POPI and Insurance

01 November 2012 Christine Rodrigues, Norton Rose SA

The Protection of Personal Information Bill (POPI) is in its final draft. It affects the insurance industry because the business of providing policy benefits to consumers relies heavily on personal information. What can insurers and intermediaries expect when the legislation goes live?

POPI codifies much of what is contained in the common law. The purpose of POPI is to ensure that personal information is processed for legitimate reasons and that its use does not infringe a person’s rights to privacy.

Getting the customers’ permission

In practice, consumers tacitly consent, when they provide personal information to insurers, to that information being used for underwriting purposes. POPI allows the collection of personal information only if the information is used for a legitimate reason and consent is obtained.

Insurers would be well-advised to amend applications for insurance to explicitly mention that the information provided by the person will be used for underwriting purposes and also require the customer to give consent to such use. The consent must extend to binder holders and outsource service providers as they will also use the information.

Where the application for insurance is through an intermediary, the intermediary will need to ensure it obtains the consent of the consumer. The intermediary must also ensure that the consumer consents to the information being transferred to the insurer and to any other third party that uses it because the insurer has outsourced specific functions to that party.

Fine-tuning systems

Insurance companies should already have adequate systems in place to protect the personal information given to them. They will most likely need to beef up existing security measures because the cost of processing personal information requires strict measures to be in place to prevent any unauthorised person gaining access to it.

The information given to the intermediary may only be used for the purpose for which it was provided. The intermediary may not provide or sell the information to a third party. For example, the information can be provided to insurers for the purpose of obtaining an insurance quote. But the information cannot be used for marketing purposes and the sale of other insurance policies unless the person is aware of this and has provided consent.

The requirements for compliance with POPI are the same for both the intermediary and the insurer. If a complaint is lodged against the intermediary for unlawful use of personal information, the intermediary will need to show that consent was given by the insured. If the intermediary cannot prove that consent was given, it will be in contravention of POPI.

Direct marketers beware

Insurers conducting outbound direct marketing will need to ensure any personal information they buy from a third party is compliant with POPI. Unsolicited communication is not permitted! A customer must have consented to have his or her information sold to suppliers.

Operators of marketing directories (personal information databases) used for direct marketing purposes need to ensure a person is made aware that their personal information will be added to the directory and for what purpose the information will be used. Again, consent for this must be given by the individual.

Compliance costs will increase for insurance companies and intermediaries as they will need to ensure that the channels they obtain personal information from comply with POPI. If they do not, they face the risk of being in breach of POPI themselves.

POPI rights and obligations

The insurer and intermediary will be required to appoint an information officer, who must ensure there is compliance with POPI. Insurers and intermediaries will also need to become acquainted with the complaints process with the regulator. This is important because the regulator can seize information that is alleged to have been illegally processed.

Administrative fines can be as much as R10 million. The complainant, or the Regulator at the request of the complainant, can also institute a civil action for damages against the insurer or intermediary. Insurers and intermediaries will have one year from the commencement of POPI to ensure they comply with its requirements.
