Compliance with the Protection of Personal Information Bill, and particularly the conditions for lawful processing of personal information, will have a significant impact on the EB industry.
The Protection of Personal Information Bill applies to the processing of personal information entered into a record by or for a responsible party, whether the processing is carried out by automated or non-automated means. The purpose of the Bill is to promote the protection of personal information processed by public and private bodies. The Bill also aims to introduce information protection principles that establish minimum requirements for the processing of personal information, and to provide for the issuing of codes of conduct.
In the EB industry
Employee benefits administrators receive the following information in respect of employees who are members of retirement funds or from beneficiaries in the event of death of the member:
• employee name and surname;
• employee identity number;
• a copy of the identity document at claim stage;
• medical records (for underwriting, disability claims, medical reports and decisions);
• death, disability and assistance with business claim records;
• contributions received and invested on behalf of retirement fund members;
• annuity payment records (banking details and address details); and
• copies of correspondence between the member and the fund.
Because it determines the purpose and means of processing this information, an administrator is regarded as a responsible party under the Bill.
Processing personal information
Administrators also process the personal information of data subjects, in other words the members and their beneficiaries.
The processing of personal information may only occur if:
• there is consent from the data subject;
• it is necessary to execute a contract to which the data subject is a party;
• an obligation to process is imposed by law;
• it will protect a legitimate interest of the data subject; or
• it is necessary for the proper performance of a public duty, or for the pursuance of the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Lawful purpose
The purpose for which information is collected should be specific, explicitly defined and lawful, which means that it must relate to a function or activity of the responsible party. Administrators therefore also need to ensure that the member is made aware of the purpose for which the information is collected, at the time it is collected.
HR issues
The administrator's staff need to be aware of the Bill. In order to ensure compliance, an administrator would need to review the manner in which personal information is collected, the storage and safeguarding of that information, a member's access to that personal information, and the destruction of the personal information once the purpose for which it was collected has been achieved or the statutory prescribed period for the retention of business-related records has passed.
Staff need to be aware:
• to work on a 'clear desk' basis, securely storing hard-copy personal information when it is not being used;
• that visitors should be signed in and out of the premises, and accompanied in areas normally restricted to staff;
• to position computer screens away from windows and public areas to prevent accidental disclosure of personal information; and
• to encrypt personal information that is taken out of the office if its loss or theft would cause damage or distress to the data subject.
The risk of laptops
Traditionally, the most important issue around the loss or theft of a laptop has been that the company needs to replace an asset. The Bill adds another important dimension: the question of whether any personal information that might have been stored on the laptop was secured, for example by encryption, so that the loss of the device did not also amount to a disclosure of members' personal information.