strict confidentiality rules have been included in their employment agreements.

    If you wish to remain anonymous, take care to not disclose the information at your disposal in a way that may give away your identity. By saying “… in the 33 years I have been employed as …”; or “…from my office adjacent to Peter’s …” you will certainly risk being identified.

    Only the external service provider has keys to the Post Office Box where reports may be made through the postal system.

  • If I select to disclose my identity, will I be protected against victimisation?

    close
    If I select to disclose my identity, will I be protected against victimisation?

    Answer:

    Yes, as long as you are bona fide in submitting your report. This means that you should not have any ulterior motives for reporting and act in good faith (e.g. not conjuring a report against somebody on the basis of revenge etc.). Your suspicion should also be reasonable (see question 6 above for what amounts to a reasonable suspicion).

    All whistle-blowers should borne in mind that the victimisation of whistle-blowers is an irregularity and may amount to misconduct (which is a dismissible offence in terms of the Labour Relations Act) and may even result in civil litigation.

    ODAC is a section 21 company, whose mission is to promote transparent democracy, foster a culture of corporate and government accountability, and assist people in South Africa to realise their human rights, specifically relating to whistle-blowing, and the protection afforded by the Protected Disclosures Act. To this end, ODAC has established a helpline through which free, independent and confidential advice is provided to individuals, organisations and businesses which have concerns about misconduct and criminal or unethical conduct in the workplace. The helpline number is 0800 525 352 (0800 LALELA). You may also submit questions to ODAC through its web-based helpline (hyperlink).

    You may also report perceived victimisation to the call centre, which will be investigated.

  • How and where can I report my suspicions?

    close
    How and where can I report my suspicions?

    Answer:

    Your suspicion(s) can be reported in any of the following ways:

    1. Call us toll-free at 0800677772 between 06h00 and 10h00. We also offer 24 hour accessibility through a voice recorded answering service.

    2. Send us a toll-free fax at 088 012 644 1027.

    3. Email us at cidb@tipoffsatwork.co.za.

    4. If you prefer, you may also send us mail at PO Box 10312, Centurion, 0046.

  • How and where can I report my suspicions?

    close
    How and where can I report my suspicions?

    Answer:

    Your suspicion(s) can be reported in any of the following ways:

    1. Call us toll-free at 0800677772 between 06h00 and 10h00. We also offer 24 hour accessibility through a voice recorded answering service.

    2. Send us a toll-free fax at 088 012 644 1027.

    3. Email us at cidb@tipoffsatwork.co.za.

    4. If you prefer, you may also send us mail at PO Box 10312, Centurion, 0046.

  • If I decide to submit a report, what information will I be asked to provide?

    close
    If I decide to submit a report, what information will I be asked to provide?

    Answer:

    Whistle-blowers should bear in mind that the objective of the tip-off line is to utilise the information contained in their reports in an investigation. Thus, there should be sufficient detail to enable the following up of this matter. You will be asked to provide as much detail as possible, as this will assist the investigators in successfully concluding the investigation. For an idea of what will be asked (or what information you should provide if you opt to report via the Post Office Box), please visit our website (hyperlink), where a list of questions is provided.

    If you are unsure whether you have sufficient information, we advise that you still report the matter.

  • Can I obtain feedback on what had happened to my report?

    close
    Can I obtain feedback on what had happened to my report?

    Answer:

    Yes you may require feedback by calling the call-centre on the same number you used for your report. Please note that, to protect your identity as a whistle-blower, no information will be given out without the caller providing a password, and the reference number of the call. The password is the same password provided by the caller when the report had been submitted initially.

    Feedback may also be requested through this website (hyperlink). We encourage you to make use of a free e-mail service (such as Hotmail or Yahoo) to create a temporary e-mail account using a pseudonym, so that the investigators may correspond with you as necessary. This may be helpful in providing you with feedback and pursuing your suspicion.

Knowing Your Rights

Things to Remember

  • The law prohibits legal action being taken against whistleblowers because they have made a disclosure which is protected by the law.
  • Callers/Whistleblowers can make a disclosure anonymously without anyone knowing their personal details.
  • The information provided will be kept confidential both at the call centre and at the case management centre. Limited access is allowed for officials only who work at these venues.
  • Contact details are only provided to investigators where callers request to be contacted for further information.
  • Because of the security protocols of the system, no person can be victimized for making a disclosure in good faith. The call centre operators are all security-vetted and access to the centre is limited. Communication with Departments is done in a secure and confidential manner.

Important Notice

In accordance with section 3 of the Protected Disclosures Act, No. 26 of 2000, no employee may be subjected to occupational detriment by his or her employer on account, or partly on account of having made a protected disclosure. If a disclosure is protected it means that any ‘’occupational detriment’’ that the employee who made the disclosure subsequently suffers as a result of the disclosure will attract a legal remedy. People who are victimized in breach of the Act, whether they are dismissed or not, can refer a dispute to the Commission for Conciliation, Mediation and Arbitration for conciliation and thereafter to the Labour Court. People who are dismissed for making a protected disclosure can either claim compensation up to a maximum amount of two years salary or reinstatement. People who are not dismissed but who are disadvantaged in some other way as a result of making a protected disclosure can claim compensation or ask the court for any other appropriate order.

Services

Data Subject Access Request (DSAR)

Companies gather information on users and customers that use their services. Using this information, they generate what is referred to as data subjects (users’ and customers’ digital profiles). This data can include, addresses, contact details, ID numbers, and more. Data subjects, as per sections 18 and 53 of the Promotion of Access to Information Act, can submit a Subject Access Request (SAR) to any company inquiring what personal data they have on them. We can assist you in compiling a SAR for your data, and if needs be, scan their systems to ensure that you’ve retrieved all your personal data.

ABC Security Incident - March 2022

Notification of Data Breach Service

If your data infrastructure holding users’/ customers’/ employees’ personal information has been compromised, or you believe it has been breached by an unauthorised perpetrator/s, you are required by law to inform someone to direct procedures (regulator) and data subjects (users’, customers’, and employees’ digital profiles) who have been affected, and can be reached or identified. This needs to be completed as soon as possible. Unless this notification would hamper the detection of the breach or the larger investigation. You may also need to formulate a media release to inform the general public if it is a large breach, or you need to reach data subjects without a last known contact. In this published release, which you’ll be distributing to the media, you need to provide sufficient information so those affected by this breach can take protective measures (E.g. cancel credit cards), and what the company will be doing to prevent this in the future. We can help with these processes. It is a highly stressful occurrence, one that’s made immeasurably better with professional help.

Contact us for more information

The POPI Act

Introduction to POPI

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. This right includes the protection against the unlawful collection, retention, dissemination and use of personal information. To this extend the Protection Of Personal Information Act, Act 4 of 2013 was drafted and approved and comes fully into effect on 1 July 2021.

What are your rights?

A data subject has the right to:

  • request personal information that the business holds for free
  • update or destroy personal information that is incorrect, irrelevant, superfluous, misleading or unlawful; an
  • destroy a record of personal information that is unnecessary for the business to keep.

For more information see, click here.

Your Rights regarding the POPI Act

  • Data subject participation: A data subject has the right to:
  • request personal information that the business holds for free;
  • update or destroy personal information that is incorrect, irrelevant, superfluous, misleading or unlawful; and
  • destroy a record of personal information that is unnecessary for the business to keep.
  • Accountability: Businesses must ensure that the information processing principles are adhered to.
  • Processing restriction: Processing must be done lawfully, and personal information may only be processed if it is sufficient, relevant and not excessive given the purpose for which it is processed.
  • Specific purpose: Personal information must be collected for a specific, and defined and legal purpose in relation to a function or activity of the business concerned.
  • Transparency: Certain prescribed information must be provided to the data subject by the business, including the information collected, the name and address of the responsible party, the purpose for which the information is collected and whether the information provided by the data subject is voluntarily or mandatory.
  • Further processing restrictions: This is where personal information of a third party is received and transferred to another responsible party for processing.
  • Security measures: The business must protect the integrity of the personal information in its possession and under its control by ensuring that measures are in place to prevent loss of, damage to or unauthorised destruction of personal information.

Get Answers on the POPI Act

What is personal information?

Personal information is a broad term and relates to an identifiable, natural or legal entity and includes, but is not limited to:

  • Contact information – telephone number, email address etc.
  • Private correspondence
  • Biometric information – blood group etc.
  • Demographic information – age, gender, race, date of birth, ethnicity etc.
  • Opinions of and about a person or group.
  • History – employment, financial information, medical history, criminal history as well as educational history.

The POPI Act applies to every business in South Africa (even international companies that does business in South Africa) that collects, uses, stores or destroy personal information from a data subject (the natural or legal entity to whom the information belongs), whether or not such processing is automatic.

What are the obligations of businesses under the POPI-Act?

Some of the obligations include:

  • To only collect information for a specific purpose
  • to ensure that the information is relevant and up to date
  • to have reasonable security measures in place to protect the information
  • to only keep the necessary information; and
  • to allow the data subject to obtain or view his or her information on request.

Legal processing of personal information

Some of the obligations include:
What is processing?

Processing involves anything that is done with personal information and includes the collection, use, storage, dissemination, modification or destruction of personal information (regardless of whether the processing is automatic).

May personal information be sent abroad, and can information be sent back to South Africa?

The answer is yes, but there are restrictions that will depend on the laws of countries to which the information is sent and where the information comes from. It is especially cloud-based systems that can cause problems with POPI.

Should businesses provide an opt-in or opt-out option for direct marketing?

Every business should use an opt-in and opt-out option when contacting a data subject for marketing purposes. Many companies already offer the option when sending messages via SMS and many emails sent to data subjects for marketing purposes offer the option to dele the data subject’s email address. This option must be offered so that the data subject understands what he or she consents or objects to.

How long may personal information be kept by a company?

Any person’s information may not be kept longer than necessary to achieve the purpose for which it was collected.

Can a business that violates the POPI Act get into trouble?

The POPI Act has strict regulations that every company must comply with and depending on the nature of the offense, businesses as well as individuals can be punished. Offenders can be fined up to R10 million and can even be jailed. Each business has 12 months (from 1 July 2020) to fully comply with this Act.

Companies will need to pay attention to the following aspects to ensure they are on the right side of the law:

  • Reviewing and updating all customer, supplier and third-party agreements
  • Implement technical and organisational measures to protect and prevent unauthorised access to and obtaining of personal information
  • Preparation of consent documentation and private notices
  • Reconsider and/or implement measures for identified boundary flow of personal information – seek prior information from the Information Regulator and implementation of data transfer agreements
  • Developing a culture of privacy by training staff, updating and implementing of policies and procedures, and implementing awareness campaigns
  • Implementing a data breach and incident response plan and policy
  • Implementing a data access management system for the data subject in accordance with the POPI and PAIA legislation

Contact Us

If you are unable to contact us using the contact information above, simply fill out this form as a request to have one of our advisors contact you.