Sharing personal information of trust beneficiaries to verify black ownership under the scorecards requires companies and trusts to be aware of POPIA requirements.
Under the Codes of Good Practice for Broad-based Black Economic Empowerment, issued in terms of the Broad-Based Black Economic Empowerment Act 53 of 2003 (B-BBEE Act), an enterprise must maintain a scorecard showing, inter alia, how it is achieving black ownership targets. The measured entity can earn B-BBEE points on the scorecard, as part of the ownership element, for some collective investment ownership structures. These structures include Employee Share Ownership Schemes (ESOPs) and Broad-Based Ownership Schemes (BBOS).
In these collective investment structures, there is an interplay between the ultimate shareholders of the entity seeking a B-BBEE rating (the Measured Entity), which may include an ESOP and/or a BBOS, and the investee company, as the Measured Entity. The main players involved in the verification of black ownership in this case are the Measured Entity, the ESOP or BBOS and the B-BBEE verification agent.
The Codes require that for the Measured Entity to be awarded full points for an ESOP or a BBOS, the beneficiaries of the structure, which is usually a trust, must be defined and identified. This can be done by defining the beneficiaries as a class of natural persons collectively (e.g. the local community of a certain area, learners at schools or colleges in a particular area) or specifically identifying them in a written record containing their details, including name, age, race group and address. In both cases, a register has to be maintained with the relevant information of the beneficiaries and it must be produced to enable them to be identified for information and verification purposes. The Measured Entity must obtain the requisite information from the trust, as it has to provide the details of the specific beneficiaries to achieve an annual rating by a B-BBEE verification agency or audit firm.
The Protection of Personal Information Act (POPIA), which came into force on 1 July, has potential implications for measured entities with collective investment ownership vehicles that contribute to their black ownership.
Many trusts were established over a decade ago, before there was a legal requirement to retain and process the personal information of their beneficiaries. In some cases, the beneficiaries may number only a few hundred people, but for some of the older and larger BBOS or ESOPs, the number may run into thousands.
Under POPIA, an enterprise, and any related trust, must have a lawful basis for processing the personal information of its beneficiaries. The Act also requires that beneficiaries be notified of any sharing of their personal information. The trust or Measured Entity must ensure that beneficiaries are notified that their personal information will be shared with a third party, namely the verification agency and/or their auditors or advisers and, potentially, the Measured Entity. In turn, the verification agency is required to comply with POPIA in processing beneficiaries’ personal information.
For example, a decade-old trust may have been formed to make sustainable investments and will use the dividends to fund thousands, or tens of thousands of beneficiaries, such as community members or schools. Its investments may stretch across 20 different companies, each of which has to submit itself to B-BBEE verification annually. The trust must now ensure that it has a lawful basis, as contemplated in POPIA, to share these beneficiaries’ personal information with the Measured Entity and the B-BBEE verification agent from time to time.
Different types of information are subject to different controls. POPIA regulates “personal information” and “special personal information”. “Special personal information” includes information about the health or disability of a data subject. If the information pertains to minors, POPIA has additional processing requirements. Processing of children’s special personal information and personal information necessitates additional controls.
We have discussed some of the practical examples that very large trusts will face in complying with POPIA. POPIA does provide guidelines on obtaining exemptions from the Act, but the threshold is high (e.g. public interest) and seeking it may not be a practical option.
Under POPIA, the responsible party must determine, firstly, what the justification is for collecting the information. Has the trust made it clear to the beneficiaries that their information is being collected and held? Is there an agreement in place with the verification agencies on the processing of this information?
Normally, there would not be a direct relationship between the B-BBEE verification agency and the trust. The relationship is normally between the Measured Entity that has to complete the B-BBEE scorecard and the B-BBEE verification agency, with the Measured Entity being responsible for providing the agency with the information it requires.
POPIA also provides that information may not be kept for longer than it is needed, unless justified. B-BBEE verification is annual, so the verification agency should not need to keep the personal information of data subjects after the audit has been completed. However, there may be legal grounds to justify continued retention under POPIA. All parties to the B-BBEE verification should ensure that they retain records of personal information in a manner that complies with POPIA.
In future, it will be necessary to include a standard POPIA clause in all agreements between Measured Entities and their ultimate shareholders, who may be collective schemes such as BBOS or ESOPs, and between the Measured Entities and their B-BBEE verification agencies. Employees or other beneficiaries of these collective schemes should sign an agreement consenting to the use of their personal details for verification purposes, if this clause is not already in place.