Over the last few months, National Treasury has engaged with stakeholders on the proposed two-pot retirement system. On 20 September 2022, it provided the Standing Committee on Finance with a Draft Response Document which includes responses to some comments received on the two-pot system.
While there are matters still to be decided by Treasury and we will see the development of the two-pot system before it is finalised, Treasury has given further insight into its thinking on several issues.
All responsible parties (including retirement funds) are required to notify affected data subjects (e.g., members) and the Information Regulator as soon as there are reasonable grounds to believe that an unauthorised party has unlawfully accessed or acquired personal information.
This is often called a security compromise or ‘a data breach’.
It is the responsible party that is required by law to notify breaches to affected data subjects and the Information Regulator – not their operators. For example, where an administrator is acting as the fund’s operator (e.g. it is paying benefits) and a data breach occurs, the administrator must immediately report this to the fund and the fund must attend to the required notification to both affected data subjects and the Information Regulator.
Funds should also follow their own data breach processes, which may be set out in one of their processes or policies.
There have been a number of cases to date where funds, or their service providers, have notified the Information Regulator of breaches. The Information Regulator can decide whether to take enforcement action, such as referring the matter to the Enforcement Committee. We are not aware, at the date of writing, of a fund that has been referred to the Enforcement Committee when it reported a breach.
By law, breaches must be notified “as soon as reasonably possible after the discovery of the compromise”.
Failure to report timeously is a breach of the Protection of Personal Information Act.
On 12 August 2022, the Information Regulator issued:
The notification includes (among other things) the following information: