Befriending the legislative monster
FAnews recently published a newsletter which provided a detailed description about what insurers and intermediaries will need to do to ensure compliance with the first four pillars of the Protection of Private Information Act (POPIA).
The first four pillars discussed the handling and processing of information in the initial stages of the client engagement. The final four pillars deal with the processing of information at the end of its lifecycle.
Information quality
Lynelle Bagwandeen, Group Company Secretary and General Counsel at Netcare Limited, pointed out at the 3rd Annual POPI Conference – which was hosted by the Intelligence Transfer Centre – that the quality of gathered information requires the responsible party to ensure that personal information is complete, accurate, not misleading, and updated where necessary.
“When approaching quality maintenance, the reason why personal information is collected or further processed must be referenced. What does this mean? This is an administrative burden because, in addition to safeguards, the onus on retaining accurate information is on the insurer and a policy needs to be developed to check with the client to ensure ongoing accuracy. Further, the insurer can also engage with the client on further processing and the obligation to update information can be done through prompts,” said Bagwandeen.
What action will insurers and intermediaries be required to take? Bagwandeen added that insurers will have to assess existing information to determine if refining the quality of the information is essential.
Further, insurers will have to delete unnecessary information, engage with clients, and review their information governance structures in terms of King IV.
Openness
Pillar six of POPIA compliance deals with openness. In this pillar, it is essential that documentation of all processing operations is maintained and made accessible, in terms of the Promotion of Access to Information Act (PAIA), through a publicly available manual. This is governed by Section 14 and Section 51 of the PAIA.
"If personal information is collected, reasonable steps should be taken to ensure the client is aware of the information being collected and the source of information, details of the party collecting information (insurer or party acting on behalf of an insurer), the purpose for the collection of the information, and whether supplying this information is mandatory or voluntary. Further, the insurer needs to inform the client that there will be consequences related to the failure to provide information, and there may be laws prescribing the collection of information.
“In addition, if the information will be shared, the client needs to know. This is especially important if an insurer writes business in Africa and the information is processed and refined in South Africa. Key protection needs to be offered to clients whose information travels across borders.
“Additional information should be included to outline recipients of information, the rights to object to information collection, as well as the right to access the services of, and the details of, Pansy Tlakula, the Information Regulator,” said Bagwandeen.
Security safeguards
POPIA compliance Pillar Seven deals with security safeguards.
Bagwandeen points out that, to ensure the security, integrity and confidentiality of personal information, insurers need to implement a few key security measures.
This includes taking appropriate, reasonable technical and organisational measures to:
- prevent the loss of information;
- prevent information being damaged;
- prevent the unauthorised destruction of information; and
- prevent the unlawful accessing of personal information.
“To comply with this, it is necessary for the insurer to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control. Further, the insurer must establish and maintain appropriate safeguards against the risks that it has identified,” said Bagwandeen.
In addition, the insurer needs to regularly verify that the information safeguards are effectively implemented, and the insurer needs to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
“Finally, the insurer must implement a best practice methodology,” said Bagwandeen.
The notification of a breach of personal information is vitally important. If the insurer believes there has been a breach, it needs to:
- notify the Information Regulator;
- notify the client if the client’s identity is known;
- send out a notice of the breach as soon as possible, through email or any other relevant publication;
- identify the party who committed the breach; and
- point out any mitigating security actions that will follow the breach.
Data subject participation
While it is the shortest of the pillars in terms of action to be taken, client participation is what POPIA compliance hinges on.
Bagwandeen points out that the client has the right to confirm why the information is being gathered and what type of personal information will be held. "Additionally, the client has the right to request the identity of all third parties who have, or have had, access to the information. This can be done at a fee and within a reasonable period of time," said Bagwandeen.
She added that the provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
Editor’s Thoughts:
The role of the insurer when it comes to POPIA compliance will be extensive. Do insurers have the necessary systems in place to ensure compliance? Please comment below, interact with us on Twitter at @fanews_online, or email me your thoughts at jonathan@fanews.co.za.