Over the last few months, National Treasury has engaged with stakeholders on the proposed two-pot retirement system. On 20 September 2022, it provided the Standing Committee on Finance with a Draft Response Document which includes responses to some comments received on the two-pot system.
While there are matters still to be decided by Treasury and we will see the development of the two-pot system before it is finalised, Treasury has given further insight into its thinking on several issues.
All responsible parties (including retirement funds) are required to notify affected data subjects (e.g., members) and the Information Regulator as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information.[1]
This is often called a security compromise or ‘a data breach’.
Please go to https://inforegulator.org.za/ and register if you have not already.
It is the responsible party that is required by law to notify breaches to affected data subjects and the Information Regulator – not their operators. For example, where an administrator is acting as the fund’s operator (e.g. it is paying benefits) and a data breach occurs, the administrator must immediately report this to the fund and the fund must attend to the required notification to both affected data subjects and the Information Regulator.
Funds should also follow their own data breach processes, which may be set out in one of their processes or policies.
There have been a number of cases to date where funds, or their service providers, have notified the Information Regulator of breaches. The Information Regulator can decide whether to take enforcement action, such as referring the matter to the Enforcement Committee. We are not aware, at the date of writing, of a fund that has been referred to the Enforcement Committee when it reported a breach.
By law, breaches must be notified “as soon as reasonably possible after the discovery of the compromise”[2].
Failure to report timeously is a breach of the Protection of Personal Information Act.
On 12 August 2022, the Information Regulator issued:
The notification includes (among other things) the following information: