By Lize de la Harpe, legal adviser
In the last edition we discussed POPIA in the workplace.
In this edition we will focus on POPIA specifically in the context of retirement funds.
Who will qualify as “data subjects”?
In Part 1 (“The Role Players”) we discussed who qualifies as a “data subject” in terms of the POPIA.
Section 1 of POPIA defines a “data subject” as the person to whom the personal information relates. Personal information refers to information relating to an identifiable, living natural person or juristic person.
In the context of retirement funds, the term data subject will include not only fund members, but also their dependents, heirs and nominated beneficiaries.
The retirement fund and its administrator – who is the responsible party?
As also discussed in Part 1, a “responsible party” is defined as a public or private body which, alone or in conjunction with others, determines the purpose of and means for processing personal information.
Put simply: it’s the person/entity who decides what personal information must be processed and how it is processed.
It is clear when looking at the definition of responsible party that it includes retirement funds and participating employers.
So where does the fund appointed administrator fit in?
Remember, POPIA defines an operator as the person (natural or juristic) who processes personal information for a responsible party in terms of contract or mandate, without coming under the direct authority of the responsible party.
As we know, a retirement fund is a separate legal entity which consists of a board of trustees who are jointly responsible for the administration of the fund. The retirement fund may however delegate this function to a registered administrator. However, despite such delegation, it is the retirement fund who will ultimately decide and specify to the administrator (in the service level agreement concluded between the parties) how to perform this function and the purpose of the personal information to be processed.
The administrator of the retirement fund will therefore typically act as an operator for the purposes of the act. Having said that, it does often happen in practice that the fund leaves it up to the discretion of the administrator to determine “the purpose of and means” for processing personal information. In this instance, the administrator would also act as responsible party! It is therefore critical to evaluate the service level agreement in place between the fund and its appointed administrator in order to properly evaluate the capacity of the administrator.
Agreements between the fund and its service providers
As you know, POPIA sets specific requirements for the processing of personal information by operators. As such, the retirement fund as the responsible party must enter into written contracts with the service providers of the fund who act as operators. These contracts must:
- Ensure that the service provider establishes and maintains the required confidentiality and security measures which apply to the retirement fund (as set out in section 19); and
- place a contractual obligation on the service provider to inform the retirement fund if there is unauthorised access to or disclosure of personal information.
The service providers, in turn, must:
- process personal information only with the knowledge or authorisation of the fund; and
- treat personal information as confidential, unless required by law or in the course of the performance of their duties.
Processing of personal information
POPIA applies to the processing of personal information of a data subject by (or on behalf of) a responsible party.
In its simplest form – processing covers everything imaginable that can be done with personal information. It includes (but is not limited to) the collection, receipt, collation, storage, updating, retrieval, use, destruction and the alteration or distribution of a record which has personal information in it.
As you well know by now, the processing (and further processing) of personal information is only lawful if it complies with the eight Conditions as set out in Chapter 3 of the act. Accordingly, the processing of personal information by retirement funds and administrators must at all times comply with the eight Conditions as set out in the act.
Examples of processing by a retirement fund and/or its appointed administrator include but are not limited to the following:
- the collection of information as part of the member application process;
- tracing beneficiaries;
- reviewing requests for retirement; and
- identifying potential dependents for the distribution of s in terms of section 37C of the Pension Funds Act.
Types of personal information to be processed
As discussed in Part 2 (“Types of Personal Information”), the act distinguishes between 3 categories of personal information, being:
- Personal information in general;
- Special personal information; and
- Personal information of children.
Let’s look at each in more detail specifically in the context of retirement funds.
General personal information
General personal information of members, dependents and their nominated beneficiaries would include information such as the person’s race, gender, sex, pregnancy, marital status, age, physical and mental health, disability, religion, culture and language of the person, information about the person’s education or medical, financial, criminal or employment history, any identifying numbers (ID number, telephone numbers, email address, physical address, etc.) and a person’s biometric information.
Special personal information
Retirement funds and administrators will also from time to time be required to process personal information that qualifies as special personal information as set out in section 26 of the act, which is afforded a higher degree of protection than the processing of general personal information.
Special personal information includes information about a data subject’s religious or philosophical beliefs, race or ethnic origin, health or sex life, biometric info and/or criminal behaviour.
The processing of special personal information is prohibited UNLESS one of the exemptions as set out in section 27 applies (*as listed in Part 2 – see copy attached). One of these exemptions relates to the processing of such information where it is necessary to establish, exercise or defend a right or obligation in law.
Also take note that, in addition to these general exemptions as referred to above, there are also certain specific exemptions which apply in respect of different types of special personal information. (*PS: if you’d like more info on these exemptions, take a look at section 28 to 33 of the act).
Personal information of children
Special rules apply to the processing of personal information of children. A “child” is defined as anyone under the age of 18 who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning him- or herself.
The processing of personal information of children is prohibited UNLESS one of the exemptions as set out in section 35 applies, being:
- the processing is carried out with the prior consent of a competent person; OR
- the processing is necessary to establish, exercise or defend a right or obligation in law (for example where the trustees of a fund must determine whether children are entitled to fund s in terms of section 37C of the Pension Funds Act); OR
- the processing is necessary to comply with an obligation of international public law (* for example where the responsible party has to comply with a request made in aid of the protection of children’s rights under international treaty law); OR
- if the Regulator granted authority in terms of section 35(2); OR
- if the processing is for historical, statistical or research purposes; OR
- if the information has been deliberately made public by the child with the consent of a competent person.
Having regard to the stringent requirements for the lawful processing of the different types of information as discussed above, it is vital that retirement funds ensure trustees are adequately informed of the requirements for lawful processing thereof and that both the fund and its appointed administrator have the appropriate security measures in place to safeguard this information.
Also important to remember: retirement funds will have to ensure that all existing service level agreements between themselves and their appointed administrator (and other third party service providers) are timeously reviewed in order to ensure that they sufficiently cover the parties’ respective obligations as set out in the act.
Lastly, the fund is also required to appoint an Information Officer, as discussed in Part 13 (“Information Officer”), who must be registered with the Information Regulator before taking up his or her respective duties in terms of the act.
*PS: as mentioned in Part 14 (“Information Regulator”), section 60 of the POPIA empowers the Information Regulator to (inter alia) issue codes of conduct applicable to a specific sector. In this regard, the IRFA previously indicated that it has prepared and submitted a draft code of conduct suitable for the retirement funds industry. To date, no formal draft has been published.
This concludes the POPIA editions of Simply Legal. I truly hope you have found the information helpful!