POPI and Insurance
01 November 2012
Christine Rodrigues, Norton Rose SA
The Protection of Personal Information Bill (POPI) is in its final draft. It affects the insurance industry because the business of providing policy benefits to consumers relies heavily on personal information. What can insurers and intermediaries expect when the legislation goes live?
POPI codifies much of what is contained in the common law. The purpose of POPI is to ensure that personal information is processed for legitimate reasons and that its use does not infringe a person’s right to privacy.
Getting the customers’ permission
In practice, consumers tacitly consent that when they provide personal information to insurers, the information is used for underwriting purposes. POPI allows the collection of personal information only if the information is used for a legitimate reason and consent is obtained.
Insurers would be well-advised to amend applications for insurance to explicitly mention that the information provided by the person will be used for underwriting purposes and also require the customer to give consent to such use. The consent must extend to binder holders and outsource service providers as they will also use the information.
Where the application for insurance is through an intermediary, the intermediary will need to ensure it obtains the consent of the consumer. The intermediary must also ensure that the consumer consents to the information being transferred to the insurer and to any other third party that uses it because the insurer has outsourced specific functions to that party.
Fine-tuning systems
Insurance companies should already have adequate systems in place to protect the personal information given to them. They will most likely need to beef up existing security measures because the cost of processing personal information requires strict measures to be in place to prevent any unauthorised person gaining access to it.
The information given to the intermediary may only be used for the purpose for which it was provided. The intermediary may not provide or sell the information to a third party. For example, the information can be provided to insurers in order to obtain an insurance quote. But the information cannot be used for marketing purposes and the sale of other insurance policies unless the person is aware of this and has provided consent.
The requirements for compliance with POPI are the same for both the intermediary and the insurer. If a complaint is lodged against the intermediary for unlawful use of the personal information, the intermediary will need to show that consent was given by the insured. If the intermediary cannot prove that consent was given, it will be in contravention of POPI.
Direct marketers beware
Insurers conducting outbound direct marketing will need to ensure any personal information they buy from a third party is compliant with POPI. Unsolicited communication is not permitted! A customer must have consented to have his or her information sold to suppliers.
Marketing directories (personal information databases) used for direct marketing purposes need to ensure a person is made aware that their personal information will be added to the directory and for what purpose the information will be used. Again, consent for this must be given by the individual.
Compliance costs will increase for insurance companies and intermediaries as they will need to ensure that the channels they obtain personal information from comply with POPI. If they do not, they face the risk of being in breach of POPI themselves.
POPI rights and obligations
Insurers and intermediaries will be required to appoint an information officer, who must ensure there is compliance with POPI. Insurers and intermediaries will also need to become acquainted with the process for complaints to the regulator. This is important because the regulator can seize information that is alleged to have been illegally processed.
Administrative fines can be as much as R10 million. The complainant, or the regulator at the request of the complainant, can also institute a civil action for damages against the insurer or intermediary. Insurers and intermediaries will have one year from the commencement of POPI to ensure they comply with its requirements.