Privacy statement

Alexander Forbes Group Holdings Limited and its subsidiary companies (hereafter referred to as Alexforbes) recognises its obligation to comply with the requirements of the Protection of Personal Information Act 4 of 2013 (POPIA).

 

Statement 1

Accountability

Alexforbes recognises itself as a responsible party under POPIA and as an operator in respect of retirement funds, employers and other corporate entities who use our services and products. Due care and security of personal information as well as compliance with applicable laws will be adopted across Alexforbes, regardless of the role that Alexforbes plays.

Statement 2

Processing limitation

Alexforbes collects and uses all personal information lawfully and in a reasonable way that does not infringe on the privacy rights of data subjects.

As far as possible, the principle of minimality (adequate, relevant and necessary) is upheld for all business activities – where the minimum set of data or information is processed to achieve the purpose.

Statement 3

Purpose specification

At all times, personal information is to be used for specific purposes only, and a record of these purposes is to be documented and maintained by the business unit making use of the personal information.

Data subjects are to be made aware, by Alexforbes or the relevant responsible party if not Alexforbes, of the purposes for which Alexforbes collects and uses their personal information at the point where it is collected or during any future interactions with the data subject.

Suitable records management policies, processes, standards and guidelines are developed to ensure appropriate retention, restriction, archival, deletion and destruction of records of personal information. Records of personal information are only kept for as long as a data subject has a relationship with Alexforbes, or as otherwise permitted by law or a contractual agreement, following which they are suitably disposed of, as far as reasonably possible, or otherwise securely archived for historical or evidentiary purposes.

Statement 4

Further processing

Any additional processing of personal information across Alexforbes must be compatible with the original purpose(s) for which it was collected.

For an incompatible or additional purpose of processing, Alexforbes or the relevant responsible party if not Alexforbes, must notify data subjects of this new purpose and obtain their consent, if necessary.

Where appropriate, as a financial services provider, Alexforbes may process personal information for the following additional purposes, which are considered compatible or provided for in law:

  • Compliance with any laws applicable to Alexforbes.
  • To protect its employees, corporate clients, funds, employers and their members, third parties and other stakeholders against financial loss due to dishonesty, malpractice, improper conduct, unfitness or incompetence of data subjects within Alexforbes, even without their consent.
  • To provide holistic integrated solutions for responsible parties, which include financial and other solutions that provide insight, advice and impact to our data subjects, or as provided for in contractual agreements, or as otherwise directed by responsible parties.

If information is de-identified and cannot be linked back to a data subject, then further processing may take place without the need for notification or consent of the data subject.

Statement 5

Information quality

Alexforbes will take reasonable steps to ensure that all personal data and information is kept accurate, complete, up to date and not misleading as is necessary for the purposes for which it is processed. Data enrichment or remediation from third-party sources is permitted provided that an appropriate assessment has been done by the Alexforbes privacy office.

Statement 6

Openness

Alexforbes will maintain a PAIA Manual as contemplated in section 51 of PAIA. The PAIA Manual will be made publicly available on the Alexforbes website. All PAIA requests and procedures are to be handled by the Alexforbes privacy office.

Where personal information is collected, the data subject is made aware of at least the following:

  • What the personal information will be used for 
  • Consequences of the failure to provide this information
  • Any laws which authorise such collection or processing
  • If information will be transferred to third parties or across international borders
  • The rights they have in terms of their personal information 
  • If any of the information will be used for automated decision-making and profiling, suitable logic surrounding such processing and any consequences of such automated processing

Statement 7

Security safeguards

Alexforbes establishes, reviews and maintains adequate technical and organisational security measures to deal with the confidentiality and integrity of personal information in its possession and to manage associated risks.

Alexforbes establishes due diligence procedures for assessing the use of third-party service providers, and these procedures are always adhered to when the third party will process or have access to personal information.

Where Alexforbes uses third parties to process personal information, if applicable under POPIA, consent will be obtained from any responsible parties.

Alexforbes may require standardised contractual clauses be included in all agreements to ensure that privacy, security, data processing and breach notification requirements are met.

On termination of an agreement or contract with a responsible party, Alexforbes will return all personal information to the client unless:

  • Directed or permitted by law to keep the personal information beyond termination of the agreement
  • Instructed by the client to retain the information on its behalf
  • The data subject(s) have consented in writing to the personal information being kept

Statement 8

Data subject participation

Appropriate channels and mechanisms will be established such that data subjects can freely gain access to and correct their personal information, or exercise any rights that they have under applicable privacy and data protection laws.

Unless otherwise stipulated, funds authorise Alexforbes to respond to valid requests for access to personal information on their behalf.

Statement 9

Special personal information

Wherever categories of special personal information are used across the Alexforbes business, stricter controls are implemented to ensure that it is suitably protected, including encryption, stringent access controls to systems and data, and as far as possible and practical, records of access to all sensitive personal information should be kept.

Consent does not need to be collected if required by law (such as employment equity, disability, health and safety or other regulations). For any other purposes, explicit consent for the processing of any categories of special personal information must be collected and kept as evidence.

Explicit consent must be obtained from parents, legal guardians or caregivers in cases where the information of children (minors under the age of 18) or people incapable of managing their own affairs (people with diminished mental capacity) is collected or processed.

Statement 10

Direct marketing

Alexforbes does not actively engage in direct marketing. Where these activities do take place, all direct marketing activities are to be reviewed and approved by the Alexforbes privacy office prior to implementation and roll-out. Direct marketing activities must comply with any policies and standards as issued by Alexforbes Group Marketing.

Alexforbes ensures that where voluntary or optional communications are provided to data subjects regarding the provision of products or services, opt-out mechanisms are implemented to uphold such requests from the data subjects.

Subject to consent from a responsible party (employer or fund), Alexforbes may send promotional messages to data subjects on an opt-out (or opt-in) basis as required by law.

Statement 11

Further processing

Occasionally, data subjects may be subjected to a decision which is based exclusively on an automated system which forms part of a contractual agreement with the data subject or where they have provided consent to such processing.

Automated decision-making includes profiling and behavioural or other tracking activities. Automated decision-making and profiling based on special categories of personal information must be approved by the Alexforbes privacy office.

Alexforbes will provide data subjects with a process whereby they may make representation about any decision made by such a system or its associated processing so that the logic of the decision can be explained.

Statement 12

Cross-border information flows

Alexforbes adheres to the requirements stipulated in POPIA for the transmission of personal information across international borders.

Statement 13

Intragroup data transfers or requests

The Alexforbes group of companies has an internal privacy policy and all companies within the Alexforbes group agree to adhere to the policy and be bound by it. Consequently, if there are no conflicts of interest and the privacy rights of data subjects are protected, and appropriate security safeguards are applied, personal data and information may be shared between group entities to achieve the purpose for which it was collected.

Statement 14

Data breach reporting

Incoming:

Upon becoming aware of a breach, incident or other unauthorised access to personal information in their possession, all third parties and other stakeholders in the Alexforbes ecosystem must report such an incident to their contact at Alexforbes or the Alexforbes privacy office directly via email (zzprivacy@alexforbes.com).

Upon receipt of any such notification, an Alexforbes employee must immediately notify the Alexforbes privacy office.

Outgoing:

As a responsible party, should a breach or incident related to personal information occur, Alexforbes will notify the Information Regulator as soon as details of the breach or incident are available, but within the best-practice guidelines of a maximum of 72 hours following confirmation of the breach.

Any affected data subjects will be notified as soon as reasonably practical after a breach or incident has been discovered, and the notification will always include the following information:

  • The personal information that was compromised in the breach
  • The steps that Alexforbes has taken or will take to address the breach
  • Any steps that the data subject can take to protect themselves against the consequences of the breach
  • If known, or at the guidance of the Information Regulator, the identity of the individual(s) who gained unauthorised access to the personal information

Where Alexforbes is the operator, if a breach or incident is discovered within any Alexforbes business unit relating to a client that is a responsible party, the responsible party will be notified, and Alexforbes will take guidance from the responsible party on how best to resolve the matter. Alexforbes will not report breaches to the Information Regulator directly or otherwise interact with them without instruction from the responsible party.

All reported breaches and incidents are maintained by the Alexforbes privacy office on a centralised register.

Statement 15

Regulatory authorisation

Alexforbes is required to identify instances where prior authorisation is required from the Information Regulator, and to make requests to the Information Regulator in accordance with their prescribed processes and guidelines.

Where Alexforbes is the operator, it is the duty of the responsible party to ensure that such authorisation is required and the necessary approval is obtained from the Information Regulator.

Should Alexforbes identify or become aware of a processing activity which requires such authorisation, the responsible party will be notified accordingly.

Records of prior authorisation requests and responses, or outcomes of such requests from the Information Regulator, are maintained by the Alexforbes privacy office.

Statement 16

Privacy impact assessments

Privacy impact assessments must be performed for the entire business at an Alexforbes group level annually. Targeted privacy impact assessments may be performed for those areas of the business where a high risk to processing of personal information is likely or has been identified.

Statement 17

Employees and privacy

Employees receive training on privacy, information security and data protection. General awareness training is conducted for all employees at least annually.

General awareness training is also provided to all employees at induction upon joining Alexforbes. More detailed training is provided to specific employees aligned with their specific roles and responsibilities related to privacy and data protection.

Letters of appointment include appropriate privacy, confidentiality and data protection clauses.

Statement 18

Third-party management

Third parties may undergo risk assessments and further due diligence requirements dependent on the services that they will provide to Alexforbes, the types, sensitivity and volumes of personal information to be processed by the third party (if any), and the risk and potential impact posed to any data subjects by such processing.

Standard contractual agreements for all third parties will include privacy, data protection, information security and data handling clauses.

Information officer
Alexforbes has appointed the following senior manager as the information officer:
Fiona Rollason
Email: rollasonf@alexforbes.com

 

Disclaimer

The information in this document belongs to Alexforbes. You may not copy, distribute or modify any part of this document without our express written permission.