Do not be confused

01 November 2013 Donald Dinnie, Norton Rose Fulbright

The Protection of Personal Information (POPI) Bill, the proposed data protection law, and the Protection of State Information Act, or the so-called Secrecy Act, should not be confused, as we are referring to two different sets of regulation.

POPI is intended to protect personal information from processing without consent by public and private bodies, the latter is to provide for the protection of sensitive state information… two very different things.

Broad application

POPI is extremely broad in its application, covering the processing of all kinds of personal information which ranges from: collection, receiving, recording, organising, collating and storage updating, modification, retrieving, alteration and the consultation or use of personal information.

Personal information is very broadly defined. While it is primarily related to information relating to an identifiable living natural person, it is also applicable to an identifiable, existing, juristic person. Personal information ranges from information relating to a person’s race, gender, sex and age, through to their educational, medical, financial, criminal and employment history. It also includes personal opinions, views or preferences, and correspondence sent by the person implicitly or explicitly of a private or confidential nature.

That means that POPI will affect not only how insurers deal with their clients, but how they deal with service providers of all kinds, including brokers and binder holders, loss adjusters, administrators, reinsurers and other service providers, and of course their employees.

Exposure to breach

Ensuring efficient and working systems to protect the confidentiality of personal information is essential, because POPI will create significant civil and criminal law exposure where there are breaches.

A civil remedy is provided to the person whose data privacy, as contemplated by POPI, is breached, whether or not there is intent or negligence on the part of the responsible party.

A limited number of defences to such claims are provided based on Acts of God, consent, fault on the part of the data subject, that compliance is not reasonably practicable in the circumstances of the particular case, or when an exemption is granted under POPI.

POPI also provides that the information regulator, created by the Bill, may institute civil action for damages at the request of the party whose privacy is breached. This creates the opportunity for the regulator to act as a form of legal assistance. It acknowledges that individuals whose rights have been breached, may not have the means to institute civil litigation, both financially and from a general resource perspective.

That mechanism, together with the recent development of class action litigation in South Africa creates a significant new exposure both for responsible parties in their own right, and insurers who provide liability indemnity to their insureds.

Financial recourse

A court may award an amount that is just and equitable, including damages for both patrimonial and non-patrimonial losses suffered as a result of breach of provisions of the Bill, interest, costs and also aggravated damages. Aggravated damages, although not defined clearly, allows for the introduction of punitive damages.

Contraventions of certain provisions of the law will be a criminal offence, rendering the offender liable to a fine or imprisonment not exceeding ten years or both a fine and imprisonment. There is also provision for the application of administrative fines not exceeding R10million for certain breaches.

The insurance chain

All parties in the insurance chain should consider and review their exposure under the law to civil, criminal and administrative liability and implement the necessary precautionary measures. Insurers, in particular, should review their liability wordings, and subject to questions of risk appetite and intention, consider appropriate amendments to both operative clauses and exclusions.

Proposal forms, policy documents and claim forms need to contain appropriate consents which must be the voluntary, specific and informed expression in terms of which permission is given for the processing of personal information.
Quick Polls


How confident are you that insurers treat policyholders fairly, according to the Treating Customers Fairly (TCF) principles?


Very confident, insurers prioritise fair treatment
Somewhat confident, but improvements are needed
Not confident, there are significant issues with fair treatment
fanews magazine
FAnews June 2024 Get the latest issue of FAnews

This month's headlines

Understanding prescription in claims for professional negligence
Climate change… the single biggest risk facing insurers
Insuring the unpredictable: 2024 global election risks
Financial advice crucial as clients’ Life policy premiums rise sharply
Guiding clients through the Two-Pot Retirement System
There is diversification, and true diversification – choose wisely
Decoding the shift in investment patterns
Subscribe now