
Unlocking the POPI-code

02 February 2015 | Magazine Archives FAnews & FAnuus | Short Term | Catherine Berry, Camargue

The Protection of Personal Information (POPI) Act seeks to regulate every aspect of the processing of personal information, and to promote transparency regarding the collection and processing of such information.

The impact of this legislation is far-reaching, and it will affect insurers, insurance brokers and loss adjusters significantly. Familiarity with POPI is fundamental to delivering a professional insurance service, and the industry must make a resolute effort to skill up on the matter.

The buck stops here

A responsible party is a person or body - public or private - who determines the purpose of, and the means for, the processing of personal information. An organisation remains responsible for personal information in its possession or under its control, including information it has handed to service providers for processing.

Given the above, a contract (POPI requires a written one) should be used to secure a comparable level of protection while the information is being processed by a third-party processor, known in POPI as an "operator". The contract should oblige the operator to establish and maintain the security measures that the responsible party itself has adopted.

Further, when personal information is transferred for processing - whether domestically or across a border - the individual's consent should be obtained, and due diligence exercised to confirm that the recipient protects the information to a consistent standard.

A responsible party must secure the integrity and confidentiality of any personal information in its possession by implementing appropriate, reasonable technical and organisational measures to prevent loss of, damage to, and unauthorised or unlawful access to that information.

The data subject must be informed of the purpose of the collection, and the responsible party bears the burden of proving that the data subject has given consent.

Personal information may only be collected for a lawful, specific, explicitly defined purpose relating to the function or activity of the responsible party collecting the information.

Subject’s rights

The data subject has the right to request confirmation of whether or not the responsible party holds personal information about him or her. The data subject may also request the record, or a description of the personal information being held, together with the identity of all third parties who have had access to it.

The data subject may also request a responsible party to correct or delete personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully. In addition, the data subject may request that information which the responsible party is no longer authorised to retain be deleted or destroyed.

Breaching protocol

A responsible party must notify the Information Regulator and the data subject where there are reasonable grounds to believe that the personal information of the data subject has been accessed or acquired by an unauthorised person. The notification must provide sufficient information to allow the data subject to mitigate the potential consequences of the breach, including a description of the possible consequences of the compromise; a description of the measures that the responsible party intends to take to address the compromise; a recommendation of measures to be taken by the data subject; and, if known to the responsible party, the identity of the unauthorised person who accessed the personal information.

Offences created by POPI include:

• hindering, obstructing or unlawfully influencing the Information Regulator;
• failure to comply with the terms of an enforcement notice (or summons);
• obstruction of the execution of a search and seizure warrant;
• a serious or persistent failure to comply with the conditions for lawful processing of personal information in the case of an account number of a data subject.

Pay the price for non-compliance

Non-compliance not only opens the door to a civil suit for patrimonial and non-patrimonial damages for interference with personal information, brought by the data subject or by the Regulator at the data subject's request, whether or not there was intent, but also exposes the responsible party to an administrative penalty and, for the offences listed above, to imprisonment.
