The impact of POPI on data collection
01 April 2013
Yurika Pistorius, Centriq Insurance
Aimed at protecting every South African citizen’s constitutional right to privacy, the Protection of Personal Information Bill (POPI), now in final draft, allows for the collection of a consumer’s personal information if (a) the consumer has given consent for the information to be obtained and (b) the consumer’s personal information is used by a legitimate public or private person or entity for a legitimate reason.
POPI stipulates that:
• A consumer’s personal information (a) may only be used for the purpose for which it was obtained, and (b) may only be retained for the period necessary to achieve that purpose;
• Reasonable steps must be taken to ensure that the consumer is aware of the purpose for which their personal information is being used; and
• The consumer may, free of charge, request a party to (a) confirm whether it holds information about the consumer; (b) describe the type of information it has; (c) reveal the identity and categories of all third parties who have, or have had, access to their information; and (d) correct, delete or destroy the personal information in the party’s possession or under its control if the information was obtained unlawfully, has served the purpose it was obtained for, or is inaccurate, irrelevant, excessive or misleading.
"Affected parties would have to implement appropriate security measures to protect personal information against unauthorised use or disclosure, accidental loss, destruction or damage,” says Yurika Pistorius, executive head of legal and compliance at Centriq Insurance.
"Policies, practices, procedures and IT systems also need to be developed and/or enhanced for insurers and their agents to comply,” she says. This includes, for example, amending insurance applications to state explicitly the purpose for which consumer information will be used (e.g. quoting, underwriting and/or future insurance sales purposes).
"Consumer consent must extend to binder holders and outsourced service providers as well, seeing that these parties will also use the information (e.g. for processing purposes),” she says.
Where intermediaries come in
Where insurers use intermediaries to sell policies, and the application for insurance is made through an intermediary, the intermediary would need to obtain the consumer’s consent.
"The intermediary must also ensure that the consumer consents to the information being transferred to the insurer and any other third parties involved,” says Pistorius.
POPI compliance requirements are the same for both intermediary and insurer. "If a consumer complaint is lodged against an intermediary for unlawful use of personal information, the intermediary would need to prove that consent was given by the insured to the intermediary, for the intermediary to have used the insured’s personal information. Failure to do so will be in contravention of POPI,” she says.
Insurers and intermediaries would need to appoint an information officer to ensure compliance. "They also need to familiarise themselves with the regulator’s complaints process because the regulator can seize allegedly illegally processed information,” she says.
Compliance costs will increase for insurance companies and their agents as they will need to ensure that the distribution channels they obtain personal information from comply with POPI.
Enforcement and penalties
Affected parties must comply within one year of the commencement of POPI. The regulator has extensive investigative powers, including the right to apply to court for a warrant to enter and search premises.
"Consumers, or the regulator on behalf of the consumer, may institute a claim for damages in certain circumstances, irrespective of whether there is intent or negligence involved,” explains Pistorius.
The regulator has the power to issue enforcement notices for certain breaches of the Bill, and failure to comply is a criminal offence.
"On conviction of an offence under the Bill, a person is liable to a fine and/or up to 12 months’ imprisonment, except if the offences relate to obstructing the regulator, in which case the person is liable to a fine and/or up to 10 years’ imprisonment. An administrative fine of up to R10m may be imposed in certain instances,” she adds.