Page 99 - Profiles's Unit Trusts & Collective Investments - September 2024
P. 99
Legislation and Guidelines
Does POPI apply to Financial Advisors?
The scope of POPI is very wide and it applies to almost everything that gets done with the
personal data of individuals.
POPI covers the defined activity of “processing” personal data – the activity is defined rather
than particular professions or types of entities. This makes the definition very broad: anyone who
processes personal data must comply with POPI and must only use personal data in accordance
with POPI’s data protection principles.
Any person or entity, therefore, that collects and/or holds information on identifiable
individuals – or uses, discloses or retains such information – is likely to fall under the definition of
“processing” personal data.
Clearly, financial services firms, including brokers and financial advisors, need to make sure
they comply with POPI. Any non-compliance with POPI since 1 July 2021 can have consequences
including penalties up to R10 million, civil proceedings instituted by data subjects or the
Regulator, and the possibility of both criminal charges and fines in some circumstances.
Consent
Under POPI, consent needs to be informed and specific; it needs to be voluntary and an
expression of will. In other words, the subject must make an active choice (clicking on a tick box,
for example) – it is no longer permissible to engineer automatic “opt in” when someone types an
email address or cell number, with “consent” buried somewhere in the terms and conditions.
Consent does not entitle anyone to misuse information. If a subject has given limited consent
and the personal information is used for other purposes, the responsible party could still be
reported to the Information Regulator.
POPI and PAIA
The implementation of POPI has focussed attention on the 2000 Promotion of Access to
Information Act (PAIA), which is a “freedom of information” law.
PAIA, which came into effect on 9 March 2001, was enacted to give effect to the constitutional
right of access to information. Section 32 of the Constitution states that: “Everyone has a right of
access to any information held by the state and any information held by another person that is
required for the exercise or protection of any rights.”
In terms of both the Constitution and PAIA, therefore, all people in South Africa, including
non-nationals, can request information from public and private bodies.
The ostensibly conflicting objectives of POPI and PAIA can be summarised as follows:
POPI requires organisations to safeguard information they collect and ensure data is not
misused
PAIA requires organisation to provide certain defined information both on request and in
published documents
The POPI and PAIA requirements are unrelated and have to be dealt with separately, although
POPI caused the requirement of Section 51 of PAIA, which defines the contents of every
organisation’s PAIA manual, to be amended. PAIA manuals have to be posted on websites and
made available at each organisation’s place of business (note that an earlier requirement that PAIA
manuals were to be lodged with the Human Rights Commission was removed). The PAIA manual
deadline was 31 December 2021.
CRISA and TCF
Code for Responsible Investing
The Code for Responsible Investing in South Africa (CRISA) was launched in July 2011. A second
version of it, CRISA 2.0 was launched in 2022 and reporting in terms of it became effective in 2023.
The code, a product of the Committee on Responsible Investing convened by the Institute of Directors
in South Africa, aims to encourage sound governance by major investors in their business activities.
Profile’s Unit Trusts & Collective Investments — Understanding Unit Trusts 97
