eBioNet Privacy Policy
This Privacy Policy explains how personal information is collected, used, stored, and protected on the eBioNet platform, in compliance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa.
The responsible party for your personal information is the Association for Water and Rural Development (AWARD) NPC, acting as technical host of the eBioNet platform.
1. Introduction
The Association for Water and Rural Development (AWARD) NPC ("AWARD", "we", "us", "our") is committed to protecting your personal information in accordance with the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) ("POPIA") and other applicable South African legislation.
This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you use the eBioNet Learning Management System ("the Platform") hosted at ebionet.org.
2. Responsible Party
For the purposes of POPIA, the responsible party is:
- Name: Association for Water and Rural Development (AWARD) NPC
- Registration No.: 98/03011/08
- Address: P.O. Box 1919, Hoedspruit, 1380, Mpumalanga, South Africa
- Data Protection Officer (DPO): dpo@award.org.za
3. Personal Information We Collect
We collect the following categories of personal information:
3.1. Information you provide directly
- Account registration: First name, surname, email address, username, and password (stored in hashed form);
- Profile information: City/town, country, description, profile picture, and any additional fields you choose to complete;
- Course activity: Assignments, quiz responses, forum posts, and other content you submit;
- Communications: Messages sent through the Platform's messaging system.
3.2. Information collected automatically
- Access logs: IP address, browser type, operating system, pages visited, and timestamps;
- Learning analytics: Course progress, completion status, grades, and time spent on activities;
- Cookies and session data: Essential cookies required for the Platform to function (login session, user preferences). We do not use tracking or advertising cookies.
4. Purpose and Legal Basis for Processing
We process your personal information for the following purposes, each with a lawful basis under POPIA Section 11:
| Purpose | Legal Basis (POPIA) |
|---|---|
| Creating and managing your user account | Necessary for contract performance (s11(1)(b)) |
| Providing access to courses and learning resources | Necessary for contract performance (s11(1)(b)) |
| Recording course progress, grades, and completions | Necessary for contract performance (s11(1)(b)) |
| Issuing certificates of completion | Necessary for contract performance (s11(1)(b)) |
| Communicating with you about your courses and account | Legitimate interest (s11(1)(f)) |
| Maintaining security and preventing abuse | Legitimate interest (s11(1)(f)) |
| Generating anonymised usage statistics and reporting | Legitimate interest (s11(1)(f)) |
| Complying with legal obligations | Legal obligation (s11(1)(c)) |
5. Sharing of Personal Information
We do not sell, rent, or trade your personal information. Your information may be shared in limited circumstances:
- Course facilitators and instructors: May access your name, email, course submissions, and progress for courses in which you are enrolled;
- eBioNet network partners: Anonymised and aggregated statistics may be shared with eBioNet partner organisations for reporting purposes;
- Service providers: We may use third-party service providers (e.g., email delivery, hosting) who process data on our behalf under appropriate data processing agreements;
- Legal requirements: Where required by South African law, court order, or regulatory authority.
We do not transfer personal information outside of South Africa unless adequate safeguards are in place as required by POPIA Section 72.
6. Data Retention
We retain your personal information for as long as:
- Your account remains active on the Platform;
- It is necessary to fulfil the purposes for which it was collected;
- Required by applicable law or regulation.
When your account is deleted or you request erasure, your personal information will be removed or anonymised within a reasonable period, except where retention is required by law. Course completion records may be retained in anonymised form for statistical purposes.
7. Security Measures
We implement appropriate technical and organisational measures to protect your personal information, including:
- HTTPS/TLS encryption for all data in transit;
- Passwords stored using secure one-way hashing algorithms;
- Access controls limiting data access to authorised personnel;
- Regular security updates and patches applied to the Platform;
- Server hosted in a secure environment with restricted access.
While we take all reasonable steps to protect your information, no system is completely secure. In the event of a data breach that poses a risk to your rights, we will notify you and the Information Regulator as required under POPIA Section 22.
8. Your Rights Under POPIA
As a data subject under POPIA, you have the following rights:
- Right of access (s23): You may request confirmation of whether we hold your personal information and request access to it;
- Right to correction (s24): You may request that inaccurate, irrelevant, or outdated personal information be corrected or deleted;
- Right to deletion (s24): You may request that your personal information be deleted where it is no longer necessary for the purpose for which it was collected;
- Right to object (s11(3)(a)): You may object to the processing of your personal information on reasonable grounds;
- Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time, without affecting the lawfulness of processing prior to withdrawal;
- Right to data portability: You may request your personal information in a structured, commonly used format;
- Right to complain: You have the right to lodge a complaint with the Information Regulator (see Section 11 below).
To exercise any of these rights, please contact our Data Protection Officer at dpo@award.org.za. We will respond to your request within 30 days.
9. Cookies
The Platform uses only essential cookies required for its operation:
- MoodleSession: Maintains your login session while you use the Platform;
- MOODLEID_: Remembers your username for convenience (optional).
We do not use analytics, advertising, or third-party tracking cookies. You may configure your browser to block cookies, but this may prevent the Platform from functioning correctly.
10. Children's Information
The Platform is not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child's personal information has been collected without appropriate consent from a competent person (as defined in POPIA Section 35), we will take steps to delete that information.
11. Information Regulator
If you are unsatisfied with how we handle your personal information, you have the right to lodge a complaint with the South African Information Regulator:
- Website: https://inforegulator.org.za
- Email: complaints.IR@justice.gov.za
- Phone: 012 406 4818
- Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify you through the Platform and request your renewed acceptance where required.
13. Contact Us
For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal information, please contact:
- Data Protection Officer: dpo@award.org.za
- General enquiries: info@award.org.za
- Postal address: AWARD, P.O. Box 1919, Hoedspruit, 1380, Mpumalanga, South Africa
This Privacy Policy is effective as of February 2026.