10X Investments

Consumer Protection Act: Exemptions for retirement funds

August 30th, 2011

The Consumer Protection Act (CPA), which came into effect on 31 March 2011, also applies to retirement funds. A previous publication (Legislative Updates 13 May 2011) discussed this in detail. Please contact 10X if you require a copy of this publication.

General exemptions

The following are exempt from the CPA:

  • Entities with assets or turnover above R2 million are excluded from the definition of “consumer”. Most retirement funds are thus only categorised as “suppliers”
  • Services constituting advice in terms of FAIS
  • Services related to the underwriting of any risk regulated under the Long-term and Short-term Insurance Acts, provided that these Acts are brought in line with the CPA by September 2012.

Exemptions specific to the retirement funds industry

The Minister of Trade & Industry published notices on 27 June 2011 exempting certain institutions – including retirement funds – from some of the provisions of the CPA. This exemption runs from 1 April 2011 to 1 September 2012. This temporary exemption will give the FSB time to align retirement fund regulation with the CPA. Retirement funds are thus, for now, exempted from most provisions of the CPA.

Furthermore, complaints against retirement funds cannot be referred to the National Consumer Commissioner and remain in the domain of the Pension Funds Adjudicator.

Retirement funds must still comply with some CPA provisions

The following are still governed by the CPA:

  • Consumers’ right to restrict unwanted direct marketing
  • Consumers’ right to select suppliers
  • Bait marketing
  • Negative option marketing
  • Catalogue marketing
  • Customer loyalty programmes and promotional competitions.

Implications of the Protection of Personal Information Act (POPI) for retirement funds

The Protection of Personal Information Bill (“POPI”) is not yet law. This Act is likely to be promulgated at the end of 2011 and should include a 12-month transition period to give institutions and companies time to comply.

If the POPI Bill is passed in its current form, it would greatly impact the way in which information is transferred between the numerous parties involved in retirement fund activities, such as employers, administrators and asset managers. Information between these parties is exchanged in many different ways and is therefore susceptible to leaks. Overleaf we set out the principles contained in the POPI Bill, as far as these impact on retirement funds.

Do not confuse POPI with the much-publicised Protection of Information Bill, which classifies State information.

The Act refers to terms such as the “data subject” and the “responsible party”. For the purpose of understanding how this Act applies to retirement funds, our publication substitutes the term “data subject” with “member” and “responsible party” with “administrator”.

Principle 1: Accountability

The administrator is accountable for compliance under POPI.

Principle 2: Processing limitation

Information may only be processed for purposes that are adequate, relevant and not excessive. This may be a challenge as funds pass information between various parties. Further, information is seldom obtained directly from members, nor is their consent obtained at every point that this information is exchanged. The industry must obtain clarity on this.

Principle 3: Purpose specification

Information must be collected for a specific purpose and members must be aware of this purpose. This provision does not clarify how much detail is required when the information is processed, and whether each possible purpose needs to be set out. Further, information may only be retained for as long as it is necessary to achieve the given purpose.

Principle 4: Further processing limitation

The administrator may only use information for compatible purposes. Administrators also may not use information for a purpose unrelated to the original processing, without obtaining further consent from the member.

Principle 5: Information quality

The administrator must take reasonable steps to ensure that information is complete and not misleading. Further clarity is still required on how information updates are given to members where information is used on an ongoing basis.

Principle 6: Openness

The administrator may only collect personal information if the Regulator has been notified and this notification is recorded in a register.

Openness with the Regulator

Administrators must notify the Regulator (once-off) of any personal information processed. Administrators may be exempted if they have submitted a manual in terms of the Promotion of Access to Information Act.

Openness with the member

Administrators must take reasonable steps to notify members of the information collected, for what purpose, whether its supply is voluntary or mandatory, the consequences of not providing this information and any particular law that applies to this. Members must be informed of the above before the information is collected.

Exceptions

Administrators may avoid this information process if:

  • Members have given their prior consent
  • It will not prejudice the legitimate interests of members
  • It is necessary to process the information, to perform in terms of a contract to which the member is a party
  • It prejudices a lawful purpose of the collection
  • It is not reasonably practicable in the circumstances
  • The information will be used for statistical or research purposes.

Principle 7: Security safeguards

The administrator must put measures in place that protect the confidential nature of collected information. They must ensure the integrity of personal information and take appropriate, reasonable, technical and organisational measures to prevent personal information being lost or unlawfully accessed and processed. This will be challenging as technologies such as cellphones and memory sticks are currently used by funds to transfer information.

Principle 8: Individual participation

Members may confirm (free of charge) whether information is held about themselves. They may request that the information is amended or destroyed if the reason to hold the information no longer exists. The administrator may refuse this request if it is required to continue holding the information, for example under FICA requirements.

Principle 9: Accountability

The administrator must implement procedures to ensure the principles of POPI are complied with, if this Bill becomes law. Funds, employers and service providers deal with personal information on a daily basis. Therefore, data flows will need to be mapped through every step of the information transfer process to ensure the security of members’ personal information. Further, contracts will need to be drawn up between the parties exchanging members’ personal information.
