Privacy Policy
  1. INTRODUCTION AND PURPOSE
    1. The Board of Trustees (“the Board”) of the Consolidated Retirement Fund for Local Government (“the Fund”) recognises the importance of protecting the Personal Information1 of Data Subjects2 (including but not limited to members, former members, living annuitants, pensioners, beneficiaries, participating employers and service providers) and compliance with legislation and regulations of the Republic of South Africa insofar as such protection is concerned.
    2. The Board is therefore committed to comply with the data protection laws (“the Laws”) of the Republic of South Africa including but not limited to the Protection of Personal Information Act 4 of 2013 (“POPIA”).
    3. This policy demonstrates the Fund's commitment to Processing3 Personal Information in accordance with the Laws by implementing security protocols and internal controls for the purpose of managing compliance risk and to provide reasonable assurance to Data Subjects that their rights are protected.
    4. This policy inter alia sets out the Personal Information collected, the reasons therefor and the Processing thereof.

  2. APPLICATION OF THE POLICY
    This policy applies inter alia to the:

    1. Board, Principal Executive Officer (“the PEO”), the Fund's staff and all other fund officials;
    2. service providers of the Fund including but not limited to consultants, auditors, actuaries, stakeholders, insurance companies and independent contractors;
    3. members, former members, living annuitants, pensioners and beneficiaries; participating employers (including former and potential); and
    4. any other Persons4;

    5. in respect of which any Personal Information is processed by the Fund and its service providers where such service providers act as an Operator5.


  3. MINIMUM CONDITIONS OF COMPLIANCE WITH THIS POLICY
    1. Accountability
      1. The Fund shall ensure that the conditions set out in Chapter 3 of POPIA are complied with.

    2. Processing limitations
      1. Personal Information under the Fund's control shall be processed in a lawful manner that it is adequate, relevant and non-excessive.
      2. Special Personal Information6
        1. Special Personal Information shall only be Processed with the Consent7 of the Data Subject unless one or more of the exceptions set out in the Laws are present and justifies such processing.
      3. Collection and Consent
        1. Personal Information will only be Processed by the Fund if the Data Subject or the Competent Person8 in the case of children, has been informed in writing of the reasons for collecting his/her Personal Information and the Data Subject consents in writing to the Processing or if there is a lawful justification in terms of the Laws.
        2. The Fund shall collect Personal Information directly from the Data Subject unless there are lawful exceptions that exist to justify collecting such information from another source.
        3. In the event that Personal Information is collected from another source it shall be collected in accordance with the Laws including but not limited to collection of Personal Information of a member/former member from the participating employer.
      4. Sharing Personal Information
        1. The Data Subject's Personal Information shall only be shared with Fund related parties including but not limited to the Fund's service providers where such processing is necessary to achieve the purpose for which the information was collected and/or in compliance with the legislation.
        2. The Fund will not disclose the Data Subject's Personal Information to external organisations unless the Data Subject consented thereto in writing or the Fund is required to do so by law, or if it is necessary to protect the rights and interests of the Data Subject or the Public.
      5. Storing Personal Information
        1. There are instances where the Fund and/or its Operators store or Process the Data Subject's Personal Information in other countries. In such instances the Fund and the Operators shall ensure that the party storing or Processing Personal Information is legally and contractually required to conform to the standards of security and privacy similar to those that apply in the Republic of South Africa.

    3. Purpose specification
      1. Personal Information shall only be collected for a specific, explicitly defined and lawful purpose.
      2. The Data Subject will be notified in writing of the purpose of collection of the information subject to the Laws.
      3. The Personal Information collected and processed by the Fund shall only be retained for the period necessary to achieve the purpose for which the information was collected, unless one or more of the exceptions set out in the Laws are present.
      4. The Fund shall destroy hard copies of Personal Information and restrict the Processing of Personal Information where such information is only required for compliance with legislation insofar as its retention is concerned. Once the time period as set out in the legislation has lapsed the Fund shall destroy the Personal Information.

    4. Further Processing
      1. The Fund shall only process Personal Information further if it is compatible with the purpose for which it was collected unless one or more of the exceptions as set out in POPIA are present.

    5. Quality of information
      1. The Fund shall take reasonably practicable steps to ensure that the Personal Information Processed is complete, accurate, not misleading and up to date.

    6. Openness
      1. The Fund will take reasonably practicable steps to ensure that the Data Subject is aware when Personal Information is collected. The Fund shall notify the Data Subject in writing where it has reasonable grounds to suspect that the Personal Information of the Data Subject has been accessed or acquired by an unauthorised person.

    7. Security safeguards
      1. The Fund will ensure the integrity and confidentiality of Personal Information in its possession in order to minimise the risk of loss, unauthorised access, disclosure, interference, modification or destruction of Personal Information.
      2. In order to give effect to the above mentioned, the Fund will take the following measures:
        1. identify all reasonably foreseeable internal and external risks to Personal Information in the Fund's possession or under its control;
        2. establish and maintain safeguards and protocols against the risks identified;
        3. provide regular training and guidance to staff to ensure compliance with the Laws;
        4. verify that the safeguards and protocols are effectively implemented and adhered to; and
        5. Ensure that the safeguards and protocols are regularly reviewed and updated to cater for new risks or deficiencies.
      3. Operators
        1. The Operators undertake to comply with the provisions of the Laws.
        2. The Fund and the Operators shall in terms of a written contract agree on measures to be implemented by the Operator to ensure compliance with the Laws.
        3. The Operators will keep abreast and always comply with the Laws and ensure that their staff who has access to Personal Information of the Data Subjects are well trained on the Laws and comply with it.
        4. The Operators shall not be entitled to transfer Personal Information to a foreign country unless the Fund consents in writing thereto prior to such a transfer to the foreign country provided that such foreign country provides the same or similar protection to the Data Subject as under the Laws.
        5. Operators undertake not to subcontract the Processing of Personal Information without the Fund's prior written approval.
        6. In the event that there are reasonable grounds to believe that the Personal Information of a Data Subject has been compromised it must be reported to the Information Officer9 of the Fund who in return shall notify the Information Regulator10 and the Data Subject unless the Data Subject cannot be established with reference to the Laws.


  4. PERSONAL INFORMATION PROCESSED BY THE FUND
    The below mentioned are categories and types of Personal Information processed by the Fund however other categories and types of Personal Information not listed herein may also be processed where necessary and in accordance with the Laws.

    Item Category of Data Subject Personal Information
    1. Members including former members, in-Fund living annuitants and pensioners of the Fund. Full names, physical and postal address, gender, identity number, date of birth, age including retirement age, nationality, date joining and leaving the Fund, Fund's system number, employer details including employee number, Financial Intelligence Centre Act 38 of 2001 (“FICA”) information, contact details, salary, tax number, health and disability information, banking details, policy number for risk benefits offered by the Fund, unclaimed benefits, divorces, marital status, maintenance, information regarding dependants including children, living arrangements, mortgage over property applications, benefit statements, nomination and other information.
    2. Beneficiaries, potential beneficiaries and nominees contemplated in section 37C of the Pension Funds Act 24 of 1956 (“PFA”), other family members and caregivers. Full names, physical and postal address, gender, identity number, date of birth, age, nationality, occupation, salary, financial circumstances, tax number, health and disability information, banking details, marital status, living arrangements, criminal behaviour, maintenance information, education, training, paternity and other information.
    3. Party to divorce proceedings or person(s) representing/assisting such a party such as an attorney, court officials such as maintenance officers, applicants in maintenance proceedings. Full names, identity number, address, contact details, tax number, banking details, benefit statements, marriage certificates, antenuptial contracts and other information.
    4. Board of Trustees, the Principal Executive Officer and Fund staff including candidates for vacant positions. Full names, physical and postal address, gender, identity number, passport numbers, date of birth, age including retirement age, nationality, address, FICA information, contact details, salary, tax number, health and disability information, banking details, biometric information, criminal checks, credit checks, employment history, qualifications, banking details and other information.
    5. Service providers including consultants and independent contractors. Full names, registration number, due diligence information, names of directors/members and relevant staff contact persons, contact details, banking details, VAT number, compliance and regulatory information, licences, authorisations and accreditations relevant to the services provided and other information.
    6. Regulatory entities. Regulatory authorities' representative's personal information such as name and surname, contact details and addresses, recordings of in-person/virtual workshops and training/meetings, banking details, correspondence, reports and returns.
    7. Participating employers (including potential participating employers). Names and contact details of relevant staff members, banking details and other information.


  5. PERSONAL INFORMATION PROCESSED BY THE FUND
    1. The Fund processes Personal Information to inter alia provide pension benefits to its members and in this regard processes Personal Information for inter alia, the following reasons:
      1. give effect to the payment instructions of members/former members/beneficiaries including transfers to in-Fund products/out of Fund products or external entities;
      2. internal and external auditing;
      3. compliance with laws and regulations including reporting requirements and retention of personal information time periods;
      4. give effect to enforceable orders issued against the Fund including divorce and maintenance orders;
      5. liaise with participating employers as to the member's employment details and other related information including but not limited to payment of contributions;
      6. sharing Personal Information with Operators such as an underwriter and consultants in order to achieve the purpose for which such information was collected;
      7. investigate and distribute death benefits in accordance with Section 37C of the PFA;
      8. in connection with legal proceedings against or on behalf of the Fund;
      9. to fulfil any of the Fund's legal obligations in terms of the Laws; and
      10. in connection with proposed or contractual terms and conditions with service providers.


  6. RIGHTS OF THE DATA SUBJECT
    1. The Data Subject has the right with reference to Laws, to request:
      1. access to -;
      2. correction of -;
      3. purpose of -;
      4. deletion or destruction of -;
      5. objection to the Processing of -;

      6. his/her Personal Information held by the Fund or its service providers and make such requests using the prescribed forms available on the Information Regulator's website (link to the website is set out in this policy).


  7. INFORMATION AND DEPUTY OFFICERS OF THE FUND
    1. The Fund's appointed Information Officer is the PEO, the Deputy Information Officer is the Chief Financial Officer.
    2. The Information Officer and his/her Deputy are responsible for implementing this policy and to ensure compliance with the Laws by the Fund including attending to complaints, requests for Personal Information and other related queries.


  8. ACCOUNTABILITIES AND RESPONSIBILITIES FOR COMPLIANCE
    1. The Board is committed to continually safeguarding, protecting and avoiding any unauthorised disclosure, access or breach of Personal Information in the execution of the Fund's duties.
    2. The Fund shall conduct periodic POPIA audits in order to access the ways in which the Fund collects, holds, uses, shares, discloses, destroys and processes Personal Information.


  9. COMPLAINTS PROCEDURE
    1. The Data Subjects are entitled to lodge a complaint with the Fund in the event that they believe that their rights under the Laws have been infringed. Such complaint is to be lodged via email to PAIA@crfund.co.za or delivered by hand to the Fund Offices.
    2. The Information Officer shall investigate the complaint and respond thereto within 14 days of receipt of such a complaint. Should the matter remain unresolved the Data Subject is entitled to lodge a complaint with the Information Regulator. The prescribed form is available on the Information Regulator's website and may be sent via email to POPIAComplaints@inforegulator.org.za.
    3. The physical address and website of the Information Regulator is as follows:

      JD House
      27 Stiemens Street
      Braamfontein, Johannesburg
      Website: www.inforegulator.org.za


  10. EFFECTIVE DATE
    1. This revised Policy is effective from 4 December 2024.


  11. REVIEW OF THE POLICY
    1. This policy shall be reviewed annually or more frequently if circumstances require it.


1As defined in the POPIA.
2As defined in the POPIA.
3As defined in the POPIA.
4As defined in the POPIA.
5As defined in the POPIA.
6As referred to in Section 26 and 27 of the POPIA.
7As defined in the POPIA.
8As defined in the POPIA.
9As defined in the POPIA. The Information Officer is responsible for ensuring that the Fund complies with POPIA.
10Established in Section 39 of the POPIA.