Accountability
Alexforbes recognises itself as a responsible party under POPIA and as an operator in respect of retirement funds, employers and other corporate entities who use our services and products. Due care and security of personal information as well as compliance with applicable laws will be adopted across Alexforbes, regardless of the role that Alexforbes plays.
Processing limitation
All personal information collected and used by Alexforbes is done so lawfully and in a reasonable way that does not infringe on the privacy rights of data subjects.
As far as possible, the principle of minimality (adequate, relevant and necessary) is upheld for all business activities – where the minimum set of data or information is processed to achieve the purpose.
Purpose specification
At all times, personal information is to be used for specific purposes only, and a record of these purposes is to be documented and maintained by the business unit making use of the personal information.
Data subjects are to be made aware, by Alexforbes or the relevant responsible party if not Alexforbes, of the purposes for which Alexforbes collects and uses their personal information at the point where it is collected or during any future interactions with the data subject.
Suitable records management policies, processes, standards and guidelines are developed to ensure appropriate retention, restriction, archival, deletion and destruction of records of personal information. Records of personal information are only kept for as long as a data subject has a relationship with Alexforbes, or as otherwise permitted by law or a contractual agreement, following which they are suitably disposed of, as far as reasonably possible, or otherwise securely archived for historical or evidentiary purposes.
Further processing
Any additional processing of personal information across Alexforbes must be compatible with the original purpose(s) for which it was collected.
For an incompatible or additional purpose of processing, Alexforbes or the relevant responsible party if not Alexforbes, must notify data subjects of this new purpose and obtain their consent, if necessary.
Where appropriate, as a financial services provider, Alexforbes may process personal information for the following additional purposes, which are considered compatible or provided for in law:
If information is de-identified and cannot be linked back to a data subject, then further processing may take place without the need for notification or consent of the data subject.
Information quality
Alexforbes will take reasonable steps to ensure that all personal data and information is kept accurate, complete, up to date and not misleading as is necessary for the purposes for which it is processed. Data enrichment or remediation from third-party sources is permitted provided that an appropriate assessment has been done by the Alexforbes privacy office.
Openness
Alexforbes will maintain a PAIA Manual as contemplated in section 51 of PAIA. The PAIA Manual will be made publicly available on the Alexforbes website. All PAIA requests and procedures are to be handled by the Alexforbes privacy office.
Where personal information is collected, the data subject is made aware of at least the following:
Security safeguards
Alexforbes establishes, reviews and maintains adequate technical and organisational security measures to deal with the confidentiality and integrity of personal information in its possession and to manage associated risks.
Alexforbes establishes due diligence procedures for assessing the use of third-party service providers, and these procedures are always adhered to when the third party will process or have access to personal information.
Where Alexforbes uses third parties to process personal information, if applicable under POPIA, consent will be obtained from any responsible parties.
Alexforbes may require standardised contractual clauses be included in all agreements to ensure that privacy, security, data processing and breach notification requirements are met.
On termination of an agreement or contract with a responsible party, Alexforbes will return all personal information to the client unless:
Data subject participation
Appropriate channels and mechanisms will be established such that data subjects can freely gain access to and correct their personal information, or exercise any rights that they have under applicable privacy and data protection laws.
Unless otherwise stipulated, funds authorise Alexforbes to respond to valid requests for access to personal information on their behalf.
Special personal information
Wherever categories of special personal information are used across the Alexforbes business, stricter controls are implemented to ensure that it is suitably protected, including encryption, stringent access controls to systems and data, and as far as possible and practical, records of access to all sensitive personal information should be kept.
Consent does not need to be collected if required by law (such as employment equity, disability, health and safety or other regulations). For any other purposes, explicit consent for the processing of any categories of special personal information must be collected and kept as evidence.
Explicit consent must be obtained from parents, legal guardians or caregivers in cases where the information of children (minors under the age of 18) or people incapable of managing their own affairs (people with diminished mental capacity) is collected or processed.
Direct marketing
Alexforbes does not actively engage in direct marketing. Where these activities do take place, all direct marketing activities are to be reviewed and approved by the Alexforbes privacy office prior to implementation and roll-out. Direct marketing activities must comply with any policies and standards as issued by Alexforbes Group Marketing.
Alexforbes ensures that where voluntary or optional communications are provided to data subjects regarding the provision of products or services, opt-out mechanisms are implemented to uphold such requests from the data subjects.
Subject to consent from a responsible party (employer or fund), Alexforbes may send promotional messages to data subjects on an opt-out (or opt-in) basis as required by law.
Automated decision-making
Occasionally, data subjects may be subjected to a decision which is based exclusively on an automated system which forms part of a contractual agreement with the data subject or where they have provided consent to such processing.
Automated decision-making includes profiling and behavioural or other tracking activities. Automated decision-making and profiling based on special categories of personal information must be approved by the Alexforbes privacy office.
Alexforbes must provide data subjects with a process whereby they may make representations about any decision made by such a system or its associated processing, so that the logic of the decision can be explained.
Cross-border information flows
Alexforbes adheres to the requirements stipulated in POPIA for the transmission of personal information across international borders.
Intragroup data transfers or requests
The Alexforbes group of companies has an internal privacy policy and all companies within the Alexforbes group agree to adhere to the policy and be bound by it. Consequently, if there are no conflicts of interest and the privacy rights of data subjects are protected, and appropriate security safeguards are applied, personal data and information may be shared between group entities to achieve the purpose for which it was collected.
Data breach reporting
Incoming:
Upon becoming aware of a breach, incident or other unauthorised access to personal information in their possession, all third parties and other stakeholders in the Alexforbes ecosystem must report such an incident to their contact at Alexforbes or the Alexforbes privacy office directly via email (zzprivacy@alexforbes.com).
Upon receipt of any such notification, an Alexforbes employee must immediately notify the Alexforbes privacy office.
Outgoing:
As a responsible party, should a breach or incident related to personal information occur, Alexforbes will notify the Information Regulator as soon as details of the breach or incident are available, but within the best-practice guidelines of a maximum of 72 hours following confirmation of the breach.
Any affected data subjects will be notified as soon as reasonably practical after a breach or incident has been discovered, and will always include the following information:
Where Alexforbes is the operator, if a breach or incident is discovered within any Alexforbes business unit relating to a client that is a responsible party, the responsible party will be notified, and Alexforbes will take guidance from the responsible party on how best to resolve the matter. Alexforbes will not report breaches to the Information Regulator directly or otherwise interact with them without instruction from the responsible party.
All reported breaches and incidents are maintained by the Alexforbes privacy office on a centralised register.
Regulatory authorisation
Alexforbes is required to identify instances where prior authorisation is required from the Information Regulator, and to make requests to the Information Regulator in accordance with their prescribed processes and guidelines.
Where Alexforbes is the operator, it is the duty of the responsible party to establish whether such authorisation is required and to obtain the necessary approval from the Information Regulator.
Should Alexforbes identify or become aware of a processing activity which requires such authorisation, the responsible party will be notified accordingly.
Records of prior authorisation requests and responses, or outcomes of such requests from the Information Regulator, are maintained by the Alexforbes privacy office.
Privacy impact assessments
Privacy impact assessments must be performed for the entire business at an Alexforbes group level annually. Targeted privacy impact assessments may be performed for those areas of the business where a high risk to the processing of personal information is likely or has been identified.
Employees and privacy
Employees receive training on privacy, information security and data protection. General awareness training is conducted for all employees at least annually.
General awareness training is also provided to all employees at induction upon joining Alexforbes. More detailed training is provided to specific employees aligned with their specific roles and responsibilities related to privacy and data protection.
Letters of appointment include appropriate privacy, confidentiality and data protection clauses.
Third-party management
Third parties may undergo risk assessments and further due diligence requirements dependent on the services that they will provide to Alexforbes, the types, sensitivity and volumes of personal information to be processed by the third party (if any), and the risk and potential impact posed to any data subjects by such processing.
Standard contractual agreements for all third parties will include privacy, data protection, information security and data handling clauses.
Information officer
Alexforbes has appointed the following senior manager as the information officer:
Fiona Rollason
Email: rollasonf@alexforbes.com
Disclaimer
The information in this document belongs to Alexforbes. You may not copy, distribute or modify any part of this document without our express written permission.