The much-anticipated Protection of Personal Information Bill (PoPI) and the Financial Markets Act 2012 (FMA) will have a huge influence on the manner in which Strate deals with personal information in relation to the shareholders of listed companies.
PoPI is being debated in Parliament and is aimed at promoting the right to privacy enshrined in section 14 of the Constitution of the Republic of South Africa, 1996. It will affect every person dealing with personal information, including, Strate, CSD Participants, issuers, transfer secretaries, etc.
Furthermore, the FMA was signed into law on 30th January 2013 and it will replace the Securities Services Act 2004 (SSA) in the very near future. The FMA will, among other things, regulate how organisations, such as Strate, deal with confidential information.
PoPI and the FMA will have an impact on the custody and administration of securities (particularly the share registers) as it relates to personal information.
It is important to note that both PoPI and the FMA prescribe penalties for non-compliance, being a fine or a jail sentence of up to 10 years or both in respect of PoPI, and a fine of up to R1 million or a jail sentence of up to 5 years or both in respect of the FMA. It is important to further note that the penalties in respect of PoPI will apply to every person, while the penalties in respect of the FMA will only apply to institutions, such as Strate and its personnel.
In anticipation of the implementation of either PoPI or the FMA, Strate has undertaken extensive consultation and reviews of its operations, including the review of and the proposed draft amendments to its Directive SA.8 dealing with beneficial download (BND) for bonds and equities.
The BND report can be provided weekly or monthly basis to issuers of bonds and equities as well as other market stakeholders in the South African market to provide them with the detailed breakdown of the dematerialised beneficial shareholders. The BND includes, but is not limited to, information that related to – the shareholder’s name, ID number, address, e-mail address, country of domicile, and the number and description of shares held.
The proposed draft amendments to Directive SA.8 relate to limiting the amount of BND information that may be given to third parties (as required by both PoPI and the FMA), and the requirement to secure the personal information in the BND file as prohibited by PoPI. These proposed draft changes have been discussed with the relevant market stakeholders through workshops, meetings and e-mail communication, and the affected parties have been afforded an opportunity to submit their comments as part of Strate’s directive consultation process.
Once the consultation process is completed, the proposed draft changes to Directive SA.8 will only be implemented by Strate upon the implementation of either PoPI or the FMA, whichever may be implemented first. It is clear from the above that Strate has no option but to ensure total compliance with the forthcoming legislation.
PoPI
PoPI applies to “the processing or use of personal information”. The term “processing or use” includes a wide range of activities, whether done manually or through automated means. Such activities include collecting, receiving, recording, storing, updating, retrieving, distributing, making available, merging, linking, destroying, etc. The term “personal information” is widely defined to include information relating to a living natural person or an existing juristic person, such as name, physical address, e-mail address, telephone number, identifying number or any particular assignment to the person, financial history, location information, race, gender, marital status, nationality, age, language, etc. In addition, PoPI further prescribes certain standards relating to the safeguarding of personal information. With the introduction of PoPI, every person or institution will need to be cognisant of what they/it does.
The use of personal information
PoPI prohibits the use of personal information of another person unless certain grounds or exceptions exist. This prohibition applies to both natural persons and juristic persons (e.g. a company, trust, close corporation), and the personal information that is being protected also relates to both natural persons and juristic persons. There are, however, grounds or exceptions upon which a person is allowed to use personal information. Any one or more of the following grounds or exceptions must exist in order to use personal information.
Where the owner of the personal information has given consent. Consent has been defined in PoPI as “any voluntary, specific and informed expression of will …”. This definition suggests that if the owner of personal information gives consent to use personal information for one purpose, it may not be used for another purpose.
Where the use is necessary to carry out actions for the conclusion or performance of a contract to which the owner of the personal information is party. This would be a rare scenario in our custody and administration of securities environment, however personal information may be used by any party to perform or conclude a contract with or involving the owner of personal information.
Where the use complies with an obligation imposed by the law on the person using the personal information. Where the law places a duty on a person to perform certain duties, personal information may be used in the performance of such duties. E.g. in terms of section 30(2)(m) of the FMA, the CSD (Strate) must on request, disclose information about securities held in the central securities account to the registrar (the Financial Services Board) and to the issuer of those securities. CSD Participants also have a similar duty in terms of section 32(2)(h) of the FMA. As such, CSD Participants and Strate may disclose personal information to the FSB and issuers in order to perform those obligations.
Where the use protects a legitimate interests of the owner of personal information. In terms of section 62 of the Companies Act (2008), shareholders have a right to receive notices of meetings and other reports from the issuers, for the purposes of attending and voting at company’s meetings, etc. Issuers, CSD Participants and Strate may use shareholders’ personal information to, amongst other things, effect delivery of relevant issuers’ notices and reports, to shareholders, thereby protecting shareholders’ rights or legitimate interests.
Where the use is necessary for the proper performance of a public law duty by a pubic body. Strate is a public body in terms of the law, and it may in terms of PoPI use personal information in the performance of its public law duties, including, the disclosure of personal information to regulators or public bodies such as the Financial Services Board, South African Revenue Services, Financial Intelligence Centre, etc.
In addition to the prohibition on the use of personal information, PoPI also imposes a duty on a person collecting personal information to collect it for a specific, explicitly defined and lawful purpose related to the function and activity of such person. PoPI further imposes a duty on a person using the personal information, to use such personal information, if given the purpose for which it is used, the use is adequate, relevant and not excessive.
Safeguarding the personal information
In terms of PoPI, a person who is in possession of or in control of personal information must take the necessary steps to secure the integrity and confidentiality of such personal information. “Securing the integrity of personal information” would include taking the necessary steps to ensure that personal information is reliable, trustworthy and not being subjected to unauthorised alteration, editing, etc. “Securing the confidentiality of personal information” would include taking the necessary steps to secure personal information against access or use by unauthorised persons. Such person must also take necessary steps to prevent the personal information from loss, damage or unauthorised destruction. Furthermore, personal information may not be kept for longer than is necessary to achieve the purpose for which it was collected, unless certain defined grounds or exceptions exist.
FMA
In addition to the duties imposed by PoPI, the FMA (section 73) specifically imposes a duty on institutions such as Strate and its personnel (including the CEO, officers, employees, etc.), not to disclose confidential information obtained in the performance of the functions in terms of the FMA, unless the following grounds or exceptions exist. Some of these grounds or exceptions overlap with the grounds in terms of PoPI.
The owner of the information has given consent. Consent is not defined in the FMA and it would presumably bear the same meaning as PoPI. See PoPI above.
The disclosure is required or permitted by the law or court order. E.g. where the law or court order specifically states that certain information must be disclosed.
The disclosure is necessary for the performance of duties under any law. See PoPI above.
The disclosure is required for the purposes of legal proceedings. E.g. where there is a writ of attachment issued by the Court to attach uncertificated securities, personal information in the securities account or central securities account may be disclosed to the Sheriff and/or Court to satisfy such writ of attachment.
For further information, please contact Strate Legal Services on Strate-Legal@strate.co.za.
