Page 98 - Profile's Unit Trusts & Collective Investments - September 2024
CHAPTER 5
ensuring FICA compliance. A specific individual with sufficient competence and seniority may be appointed to assist with ensuring compliance, but ultimate oversight rests with executives.
Notwithstanding the rigorous requirements of the Act, the FIC recognises that detecting ML/TF activity is not an exact science. To quote again from the guidance notes: “The risk-based approach is not a ‘zero failure’ approach as there may be occasions where an institution has taken all reasonable measures to identify and mitigate ML/TF risks, but it is still exploited for money laundering or terrorist financing purposes.”
POPI
POPI, the Protection of Personal Information Act, gives effect to the constitutional right to privacy in South Africa. The Act tries to balance the legitimate needs of entities to collect and use personal data for business and other purposes against the right to privacy of individuals and organisations.
Although the Act was signed into law in November 2013, the Regulator was only formalised in February 2017. The commencement date for the Act was 1 July 2020. A grace period of one year was granted, meaning that organisations that process “personal information” had until 1 July 2021 to comply with the legislation.
Note that the implementation of Section 58(2) of POPI – and only this section – was extended until 1 February 2022. Section 58(2) states that, where prior authorisation is required, no information processing may be carried out until the Information Regulator has given the all-clear.
Responsible Parties
POPI defines three parties (who can be natural or juristic) that are potentially involved in the processing of personal data:
The data subject: the party to whom the information relates.
The responsible party (usually called the “controller” in other parts of the world): the party who determines why and how to process the data (eg, a company, a government department, an NGO).
The operator (called the “processor” elsewhere): a party who processes personal information on behalf of a responsible party (eg, an IT vendor).
POPI imposes various obligations on responsible parties. Where they use third parties to process data, such operators must also comply with the POPI requirements.
The main obligations of responsible parties under POPI can be summarised as follows:
Only information needed for a specific purpose (usually disclosed to the data subject) should be collected
Reasonable security measures to protect data must be put in place
Personal data stored with permission must be relevant and up to date
Only as much as needed must be held, and only for as long as needed
Data subjects must be permitted to see what data is held if they so request
Processing Personal Information
“Personal Information” is defined as any information relating to an identifiable, living natural person or any juristic person. It includes (but is not limited to) the following:
Contact details: email, telephone, birth date, ethnicity
History: employment, financial, educational, criminal, medical records
Biometric information: blood type, fingerprints, voice signature
Personal opinions: including private views and preferences
Private correspondence: where it is implicitly or explicitly of a confidential nature
“Processing” means, very broadly, anything done with personal information, including collection, usage, storage, dissemination, modification, and even deletion.
Note that “personal information” does not necessarily mean data held in a database; it includes hand-written notes, emails, WhatsApp messages, and even audio or video call recordings. Hard copy records also fall under POPI.
96 Profile’s Unit Trusts & Collective Investments — Understanding Unit Trusts