Fault reporting (24/7) | +27 21 763 7147 | hjeedgi@itcti.pr.op

[DRAFT] Privacy Notice for TENET

 

TENET respects your rights under the Protection of Personal Information Act, 2013 (POPIA) and related legislation. This privacy notice exists to ensure you know how and why we collect and process your personal information. We will never sell your personal information.

This is a general statement covering TENET’s websites, the organisation-wide systems we use to operate our business (such as our accounting, customer relations, email, and telephone systems) and your interactions with our offices. It also provides a summary of personal information that may be incidentally processed in the course of providing network services. Some TENET services or activities may have their own, more specific privacy statements, either on each service’s official website, included in the Service Definition when ordering, or made available at the appropriate time.

Sometimes TENET processes personal information on behalf of a client institution, rather than for our own purposes. In those cases, the institution decides what information is collected and why, and we simply process it on their behalf. If you have questions about personal information handled in that context, you should contact your institution directly. We will help direct you to the right person if you are unsure.

Who are we?

The Tertiary Education and Research Network of South Africa NPC (TENET) is a not-for-profit company that provides connectivity, infrastructure, and related services to South Africa’s higher education and research community.

TENET’s clients are all juristic persons (institutions such as public universities or statutory science and research councils), and as such, the personal information we hold typically relates to individuals in their capacity as representatives of those institutions.

Why we process Personal Information

We process personal information to conduct our business effectively and provide the best service we can. This includes communicating with contacts at client institutions, suppliers, government departments, and other organisations with whom we have relationships. We also process personal information to fulfil our legal and contractual obligations.

As a licensed electronic communication network (ECN) and electronic communication network service (ECNS) provider, we process network & Internet traffic data in the course of providing connectivity services to our clients. This is described further below.

As a national research and education network (NREN), we develop and maintain a suite of additional services across the following broad categories: trust, identity, and security; real-time communications; storage and cloud; brokerage; and professional services. Processing of personal information is required to operate these services and to provide the services to you or your institution.

What information do we collect about you?

The personal information we collect and process depends on the context of your interaction with us. Our core activities include the following categories of personal information

  • Contact information: names, email addresses, telephone numbers, and postal addresses of individuals who deal with TENET as representatives of their organisations. Where we hold a personal mobile number or email address, this is typically because an individual provided it for business purposes.
  • Organisational and role information: the organisation a person represents and the role they play in that organisation’s relationship with TENET (for example, a technical contact or financial signatory).
  • Events, training and meetings: When you attend an event we organise, we may require logistical information such as dietary preferences, transport arrangements, contact details, and attendance information. We may also record video of these events for internal record-keeping (e.g., to aid in producing minutes) or, where you are informed prior to the recording, to share with you or others who are unable to attend. Photographs may be taken with your permission.
  • Communications records: records of correspondence and interactions with TENET, including emails and telephone call records, where these are kept in our ticketing, customer relationship management, or other supporting systems.
  • Mailing lists and publications: where individuals have subscribed to TENET communications, we retain their contact details and subscription preferences for as long as they remain subscribed. Note that some individuals may be subscribed by virtue of their role within their institution.
  • Website usage data: standard web server logs, including timestamps, IP addresses, pages requested, and HTTP response codes. This data is collected for troubleshooting and to maintain the integrity of our web services. Our websites may also set cookies in your browser for session management and to improve your browsing experience. These cookies do not contain sensitive personal information.
  • Financial and billing information: information necessary to raise and process invoices and payments in relation to the services we provide, including information about tax and BBBEE compliance.
  • CCTV images: moving or still images taken at our office premises
  • Service usage data, logs and analytics: Many of our services require authentication and request minimal personal information to facilitate this and provide a personalised experience. In addition, many services collect diagnostic and analytical information, including how you connect to and use the service.
  • Network connectivity and management: As an I-ECN, I-ECNS and NREN, we process network traffic to deliver connectivity services. This is described separately below.
Handling of network connectivity and management information

In the course of providing network and telecommunications services, TENET processes network traffic data. This includes:

  • Network logs: standard logs generated by network infrastructure, including connection metadata, timestamps, and error records. These are used for troubleshooting, capacity planning, and security monitoring.
  • Netflow data: we retain the headers of a sample of network flows (packet metadata, not content) for a limited period. This data may include source and destination IP addresses, ports, and timestamps. It is used for network management, security incident response, and traffic analysis.
  • Aggregate network statistics: we maintain long-term statistical data on network usage at the institutional level. This data is de-identified to the extent that individual users are not identifiable, but the institution (which is itself a data subject under POPIA) remains identifiable. This data is used for capacity planning, reporting, and service improvement.

Some of our network management and security systems use automated processing to detect and respond to anomalies or security incidents. Where an automated process produces an outcome that affects you or your institution, you may contact us to request that we review the outcome.

Users of our client institutions’ networks should be aware that some of the above data may be associated with their institution, even if not with them personally. For specific queries about how your institution handles network traffic data, please contact your institution directly.

We primarily rely on legitimate interest as the legal basis for processing personal information to manage our business relationships and deliver services. Some processing is required to fulfil legal obligations (for example, retaining financial records) or to perform a contract with an institution. Where we process personal information on the basis of consent (for example, for event photography), you may withdraw that consent at any time.

Who do we share information with?

We do not sell or trade personal information to anyone. We share personal information only where necessary to carry out our business or to deliver service to you or your institution. This may include sharing personal information with the following categories of recipients:

TENET cooperates with the SANReN group of the National Integrated Cyberinfrastructure System (NICIS/CSIR) to operate the South African NREN. For operational purposes — including troubleshooting, capacity planning, and security incident response — we treat SANReN staff as part of the NREN and may share information with them as we would with our own staff. This sharing is governed by contractual arrangements between TENET and NICIS.

TENET’s subsidiary, the South African Broadband Education Network (SABEN), provides connectivity services to TVET colleges. We share personal information with SABEN to the extent necessary to deliver services to the institutions they serve.

Where we act as an agent on behalf of a client institution, we may provide that institution’s contact details to a supplier who needs to deal with them directly (for example, to co-ordinate the installation of a network service). Similarly, we may provide supplier contact details to client institutions when necessary to advance the business relationship.

We share financial and payment information with our bankers and payment processors as necessary to process transactions.

We make use of third-party software and service providers (operators) to support our operations. These providers process personal information on our behalf and are required to do so in accordance with POPIA. A partial list of current third-party processors is available on request.

Some of these processors are located outside South Africa, which means your personal information may be transferred across national borders. Where we transfer personal information internationally, we take steps to ensure adequate protection is in place — for example, by selecting processors that operate under comparable data protection frameworks and by ensuring appropriate data processing agreements are in place. They are permitted to use your personal information only for the specific purposes we have engaged them for, and not for any other purpose.

We may be required to disclose personal information to comply with a legal obligation, a court order, or a lawful request from a regulatory or law enforcement authority. We expect due process before acceding to such requests.

We use a third-party analytics service (Google Analytics) to provide insights into how users interact with various websites. This information is used to improve the user interfaces for these sites. The analytics service may set cookies in an end user’s web browser, and these cookies may contain an opaque identifier that uniquely identifies the browser. In addition, the analytics service may collect anonymous information about an end user’s browser (such as display size, version, capabilities, etc). You may opt out of this tracking.

Personal Information retention

We retain personal information for as long as necessary to fulfil the purposes described in this notice, or as required by law. In general:

  • Contact and organisational information is kept for as long as the business relationship exists, and for a reasonable period of up to a year thereafter.
  • Financial records are kept for the period required by applicable tax and financial legislation (currently a minimum of five years).
  • Network logs and netflow data are kept for a limited period for troubleshooting and security purposes, and are not retained longer than necessary for those purposes.
  • Server logs are retained for a limited period for troubleshooting purposes, typically no more than six months.
  • Long-term aggregate statistics are retained indefinitely, but at a level of aggregation that does not identify individual users.
  • Records of attendees at meetings, events and training are generally kept for no more than four years, except for mandated functions such as annual general and board meetings. Where TENET has funded attendance at such events, records may be retained for longer (up to ten years). Photographs of events will be stored and archived for an unlimited period.
  • CCTV footage from our office is retained for up to 30 days.

Where backups are made, these may include any of the logs or personal information described here. Backups are stored on separate systems with all data encrypted at rest. Decryption keys are not stored on the same system. Such encrypted backups may be retained for an additional year.

Security

We take commercially reasonable technical and organisational measures to protect personal information against unauthorised access, loss, or destruction. Access to personal information in our systems is limited to authorised TENET personnel (and our SA NREN partners, as described above) who need it to carry out their duties.

While we take reasonable measures to protect personal information, no system is entirely immune to risk. We cannot be held responsible for losses arising from events beyond our reasonable control, or from a user’s own failure to safeguard their credentials.

In the event of a personal data breach that poses a risk to data subjects, we will notify the Information Regulator and affected individuals as required by POPIA.

Corrections, objections, and deletion (your rights)

Under POPIA, you have the right to request access to the personal information we hold about you, and to have inaccurate or incomplete information corrected. In certain circumstances, you may also object to the processing of your personal information, request that we delete it (subject to any legal obligations we may have to retain it) or request that we restrict processing of your personal information while a concern or objection is being resolved.

If you have any concerns about how we handle your personal information, you are welcome to contact our information officers. You also have the right to lodge a complaint with the Information Regulator.

TENET’s PAIA Information Manual, available on our website, provides further detail on how you may exercise these rights.

Information officers

TENET’s information officer (data protection officer) can be reached at sed@itcti.pr.op.

Changes to this notice

We may update this notice from time to time to ensure the information we provide remains up to date with data protection law and the development of our business. You’ll always find the most recent privacy notice here.

Privacy statements for other services

Individual services may have their own privacy statements that provide more specific information about how personal information is handled in that context. These include, for example:

© 2026 TENET South Africa