Do not be confused
The Protection of Personal Information (POPI) Bill, the proposed data protection law, and the Protection of State Information Act, or the so-called Secrecy Act, should not be confused, as we are referring to two different sets of regulation.
POPI is intended to protect personal information from processing without consent by public and private bodies; the latter is to provide for the protection of sensitive state information… two very different things.
Broad application
POPI is extremely broad in its application, covering the processing of all kinds of personal information, with processing ranging from collection, receiving, recording, organising, collating, storage, updating, modification, retrieving and alteration to the consultation or use of personal information.
Personal information is very broadly defined. While it primarily concerns information relating to an identifiable, living, natural person, it also applies to an identifiable, existing, juristic person. Personal information ranges from information relating to a person’s race, gender, sex and age, through to their educational, medical, financial, criminal and employment history. It also includes personal opinions, views or preferences, and correspondence sent by the person implicitly or explicitly of a private or confidential nature.
That means that POPI will affect not only how insurers deal with their clients, but how they deal with service providers of all kinds, including brokers and binder holders, loss adjusters, administrators, reinsurers and other service providers, and of course their employees.
Exposure to breach
Ensuring efficient and working systems to protect the confidentiality of personal information is essential, because POPI will create significant civil and criminal law exposure where there are breaches.
A civil remedy is provided to the person whose data privacy, as contemplated by POPI, is breached, whether or not there is intent or negligence on the part of the responsible party.
A limited number of defences to such claims are provided based on Acts of God, consent, fault on the part of the data subject, that compliance is not reasonably practicable in the circumstances of the particular case, or when an exemption is granted under POPI.
POPI also provides that the information regulator, created by the Bill, may institute civil action for damages at the request of the party whose privacy is breached. This creates the opportunity for the regulator to act as a form of legal assistance. It acknowledges that individuals whose rights have been breached may not have the means to institute civil litigation, both financially and from a general resource perspective.
That mechanism, together with the recent development of class action litigation in South Africa, creates a significant new exposure both for responsible parties in their own right and for insurers who provide liability indemnity to their insureds.
Financial recourse
A court may award an amount that is just and equitable, including damages for both patrimonial and non-patrimonial losses suffered as a result of breach of provisions of the Bill, interest, costs and also aggravated damages. Aggravated damages, although not defined clearly, allow for the introduction of punitive damages.
Contraventions of certain provisions of the law will be a criminal offence, rendering the offender liable to a fine or imprisonment not exceeding ten years or both a fine and imprisonment. There is also provision for the application of administrative fines not exceeding R10 million for certain breaches.
The insurance chain
All parties in the insurance chain should consider and review their exposure under the law to civil, criminal and administrative liability and implement the necessary precautionary measures. Insurers, in particular, should review their liability wordings, and subject to questions of risk appetite and intention, consider appropriate amendments to both operative clauses and exclusions.
Proposal forms, policy documents and claim forms need to contain appropriate consents which must be the voluntary, specific and informed expression in terms of which permission is given for the processing of personal information.