Handling of Personal Information

Data Privacy Notice

THE WEBSITE https://www.thecortexhub.africa/ IS OWNED BY Cortex Hub PTY

We care about your privacy.

This Privacy Notice explains how we collect and use your personal data. Please read it carefully. If you have any questions about this Privacy Notice, or if you want to enforce your rights, please get in touch with us at media@thecortexhub.africa or (+27) 87 265 8561.

This section provides a brief summary. To find out more, please read our Information Security Policy below.

Cortex Hub is an Innovation Hub with the sole location at 33 Church Street, East London, Eastern Cape, South Africa.

The controller of personal data collected through our website is Cortex Hub. If your personal data is collected offline, then Cortex Hub will be the controller of your personal data.

Your personal data may also be shared between Incubates based out of the Hub. Don't worry; we've put measures in place to keep your personal data safe, whichever associated in-house partner entity processes it.

What Personally Identifiable Information (PII) do we Process?

Our forms generally require the following personal information for some of the initiatives or programs that we run.

  • Email Address

  • First Name

  • Last Surname

  • Personal E-mail

  • Contact Number

  • Gender

  • Country

  • LinkedIn Profile link

  • Twitter Profile link

  • Facebook Profile link

... and any other detail which may occasionally be required for a specific project.

"Personal data" in this Privacy Notice has the same meaning as in the Protection of Personal Information Act (POPI Act).

Essentially, it means information which is connected to a living individual who can be identified from that information, either by itself or when combined with other data likely to come into our possession. Personal data can include information collected by certain cookies or tracking technologies if it builds up a profile of you.

We collect and use personal data in order to carry out a business which provides educational services. Any other activities and processing which we carry out are to support this primary aim. Our purposes and lawful grounds for processing your personal data vary depending on our relationship with you and the activity in question. We will never sell your personal data.

We will only keep your personal data for as long as necessary to fulfil the purposes for which we collected and continue to process it and to satisfy any legal, accounting or reporting requirements.

Where applicable, we respect your data protection rights, including the right to request access, rectification, restriction, deletion or "porting" of your data, and to object to our use of your data, including for marketing. We do not make decisions about you based on electronic profiling. You also have the right to complain to the applicable data protection Supervisory Authority, but please contact us first so that we can address your concerns.

Information Security Policy

1.1 Introduction
This document encompasses the security surrounding confidential company information and is distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming that they have read and fully understand this policy. This document is reviewed and updated by Management annually or, when relevant, to incorporate newly developed security standards into the policy, and is then distributed to all employees and contractors as applicable.


1.2 Information Security
Cortex Hub handles sensitive personal information daily. Sensitive Information must have adequate safeguards in place to protect it, to protect personal privacy, to ensure compliance with various regulations and to guard the future of the organisation.
Cortex Hub commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. To this end management are committed to maintaining a secure environment in which to process personal information so that we can meet these promises.
Employees and Volunteers handling sensitive personal data ensure that they:

  •  Handle Company and personal information in a manner that fits with their sensitivity;

  •  Are aware that Cortex Hub reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;

  • Do not use e-mail, internet and other company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;

  • Do not disclose personnel information unless authorised;

  • Protect sensitive personal information;

  • Keep passwords and accounts secure;

  • Request approval from management prior to establishing any new software or hardware, third party connections, etc.;

  • Do not install unauthorised software or hardware, including modems and wireless access, unless they have explicit management approval, which is managed through local admin access rights / manager approval;

  • Always leave desks clear of sensitive personal data and lock computer screens when unattended;

  • Ensure information security incidents are reported, without delay, to a company Director for incident response locally.

  • All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.

We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.

1.3 Acceptable Use Policy
The management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Cortex Hub’s established culture of openness, collaboration, trust and integrity. Management is committed to protecting the employees, partners and personnel from illegal or damaging actions by individuals, either knowingly or unknowingly.

  •  Employees are responsible for exercising good judgment regarding the reasonableness of personal use.

  • Employees should take all necessary steps to prevent unauthorized access to confidential data which includes sensitive personal data.

  • Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.

  • All PIN entry devices should be appropriately protected and secured so they cannot be tampered with or altered.

  • Because information contained on portable computers is especially vulnerable, special care should be exercised when they are taken off site.

  • Postings by Employees from a Company email address to newsgroups or any form of public/online media should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Cortex Hub, unless posting is in the course of business duties.

  • Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

1.4 Disciplinary Action
Violation of the standards, policies and procedures presented in this document by an employee will result in disciplinary action, from warnings or reprimands up to and including termination of employment. Claims of ignorance, good intentions or using poor judgment will not be used as excuses for non-compliance.


1.5 Protect Stored Data & working in a Secure Area
All sensitive personal data stored and handled by Cortex Hub and its employees must be securely protected against unauthorised use at all times. Any sensitive personal data that is no longer required for business reasons is discarded in a secure and irrecoverable manner.
Access to the Hub is controlled via keys and biometrics. All Cortex Hub staff receive a fob and also have a key to our office. As our premises are in a shared area, we always ensure the threshold door (i.e. the door to our office) is locked with a key when the office is unattended.

1.6 Classification of Information procedure
1.6.1 Information Classification and the treatment of Data & Media
All Cortex Hub data, and all media containing data, is treated as confidential, except for public data.
Directories are configured to reflect this. Consideration is given to all documents when they are created whether they are confidential or public. By default, all documents are treated as confidential in the first instance to avoid the risk of data loss/leakage.
Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to Cortex Hub if disclosed or modified.
Sharing of data (either by written or oral means) by Cortex Hub personnel (or authorised entities such as resellers) is treated in the strictest confidence. All emails sent from @cortexhub.africa or .com registered email accounts contain the following statement:

"NOTICE: This email, its contents and any attachments are strictly confidential and may contain privileged information; please do not distribute without seeking permission from Cortex Hub first. If you are not the intended recipient of this email message, please notify the sender immediately and do not distribute, disclose or otherwise use this email and any attachments."

Categories of data/media include:

  • Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure, such as personnel data;

  • Public data is information that may be freely disseminated. An example of this data is information on our website and that held at Companies House, which is freely available to all;

  • Company data might include information like company accounts, trade agreements, supplier contracts etc.;

  • Client Data part I might include information like client contracts, pricing information etc.;

  • Client Data part II: additionally, due to the nature of our business we do receive clients' staff and/or prospective staff records where the client submits sample files for analysis. This information is held separately on our servers with restricted access based upon staff profiles.

All staff are aware of the confidential nature of our business and non-adherence is a disciplinary offence.
Any breaches should be treated as an incident and escalated to a director immediately.

1.7 Access to sensitive personal data
All access to sensitive personal data should be controlled and authorised. Any job functions that require access to personal data are clearly defined.
Access to sensitive personal information such as passport, visa and biometric card data is restricted to employees that have a legitimate need to view such information.
No other employees should have access to this confidential data unless they have a genuine business need.
If personal data is shared with a Service Provider (third party), then a list of such Service Providers is maintained as detailed in Appendix D.
Cortex Hub has a written agreement (part of our contract) in place that includes an acknowledgement that the Service Provider is responsible for the personal data that the Service Provider possesses.
Cortex Hub ensures that there is an established process, including proper due diligence, in place before engaging with a Service Provider.

1.8 Physical Security
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
Media containing sensitive personal information must be handled and distributed in a secure manner by trusted individuals.
Visitors must always be escorted by a trusted employee when in areas that hold sensitive personal information.
Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where personal data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and any other volunteer personnel, and consultants who are “resident” on Cortex Hub sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the premises for a short duration who are not an employee of Cortex Hub, usually not more than one day.
Strict control is maintained over the external or internal distribution of any media containing sensitive personal data, and such distribution has to be approved by management.
Strict control is maintained over the storage and accessibility of media. All computers that store sensitive personal data must have a password-protected screensaver enabled to prevent unauthorised use (this can be enforced through group policies).

1.9 Encryption Policy
The value of the data that requires protection and the system storing the data need to be considered carefully.
Physical security refers to being able to control access to the system’s storage media. All encryption methods detailed are applicable to desktop and mobile systems.
A defence-in-depth approach is recommended when evaluating and deploying encryption products. Where hardware allows, Cortex Hub ensures that full disk and/or boot disk encryption is combined with file/folder encryption in order to provide two “layers” of encryption to protect data in the event the first layer is compromised.
We take a pragmatic view which requires:

  • For computers taken off site, BitLocker disk encryption is used together with Windows password security and, finally, a timed screen-saver lock. The BitLocker unlock key is stored (where available) in the TPM. A backup is stored on our servers under the control of our IT director.

  • For mobile phones and tablets, we insist that at a minimum the device has a password/fingerprint/equivalent prompt to log in, with a timed lock-out. Where deemed necessary by Cortex Hub, our IT director will advise on appropriate encryption software.

  • Sensitive files (e.g. personnel records) are stored in the MD’s personal file directory and kept in a locked cabinet to prevent unauthorised access. Where deemed necessary by Cortex Hub, our IT director will advise on appropriate encryption software.
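A compliance check for the off-site laptop controls above (BitLocker protection on, unlock key held by the TPM, a recovery password available to back up, and a timed password-protected screen saver), written as an added example for this page rather than a script Cortex Hub publishes. It assumes a Windows 10/11 host with the BitLocker and TrustedPlatformModule PowerShell modules, run from an elevated prompt, and treats 15 minutes as the screen-saver timeout threshold, a value the policy leaves unspecified.

```powershell
# Added example: checks a Windows laptop against the section 1.9 off-site controls.
# Assumptions: Windows 10/11, elevated PowerShell, BitLocker and
# TrustedPlatformModule modules present. The 15-minute timeout is an assumed
# threshold; the policy only requires a "timed" screen-saver lock.

$MaxScreenSaverSeconds = 900

function Get-ScreenSaverSetting {
    # Group Policy values take precedence over the user's own Control Panel
    # settings, so read the policy key first and fall back to the per-user key.
    $keys = @(
        'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
        'HKCU:\Control Panel\Desktop'
    )
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.PSObject.Properties['ScreenSaveActive']) { return $p }
    }
    return $null
}

function Test-OffsiteEncryptionPolicy {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $r = [ordered]@{ MountPoint = $MountPoint }

    # Layer 1: full-disk encryption of the OS volume with protection switched on
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $r.BitLockerProtectionOn = ($vol.ProtectionStatus -eq 'On')

    # Unlock key held by the TPM (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey)
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $r.TpmKeyProtector = (@($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0)

    # A numerical (recovery) password is what gets escrowed to the servers;
    # without one there is nothing to keep under the IT director's control.
    $r.RecoveryPasswordPresent = ($types -contains 'NumericalPassword')

    # The TPM itself must be present and initialised for the protector to work
    $tpm = Get-Tpm
    $r.TpmReady = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

    # Timed screen-saver lock that demands the Windows password on resume
    $ss = Get-ScreenSaverSetting
    $r.ScreenSaverLocks = ($null -ne $ss -and
        $ss.ScreenSaveActive -eq '1' -and
        $ss.ScreenSaverIsSecure -eq '1' -and
        [int]$ss.ScreenSaveTimeOut -gt 0 -and
        [int]$ss.ScreenSaveTimeOut -le $MaxScreenSaverSeconds)

    $checks = 'BitLockerProtectionOn', 'TpmKeyProtector', 'RecoveryPasswordPresent',
              'TpmReady', 'ScreenSaverLocks'
    $r.Compliant = -not ($checks | Where-Object { -not $r[$_] })
    return [pscustomobject]$r
}

Test-OffsiteEncryptionPolicy | Format-List
```

Any field reported as False names the control that fails; a laptop should not leave the premises until Compliant is True.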

Our Office Manager evaluates market developments in security and recommends appropriate response/defensive measures that are practically implementable to the board for consideration.

1.10 Backup Policy
Data control is a critical process for Cortex Hub. All electronic files are backed up continuously via a removable hard drive. The drive is removed from the premises each week and kept off site by either the Office Manager or a designated person. In the event of server failure, the backup will be installed on external servers by our Office Manager. Restores are tested at least annually.

1.11 Protect Data in Transit
All sensitive personal data must be protected securely if it is to be transported physically or electronically.

  • Sensitive personal data (Passport, visa, Biometric card etc.) must never be sent over the internet via email, instant chat or any other end user technologies except where encryption is used.

  • The transportation of media containing sensitive personal data to another location must be authorised by management, logged and inventoried before leaving the premises. Where external parties are engaged, only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.

1.12 Protect data transmission
All sensitive communications are either password protected or require digital certification.
Where a client requests it, we will use their security protocol if possible to help with data protection (e.g. use of encrypted email communication).

1.13 Disposal of Stored Data
All data must be securely disposed of when no longer required by the Cortex Hub, regardless of the media or application type on which it is stored.
A process exists to permanently delete on-line data, when no longer required.
Any confidential data held on paper which is no longer required is shredded and incinerated.
Cortex Hub has procedures for the destruction of electronic media. These require:

  • All personal data on electronic media must be rendered unrecoverable when deleted e.g. through degaussing or the physical destruction of the media;

  • If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.

1.14 Security Awareness and Procedures
The policies and procedures outlined below are incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.

  • Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.

  • Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document.

Company security policies are reviewed annually and updated as needed.

1.15 Security Management / Incident Response Plan
'Security incident' means any incident (accidental, intentional or deliberate) relating to our communications or information processing systems. The attacker could be a malicious stranger, a competitor, or a disgruntled employee, and their intention might be to steal information or money, or just to damage our company.
The Incident Response Plan has to be tested once annually. Copies of this incident response plan are made available to all relevant staff members, and steps are taken to ensure that they understand it and what is expected of them. These go hand in hand with the Business Continuity Plan in Section 2.1.
Employees of Cortex Hub are expected to report any security-related issues to the Office Manager.
When a security incident occurs, or is suspected, the Managing Director should investigate as follows:

  • Try to identify at a high level what damage has been done. Has sensitive information about Cortex Hub or its customers possibly been stolen, or changed without permission, or destroyed/deleted? Make an estimate of how sensitive this information is, and how many people have possibly been affected.

  • Upon confirmation that a security breach has occurred, the Office Manager will alert senior management and begin informing all relevant parties that may be affected by the compromise.

  • If there is no immediate threat, start a written event log by noting date and time of all actions.

  • The first priority is to limit the damage to our customers and company, but the next highest priority should be to try and preserve information about the attack.

  • If the attack affected computers, make every effort NOT to use the computers: DO NOT log on to them, and DO NOT turn them off (doing so destroys forensic evidence of what the attackers did and how they did it). DO disconnect them from all networks and connections.

If it is absolutely critical that the computers be used, make copies of any relevant files on a backup drive, DVD, or similar, before using them again.

1.16 Network security
Firewall technology is implemented where the Internet enters the Cortex Hub network to mitigate known and ongoing threats. Firewalls are also implemented to protect local network segments and the IT resources that attach to those segments, such as the business network and the open network.
The firewall rules are reviewed as necessary.
No direct connections from the Internet to the personal data environment are permitted; all traffic has to traverse a firewall.

1.17 System and Password Policy
All users, including contractors and vendors with access to Cortex Hub systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords. The IT Director is responsible for the selection of the most appropriate password methodology.

  • All system-level passwords (e.g., root, enable, Windows Administrator, application administration accounts, etc.) must be changed at least every 6 or 12 months.

  • All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every six months.

  • Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public", "private" and "system", and must be different from the passwords used to log in interactively.

  • Passwords must be a minimum of 6 characters and must combine uppercase, lowercase, numerical and special characters.

1.18 System change control procedure
This section specifically relates to our own in-house developed software release process. (User software, e.g. Microsoft, antivirus etc., is controlled by user profiles/privileges by our Office Manager.) All projects undertaken consider any impact on data security.
See our secure development policy for controls around unit testing, UAT and acceptance of developed software changes. For a client release of software the following steps are taken (usually via email):

  • Our Development director notifies that a tested release is available to be released to our end clients;

  • A company director (usually the Operations director) checks the support capacity of Cortex Hub and, provided that:

    • staffing levels are adequate, and

    • testing has been confirmed as passed,

    gives sign-off, copying our service personnel;

  • Software is released to clients;

  • Support are placed on high alert and monitor for any exceptions.

Periodically (usually every month) Cortex Hub sends out a newsletter which will highlight events or changes as well as general news updates to our clients.

1.19 Retention of Data
Data is only kept where necessary.
Categories of data/media include:

  • Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure, such as personnel data; this is kept indefinitely.

  • Public data is information that may be freely disseminated. An example of this data is information on our website and that held at Companies House, which is freely available to all. No deletion policy applies.

  • Company data might include information like company accounts, trade agreements, supplier contracts etc.; this data is kept for the trading life of the company.

  • Client Data part I might include information like client contracts, pricing information etc.; should a client leave Cortex Hub, the data is kept for 6 years. Managed by our Operations director.

  • Client Data part II: additionally, due to the nature of our business we do receive clients' staff and/or prospective staff records where the client submits sample files for analysis. This information is held separately on our servers with restricted access based upon staff profiles. Once the query has been dealt with, the data is deleted by the Operations director on a monthly basis.

1.20 Anti-virus policy
All machines must be configured to run the latest anti-virus software as approved by Cortex Hub. The preferred application is advised by, and automatically distributed from, our servers, which are configured to retrieve the latest updates to the antivirus program automatically on a daily basis. The antivirus software has periodic scanning enabled for all systems.
Master installations of the antivirus software are set up for automatic updates and periodic scans. E-mail with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail which they suspect may contain a virus.

1.21 Patch Management Policy
All Workstations, servers, software, system components etc. owned by Cortex Hub must have up-to-date system security patches installed to protect the asset from known vulnerabilities.

  • Wherever possible, all systems and software must have automatic updates enabled for system patches released by their respective vendors. Security patches have to be installed within one month of release by the respective vendor. This is enforced by group policy.

  • Any exceptions to this process have to be documented.

1.22 Remote Access policy
It is the responsibility of Cortex Hub employees, contractors, vendors and agents with remote access privileges to Cortex Hub’s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Cortex Hub.
All hosts that are connected to Cortex Hub internal networks via remote access technologies are monitored on a regular basis.

1.23 Wireless Policy
Installation or use of any wireless device or wireless network intended to be used to connect to any of Cortex Hub's networks or environments is prohibited.
If any violation of the Wireless Policy is discovered as a result of the normal audit processes, Cortex Hub has the authorisation to stop, cease, shut down and remove the offending device immediately and to discipline the staff involved.

If the need arises to use wireless technology, it should be approved by Cortex Hub and the following wireless standards have to be adhered to:

  1. Default SNMP community strings, passwords, passphrases, encryption keys and other security-related vendor defaults (if applicable) should be changed immediately after the installation of the device, and again if anyone with knowledge of these leaves Cortex Hub.

  2. The firmware on the wireless devices is updated as per the vendor's release schedule.

1.24 Roles and Responsibilities
The Office Manager is responsible for overseeing all aspects of information security, including but not limited to:

  • creating and distributing security policies and procedures

  • monitoring and analysing security alerts and distributing information to appropriate information security and business unit management personnel

  • creating and distributing security incident response and escalation procedures.

  • maintaining a formal security awareness program for all employees that provides multiple methods of communicating awareness and educating employees (for example, posters, letters, meetings).

  • periodically reviewing access levels and advising the company directors if revisions are required

System and Application Administrators shall:

  • monitor and analyse security alerts and information and distribute to appropriate personnel

  • administer user accounts

  • monitor and control all access to data

The Human Resources Officer (or equivalent) is responsible for tracking employee participation in the security awareness program, including:

  • facilitating participation upon hire and at least annually;

  • ensuring that employees acknowledge in writing that they have read and understand Cortex Hub’s information security policy.

The Managing Director (or equivalent) will ensure that service providers with whom personal information is shared have written contracts that include an acknowledgement of responsibility for the security of personal data by the service provider.

1.25 Transfer of sensitive Information Policy
All third-party companies providing critical services to Cortex Hub must provide an agreed Service Level Agreement.
All third-party companies providing hosting facilities must comply with Cortex Hub’s Physical Security and Access Control Policy.
All third-party companies which have access to sensitive personal information must

  1. Acknowledge their responsibility for securing the sensitive personal data.

  2. Acknowledge that the sensitive personal data must only be used to assist with the validation of documentation.

  3. Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.

  4. Provide full cooperation and access to conduct a thorough security review after a security intrusion.

1.26 User Access Management
Access to Cortex Hub is controlled through management approval.

  • Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is not permitted.

  • There is a standard level of access; other services can be accessed when specifically authorized by management.

  • The job function of the user decides the level of access the employee has to personal data.

  • A request for service must be made in writing by email. The request is free format, but must state:

    • the name of the person making the request;

    • the job title and workgroup of the new starter;

    • the start date;

    • the services required (default services are: MS Outlook, MS Office and Internet access).

  • Each user is given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access.

  • Access to all Cortex Hub systems is provided by IT and can only be started after proper procedures are completed.

  • As soon as an individual leaves Cortex Hub’s employment, all his/her system logons are revoked.

  • As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of their date of leaving.