POPIA in the context of retirement funds

by Lize de la Harpe | 28 Feb 2024 | Glacier by Sanlam, Legal, Q1 2024

The Protection of Personal Information Act, 2013 (“POPIA”) gives effect to the right to privacy as set out in the Constitution. It provides the regulatory framework within which organisations may process personal information thereby giving individuals control over how their personal information is used or disclosed.

The role players

POPIA applies to the processing of personal information of a data subject by or on behalf of a responsible party.

POPIA identifies three main role players, namely:

  • The data subject;
  • A responsible party; and
  • An operator.

The term data subject refers to the person to whom the personal information relates. In the context of retirement funds, the term data subject will include not only fund members, but also their dependants, heirs and nominated beneficiaries.

A responsible party is defined as a public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information. In essence, it’s the person/entity who decides what personal information must be processed and how it is processed. The definition of responsible party includes retirement funds and participating employers.


An operator is defined as the person (natural or juristic) who processes personal information for a responsible party in terms of contract or mandate, without coming under the direct authority of the responsible party.

Processing of personal information

In its simplest form, processing covers everything imaginable that can be done with personal information, for example, the collection, collation, storage, updating, use, destruction and the alteration or distribution of a record which has personal information in it.

The processing and further processing of personal information is only lawful if it complies with the eight Conditions as set out in Chapter 3 of POPIA. Accordingly, the processing of personal information by retirement funds and administrators must always comply with the eight Conditions as set out in the Act.

Types of personal information

POPIA distinguishes between three different categories of personal information, being:

  1. Personal information in general;
  2. Special personal information; and
  3. Personal information of children.

General personal information of members, dependants and their nominated beneficiaries would include information such as the person’s age, gender, marital status and any identifying numbers (ID number, telephone numbers, email address, physical address, etc.).

Special personal information includes information about a data subject’s religious or philosophical beliefs, race, health or sex life, biometric information and/or criminal behaviour. The processing of special personal information is prohibited unless one of the exemptions as set out in section 27 applies. One of these exemptions relates to the processing of such information where it is necessary to establish, exercise or defend a right or obligation in law. In addition to these general exemptions there are also certain specific exemptions which apply in respect of different types of special personal information (see sections 28 to 33 of POPIA).

Special rules apply to the processing of personal information of children. The processing of personal information of children is prohibited unless one of the exemptions as set out in section 35 applies.

Where does the fund administrator fit in?

Retirement funds are separate legal entities managed by boards of trustees who are jointly responsible for the administration of the fund. A retirement fund may however delegate this function to a registered fund administrator. The administrator of the retirement fund will typically act as an operator for the purposes of POPIA.

Having said that, it does often happen in practice that the fund leaves it up to the discretion of the administrator to determine the purpose of and means for processing personal information, for example where the fund outsources the drafting and management of the member application forms to the administrator. In this instance, the administrator would also act as a responsible party. It is therefore vital to evaluate the service level agreement in place between the fund and its appointed administrator to properly evaluate the capacity of the administrator.

Agreements between the fund and its service providers

Despite the fact that the processing of personal information may be done by an operator (and not the responsible party itself), it is ultimately the responsible party who decides what must be processed and how. The responsible party therefore remains ultimately responsible for ensuring that POPIA is complied with.

POPIA sets out specific requirements for the processing of personal information by operators. Retirement funds must enter into written contracts with the service providers who act as operators (including the fund administrator). These contracts must:

  1. ensure that the service provider establishes and maintains the required confidentiality and security measures which apply to the retirement fund (as set out in section 19); and
  2. place a contractual obligation on the service provider to inform the retirement fund if there was unauthorised access or disclosure of personal information.

The service providers, in turn, must:

  1. process personal information only with the knowledge or authorisation of the retirement fund; and
  2. treat personal information as confidential, unless required by law or in the course of the performance of their duties.

Having regard to the stringent requirements for the lawful processing of the different types of personal information as discussed above, retirement funds must ensure that the trustees are adequately informed of the requirements for lawful processing thereof and that both the fund and its appointed administrator have the appropriate security measures in place to safeguard this information.

In addition, retirement funds must ensure that all existing service level agreements between the fund and its appointed administrator (and other third-party service providers) are regularly reviewed in order to ensure that they sufficiently cover the parties’ respective obligations as set out in POPIA.


Lize de la Harpe
Legal Advisor at Glacier by Sanlam