The Protection of Personal Information Act – new responsibilities for insurers

17 March 2021 Sandra Sithole, Partner in Dispute Resolution at Webber Wentzel
Insurance companies have until 30 June 2021 to ensure that their business operations comply with the Protection of Personal Information Act, 2013 (POPI Act), or they could face penalties imposed by the Information Regulator.

The Act gives effect to the Constitutional right to privacy. It safeguards the personal information of individuals or companies (data subjects) that is processed by public and private bodies (responsible parties).

As a matter of priority, insurance companies must appoint an Information Officer who must register with the Information Regulator by 30 June 2021. The Information Officer must deal with requests made to the company under the Act and will generally be responsible for the company's compliance. The function of Information Officer can be delegated to anyone in a company, such as a compliance or legal officer.

As responsible parties, insurers will need to obtain the consent of the insured to use their personal information at the stage when the contract or policy is entered into. Personal information is wide and varied and includes the race, gender, sex, marital status, national, ethnic or social origin and age of the insured. It also includes information relating to the insured's physical or mental health, for example where the insurer is providing medical and personal injury cover. For business policies, personal information includes the financial information and claims history of commercial policyholders.

Notably, consent to use of an insured's personal information is not required at claims processing stage, since the insurer will have the right to use that information to implement the policy. This is because the Act allows the insurer to process information necessary for the performance of a policy, or necessary to pursue the legitimate interests of the insurer or of the insured.

Where information is collected for any use that requires consent, responsible parties must take steps to ensure that data subjects are made aware of the identity of the insurer as the responsible party, what information is being collected, what the information is being used for and who the recipients will be. Insurers are already complying with some of these requirements under the disclosure obligations of the Financial Advisory and Intermediary Services Act (FAIS).

The insurer, as the responsible party, must grant authority to its third-party service providers, such as binder holders, loss adjusters or brokers, to process the personal information of the insured parties.

The biggest exposure under the POPI Act arises from the duty to secure personal information. The Act requires businesses to take reasonable measures to prevent the loss of, damage to, or unauthorised destruction of personal information in their possession. Insurance companies must ensure that they, and any third party who processes personal information on their behalf, establish and maintain the security measures required by the Act.

Insurers must assess their own security risks and satisfy themselves that any service providers who process information on their behalf have considered and implemented adequate security safeguards, including secure, up-to-date and well-protected data protection systems.

Those who engage in direct marketing in advertising and selling their insurance products will have to comply with the direct marketing provisions of the Act. Direct marketing is prohibited unless the data subject has given consent. A data subject must be given the opportunity to object to the use of their contact details for direct marketing purposes and may request that marketing communications cease. This is in line with the direct marketing provisions of the Consumer Protection Act, 2008.

Restrictions are placed on the cross-border transfer of personal information out of and into South Africa. Cross-border transfers of information are subject to various conditions, including the requirement of consent or contractual necessity. The person receiving the data offshore must be subject to laws specifying an adequate level of data protection that is no less than that provided in the country of origin of the information.

Insurers and their service providers must be mindful of the data protection laws in both countries when investigating claims outside South Africa. Data collected and sent to, for instance, the UK or the EU will be sufficiently protected. The POPI Act ensures sufficient compliance with international standards and must be applied by insurers and their service providers to personal information sourced from abroad.

Information may not be retained longer than is necessary to fulfil the original purpose for collection, except where the insured consents or where the retention of the records is required by law.

Personal information must be destroyed, or at least de-identified, as soon as practicable once the purpose for which it was collected is fulfilled and the responsible party is no longer authorised to retain the record. For example, once a claim has been investigated and the report submitted, it may still be necessary to keep the information because litigation may arise. However, once a claim is settled and the file is closed, there is no longer a need for the information and it should be destroyed after a reasonable time, having regard to the nature of the claim, prescription laws and data retention laws. The insurance company must also comply with the FAIS provisions relating to the retention of records.

Breaching the POPI Act creates significant civil and criminal law exposure. Having effective working systems to protect the confidentiality of personal information is therefore essential if insurance companies and their service providers are not to fall foul of this new data protection law.
