There are mainly three role players involved.

(a) The Fund (which is the responsible party in terms of POPIA),

(b) The participating employer, the administrator, other relevant service providers, advisers and members on the Joint Forum (which are operators or authorised persons in terms of POPIA), and

(c) The member (which is a data subject in terms of POPIA).

The Fund is committed to the adherence and compliance of POPIA and is committed to ensuring the protection of the personal information of members. The purpose of this policy is to ensure that the Fund and its operators and authorised persons process personal information responsibly and in a manner which demonstrates its commitment to upholding the right to privacy of members and Fund Officers, subject to justifiable limitations.

It further establishes a common standard on the appropriate protection of personal information of members and provides general principles regarding the right of individuals to privacy and to reasonable safeguarding and protection of their personal information. This policy also specifies minimum requirements and standards that are to be adhered to with regard to the processing of personal information by operators and authorised persons.

The Fund may outsource services related to its data protection and IT management to its respective service providers. The Board of Management, however, remains committed to minimising and managing the risks relating to maintaining and protecting all Fund data:

• In accordance with its sensitivity and the risk to which it is exposed, and
• In a manner which is consistent with all relevant legal, regulatory and contractual requirements.

The Board of Management is equally committed to minimising and managing the operational risks that result from the Fund’s operations with specific reference to data and IT systems.

The Board of Management, in its commitment to comply with POPIA, will require that the Fund’s operators and authorised persons adhere to the lawful processing of personal information in line with POPIA.

This policy is applicable to the protection and processing of personal information throughout the information life cycle, from the point of first collection of personal information until the time that such information is destroyed or de-identified. The policy applies to the Fund, its members, the Board of Management, all service providers contracted with the Fund to deliver various services for the Fund and its members and authorised persons.

The Board of Management will take reasonable steps to ensure lawful processing of all personal information of members, taking into account these key principles:

• 5.1 Accountability: The Fund is accountable for ensuring that the provisions of applicable data protection laws and the requirements outlined in this policy are complied with through implementing appropriate practices, policies and procedures.
• 5.2 Processing limitation: Information must be adequate, relevant and not excessive and processed with consent, unless required in order to comply with legislation. Where processing is in line with applicable legislation (such as the Pension Funds Act) and the Fund rules to process personal information without necessarily having to obtain the specific consent of the member or fund officer, the Fund and operators may process personal information without obtaining prior consent.
  
  The Fund will only share a member’s personal information with service providers or authorised persons if the Fund is required to do so in terms of its rules (for instance risk benefits rebroking data), TFID, by law, in connection with any legal proceedings or any prospective legal proceedings.
  
  Personal information will not be retained for longer than is necessary to achieve the purpose for which it is processed unless authorised or required by applicable laws. Personal information will not be processed for a secondary purpose, unless that secondary purpose is compatible with the original purpose or authorised by data protection laws.
• 5.3 Purpose: Personal information will be collected for a specific, explicitly defined and lawful purpose relating to the function or activity of the Fund and notified to the member. Where the Fund discloses personal information to operators and authorised persons, they will be obliged to use that personal information only for the reasons and purposes it was disclosed for.
• 5.4 Information quality: Personal information collected must be complete, accurate, not misleading and updated when required, having regard to the purpose for which the information was collected.
• 5.5 Openness: Members will be informed of the collection of personal information and purpose of collection. This includes that all necessary disclosures as required by applicable data protection laws and this policy are made.
• 5.6 Security measures: The integrity and confidentiality of Fund data will be secured and the Board of Management must be comfortable that there are reasonable security safeguards against risks such as loss of, unauthorised access, destruction, use, amendment or disclosure of personal information.
• 5.7 Data subject participation: A member or fund officer will have the right to request details of any of his/her personal information held by the Fund.
• 5.8 Special personal information: Special personal information that is collected or processed will be treated with the highest of care and in good faith.
• 5.9 Sharing of personal information: When personal information is shared with operators or authorised persons (including permitting access, transmission or publication), it will only be shared with reasonable assurance that the recipient has suitable privacy and security protection controls in place as required by data protection laws.

• 6.1 Special personal information are categories of personal information that are afforded a higher level of protection by data protection laws. Particular care will be taken in protecting special personal information from loss, damage, unauthorised use, disclosure or access.
• 6.2 Subject to any other justifications under data protection laws which may exist in relation to special personal information (or a certain category of special personal information), special personal information will only be processed and disclosed to operators or authorised persons with the consent of the member (or a competent person in respect of a child).

• 7.1 The Board of Management will ensure that the service agreements with all operators provide that operators process Fund data in accordance with this policy and applicable data protection laws.
• 7.2 The service agreement should take into account the following:
  • 7.2.1 The nature of the operator’s services and exposure to the Fund data in terms of data protection laws.
  • 7.2.2 All Fund data must be treated by its operators and authorised persons as confidential and not used for any purpose other than for the performance of any service in terms of the Fund’s agreements with the operators and authorised persons and as allowed by any applicable law.
  • 7.2.3 No disclosure to third parties of the Fund data may be made by the operators and authorised persons save to the extent that such disclosure may be required by law, is in line with applicable legislation or with the prior written consent of the Fund.
  • 7.2.4 The operators and authorised persons must put in place a process to ensure that all business-related correspondence and data are officially handed over by any of its existing employees before their last day of service.
  • 7.2.5 Operators and authorised persons must maintain the confidentiality of correspondence sent and received via any medium by ensuring that sensitive personal information is correctly addressed, sent only to authorised persons and is password protected where necessary.
  • 7.2.6 Compliance with all relevant laws in respect of the collection, storage, security, destruction and deletion of any record containing personal information, for example, information no longer required for the purpose for which it was collected or for which the legal obligations for retention have passed, must, subject to clause 9 of this policy, be destroyed via secure means such as cross-cut shredding (for paper records) or permanent erasure via suitable and agreed mechanisms for electronic records.
  • 7.2.7 Compliance with all policies and procedures pertaining to the protection, privacy, storage, retention, handling, processing and destruction of data, including personal information, which apply to the Fund and to which the operators or authorised persons are subject.
  • 7.2.8 Adequate recourse to the Fund, including a right to terminate, indemnification for breach and/or appropriate insurance cover for cyber security breaches, where the operator or authorised person is not complying with the requirements set forth in the agreement.
  • 7.2.9 The requirement to immediately inform the Fund (via the Fund’s Information Officer) of any actual or suspected security event or compromise to personal information in its possession.
  • 7.2.10 The requirement, on the Fund’s instructions, via the office of the Fund’s Information Officer, to notify the affected fund officers or members and/or the Information Regulator of any actual or suspected security event or compromise.
• 7.3 All operators and authorised persons will be required to adhere to POPIA, this policy and all other data protection laws. Depending on the service they provide to the Fund, operators and authorised persons are required:
  • 7.3.1 To adhere to POPIA and put in place the necessary security processes and measures to safeguard Fund data.
  • 7.3.2 To:
    • (a) Have adequate protection against external system attacks, viruses and any other similar risks
    • (b) Have reliable and comprehensive offsite data protection as part of their disaster recovery plans in place to mitigate the risk of physical destruction of property, information and systems
    • (c) Develop and maintain adequate measures to protect against inappropriate access to systems, data and any other sensitive information through appropriate storage facilities, password requirements, building-entry systems, IT firewalls and other similar processes and/or systems
    • (d) Maintain the necessary cyber insurance to cover a data breach in which members’ personal information is stolen by a hacker or cybercriminal
  • 7.3.3 To minimise the possible risks emanating from a failure or delay in delivering IT processes or information needed for business transactions and operations, the risks of hardware failure, network outages and power outages are addressed to ensure that business as usual can continue with minimal interruption should such events occur.
  • 7.3.4 The impact of a force majeure has been considered as part of their disaster recovery programme to mitigate the risk of not having an appropriate workforce able to access backup systems.
  • 7.3.5 To minimise the possible risks emanating from the slow or inefficient operation of IT processes supporting business transactions and operations, that they have:
    • (a) Put in place a process to ensure the adequacy and efficiency of their system architecture and capabilities
    • (b) Take adequate steps to prevent network congestion which can introduce inefficiencies and compromise service delivery
    • (c) Demonstrate the ability to reduce system design inefficiencies and system process inefficiencies where such inefficiencies are identified
  • 7.3.6 Feedback as to whether they have undergone an ISAE 3402 audit and if so, the results of such audit must be provided to the Fund for consideration. Operators who have not undergone an ISAE 3402 audit must provide written confirmation that their disaster recovery plans and IT systems are sound and tested regularly. Such confirmation should be provided by a third party, such as an external auditor, where possible.
  • 7.3.7 Their compliance to the applicable regulatory requirements regarding the collection and processing of personal information.
  • 7.3.8 Collecting personal information is adequate, relevant and not excessive and with consent, unless required in order to comply with legislation.
  • 7.3.9 Processing personal information is done in a manner compatible with the purpose for which it was collected.
  • 7.3.10 Personal information that is collected or processed is treated with the highest of care as prescribed by POPIA and in good faith.
  • 7.3.11 An individual’s consent is obtained to process their personal information when personal information is being collected to provide Fund benefits to the member unless required in order to comply with legislation.
  • 7.3.12 Personal information is kept accurate, complete and up to date and reliable for their intended use.
  • 7.3.13 Reasonable security safeguards have been developed against risks such as loss, unauthorised access, destruction, use, amendment or disclosure of personal information.
  • 7.3.14 Personal information is only shared with authorised persons where such sharing is compatible with the initial purpose for the processing and with reasonable assurance that the authorised persons have suitable privacy and security protection controls in place in accordance with data protection laws regarding personal information.
• 7.4 Administrators and other service providers must confirm in intervals of three years that they have a disaster data recovery plan in place.

The Fund, as the responsible party, will adopt the following measures and/or procedures to achieve compliance with the provisions of POPIA and any other data protection laws:

• 8.1 Create and maintain awareness amongst its Fund Officers about its information security policies and procedures through onboarding processes and ongoing security awareness drives.
• 8.2 Members will be informed of the collection of personal information and the purpose of collection and be made aware of the rights conferred upon them as data subjects under data protection laws.
• 8.3 The Fund will develop an access request procedure, which will apply to data subject access requests under data protection laws. Such procedures will be documented, made available to Fund Officers and members and describe the end-to-end process from the initiation of an access request by a data subject, to the execution of such request.
• 8.4 Where data protection laws prescribe forms for access requests, the Fund will ensure that such forms are placed on its website and are readily available via all member communication channels.
• 8.5 A compliance framework will be developed, implemented, monitored and maintained.
• 8.6 At a frequency as determined by the Board of Management, a personal information impact assessment will be done to ensure adequate measures and standards are in place to comply with the conditions for lawful processing.
• 8.7 A general cautionary note will be included in the agendas of meetings of the Board of Management and sub-committees to indicate that the Fund information is “strictly confidential” and that no personal information of members of the Fund and Fund Officers may be made available to third parties other than the contracted operators of the Fund and the authorised persons.
• 8.8 Each Fund Officer must undertake to comply with the provisions of POPIA in the form prescribed by the Board of Management from time to time.
• 8.9 The duty of participating employers to comply with the provisions of POPIA when dealing with Fund matters and personal information of members will be incorporated with TFID.
• 8.10 The Board of Management will maintain a retention and destruction policy which details the different types of records and the different periods applicable to such records. This policy will be incorporated in the POPIA addendum to the SLA with the administrator.
• 8.11 Operators:
  • 8.11.1 The provisions in clause 7.2 will be taken into account in all written agreements with operators as well as TFID.
  • 8.11.2 Declarations in terms of clause 7.3 will be obtained from operators at a frequency as determined by the Board of Management.
• 8.12 The Fund will document and implement specific procedures, processes and controls for lodging and handling complaints related to the processing of personal information. This policy will be incorporated in the POPIA addendum to the SLA with the administrator.
• 8.13 The Fund will inform Fund Officers and members of complaints procedures through their website, member brochures or other documents, which must be readily available and easy to understand. The complaint resolution process must be explained, and contact information for members to reach the Fund must be provided.
• 8.14 All personal information leaving secure environments is adequately protected by using appropriate technologies, like encryption or physical controls, within the Sanlam network. Appropriate requirements and or arrangements will be made for authorised persons and Fund Officials who are not within the Sanlam network.
• 8.15 Members’ names and ID numbers will be excluded from all generic Fund reports and only member numbers will be used instead.
• 8.16 Where specific member names are needed such as for pension funds, adjudicator complaints and the distribution of death benefits to beneficiaries, the Fund reports must be password protected.
• 8.17 All personal information that is not relevant to the Board of Management’s decision-making must be removed from Fund reports.
• 8.18 Special care must be taken by Fund Officers to protect the contents of the agenda packs of the Board of Management and sub-committee meetings against unauthorised access.
• 8.19 Board members shall not share or transfer personal information to a third party without the written consent of the Board of Management or as required by law.
• 8.20 All attachments to emails containing personal information of members must be password protected before it is sent to any person.
• 8.21 Special care must be taken that documents used in resolving any issue of the Fund be disposed of and destroyed in in terms of the Fund’s retention and destruction policy.
• 8.22 Where a board member becomes aware or suspicious of any security event such as any unauthorised access, interference, modification, destruction or the unsanctioned disclosure of personal information, he or she must immediately report this event or suspicion to the information officer.
• 8.23 Where there are reasonable grounds to believe that a security event has occurred and to the extent required by applicable laws, the information officer will ensure that the Information Regulator and the affected Fund Officers, employers or members are notified as soon as reasonably possible.

• 9.1 The Fund and/or its operators and authorised persons will ensure that Fund data which they process, is processed (including captured, used, disclosed, stored and destroyed) in a secure and confidential manner appropriate to the classification of the information, in accordance with the relevant provisions of data protection laws.
• 9.2 In order to comply with data protection laws, the Fund or its operators and authorised persons:
  • 9.2.1 Must keep records of the personal information it has collected, correspondence or comments in an electronic or hardcopy file format. Personal information may be processed for as long as necessary to fulfil the purposes for which that personal information was collected and/or as permitted or required by applicable law;
  • 9.2.2 May retain personal information for longer periods for statistical, historical or research purposes, and should this occur, the Fund and/or its operators and authorised persons will ensure that appropriate safeguards have been put in place to ensure that: (i) All recorded personal information will continue to be processed in accordance with this policy and the applicable laws, and (ii) the records of personal information shall not be used for any other purposes; and
  • 9.2.3 Must, once the purpose for which the personal information was initially collected and processed no longer applies or becomes obsolete, and there is no legitimate reason for retention of such personal information, ensure that it is deleted, destroyed or de-identified.
• 9.3 Where the Fund or its operators and authorised persons no longer need personal information for achieving the purpose for which it was initially collected or subsequently processed, but retains such personal information for the purposes of proof, the Fund or its operators and authorised persons will not be required to delete or destroy such information, but must restrict the processing of such personal information from further circulation, publication or use and ensure that there are appropriate security safeguards consistent with the requirements of this policy and data protection laws in respect of such personal information.

Members have the right to access the personal information that the Fund or an operator holds about them. Members and Fund Officers also have the right to request the Fund operators to update or correct their personal information. The Fund and its operators must take all reasonable steps to confirm a member’s identity before providing details of their personal information to them or making changes to their personal information.

The Fund’s complaints procedure described in clauses 8.12 and 8.13 must, at a minimum, contain the following:

• 11.1 Members must be encouraged to submit their complaints/enquiries which relate to the processing of personal information, directly to the Fund’s Information Officer instead of approaching the Information Regulator, in order to give the Fund the opportunity to swiftly and efficiently address the complaint/enquiry internally and outside of the public domain.
• 11.2 A member or fund officer must be able to direct a challenge regarding an alleged infringement of their rights to the Fund’s Information Officer. The Fund must therefore establish procedures to receive and respond to enquiries or challenges to its policies and practices relating to the handling of personal information. These procedures must be easily accessible and simple to use.

• 12.1 The Fund will appoint an information officer.
• 12.2 The information officer’s duties and responsibilities will be set out in a written agreement.
• 12.3 The information officer may designate a deputy information officer(s) to assist with fulfilling his/her responsibilities and may delegate his/her responsibilities to a deputy information officer, provided that any such delegation:
  • 12.3.1 Must be in writing;
  • 12.3.2 Does not prohibit the information officer from exercising the power concerned or performing the duty concerned himself or herself; and
  • 12.3.3 May at any time be withdrawn or amended in writing by the information officer.

• 12.4 The Board of Management is responsible for monitoring and overseeing the implementation of this policy.
• 12.5 Non-compliance with this policy may result in possible termination of agreement and mandates of operators and authorised persons and disciplinary action against Fund Officers.