Updates: Two-pot System and POPIA


A. An update on the two-pot system

Changes to the two-pot system as a result of engagement with stakeholders

Over the last few months, National Treasury has engaged with stakeholders on the proposed two-pot retirement system. On 20 September 2022, it provided the Standing Committee on Finance with a Draft Response Document which includes responses to some comments received on the two-pot system.

While Treasury still has matters to decide and the two-pot system will develop further before it is finalised, Treasury has given further insight into its thinking on several issues.

Treasury’s responses and proposals

    • The implementation date of 1 March 2023 has been changed to 1 March 2024.
    • It is mandatory for all funds to apply the two-pot system.
    • Treasury stated that Government is, subject to conditions to be decided, open to allowing some of what has already been built up by a member in a fund before 1 March 2024 to be transferred into the member’s savings pot so as to allow the member access to it. This proposal will receive attention going forward.
    • From 1 March 2024, one-third of net (i.e. after costs) contributions will on a mandatory basis go into the savings pot and the remaining two-thirds of net contributions into the retirement pot.
    • As retrenchments are involuntary, Treasury has proposed that, subject to conditions related to Unemployment Insurance Fund benefits and income the member is in receipt of, limited withdrawals, paid as an annuity, be permitted from the retirement pot if the member is retrenched.
    • More work will be done to understand how the two-pot system should be applied to defined benefit funds (including public sector funds).
    • The minimum annual withdrawal from the savings pot remains R2 000 (before fees). These withdrawals may be done annually on a rolling annual basis.
    • A statutory minimum amount is applied to smaller retirement benefits on retirement (the de minimis amount) and retirement benefits below this amount are not required to be annuitised. This will continue in the two-pot system. The current proposal is that the statutory minimum amount will be applied to any amounts that would have been required to be annuitised on retirement (had the minimum amount not been applied).
    • Section 37D deductions, such as housing loans/guarantees and divorce orders, require further consideration.
    • Treasury’s intention appears to be to preserve the accrued right of older members of funds whose ongoing contributions to a provident fund are still not subject to compulsory annuitisation (because they were 55 years or older on 1 March 2021 and a member of the same provident fund when compulsory annuitisation became law). Such members may be given a choice of whether to opt into the two-pot system, to have ongoing access to a savings pot, or stay out of it, with their current accrued rights, and not have access to an ongoing savings pot. This will need to be clarified by Treasury going forward.

B. POPIA: a prescribed form for breach notifications to the Information Regulator

What is a breach?

All responsible parties (including retirement funds) are required to notify affected data subjects (e.g., members) and the Information Regulator as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information.[1]

This is often called a security compromise or ‘a data breach’.

The information officer registration portal on the Information Regulator’s website is now working

Please go to https://inforegulator.org.za/ and register if you have not already.

The responsible party must notify breaches

It is the responsible party that is required by law to notify breaches to affected data subjects and the Information Regulator – not their operators. For example, where an administrator is acting as the fund’s operator (e.g. it is paying benefits) and a data breach occurs, the administrator must immediately report this to the fund and the fund must attend to the required notification to both affected data subjects and the Information Regulator.

Funds should also follow their own data breach processes, which may be set out in one of their processes or policies.

There have been a number of cases to date where funds, or their service providers, have notified the Information Regulator of breaches. The Information Regulator can decide whether to take enforcement action, such as referring the matter to the Enforcement Committee. We are not aware, at the date of writing, of a fund that has been referred to the Enforcement Committee when it reported a breach.

Timing of the notification

By law, breaches must be notified “as soon as reasonably possible after the discovery of the compromise”[2].

Failure to report timeously is a breach of the Protection of Personal Information Act.

When notifying breaches to the Information Regulator, the new prescribed form MUST be used

On 12 August 2022, the Information Regulator issued:

  1. a Security Compromise Notification Form – this is the mandatory form the fund must use to notify any breach to the Information Regulator.
  2. a guideline to the Security Compromise Notification Form – the Guideline provides information about completing the form.
    • The form is available on the Information Regulator’s website https://inforegulator.org.za/ under the tab of POPIA forms. It is a fillable PDF form.
    • If you can’t fit all the information on the form, you may attach documents to your email.
    • The fund will need to update the Information Regulator on any new information relating to the breach.
    • Once completed, the form should be emailed to the Information Regulator using the following email address: POPIACompliance@inforegulator.org.za.
    • The Information Regulator will acknowledge the notification and issue a reference number.
    • There is no prescribed form for notification to data subjects of a breach.

The notification includes (among other things) the following information:

    • The date of the incident and an explanation for any delay in reporting the incident to the Information Regulator.
    • Whether the security compromise is confirmed or alleged.
    • The type of incident (for example, loss, damage, destruction or unlawful access or processing of personal information).
    • The categories of personal information that are potentially compromised.
    • The number of data subjects impacted by the incident.
    • The method of communication used to notify any affected data subjects.
    • A description of the measures that the responsible party intends to take or has taken to address the security compromise.
    • A declaration by the responsible party that the information is accurate, true, and correct.

