POPI bill to significantly impact the financial services industry
Since the dawn of the new millennium, it is evident that the world has changed. Technology has been a major driver of this, and while the changes effected by technology at the start of the millennium were significant, indications are that this impact will grow going forward. But while this has had a positive impact on society, in that it made connectivity so much easier, recent events have highlighted the danger of an over-reliance on technology. This has prompted many countries to introduce comprehensive pieces of legislation that protect the privacy of their citizens' information.
South Africa moving forward
Following the lead of the US, the UK, France and Brazil, South Africa has been working hard on its own Protection of Personal Information (POPI) bill. This was brought before parliament last week and was sent back for changes to its wording before it is signed into law.
While this bill looks set to improve the lives of South Africans, it will have an impact on the financial services industry.
POPI provides the regulatory framework within which organisations may process personal information and seeks to give individuals control over how their personal information is used or disclosed. The bill defines personal information as all information relating to an identifiable, living person and, where applicable, an existing juristic person.
Lize de la Harpe, Legal Adviser at Glacier by Sanlam, points out that the definition of processing is drafted widely enough to cover any operation or activity, or any set of operations, whether or not by automatic means, concerning personal information, including the collection, receipt, collation, storage, updating and use of the information.
De la Harpe adds that there are eight specific areas which the bill covers:
1. Accountability
The responsible party (being the party that determines the purpose of and means for processing) must ensure that the conditions for processing are complied with at all times.
2. Processing limitation
Processing must be lawful, done in a reasonable manner that does not infringe the privacy of the data subject, and must not be excessive. Processing may only take place with the consent of the data subject, subject to certain exceptions (for example, where processing is necessary to carry out actions for the conclusion or performance of a contract to which the data subject is a party, where it complies with an obligation placed on the responsible party by law, or where it protects a legitimate interest of the data subject). Personal information must be collected directly from the data subject, with certain exceptions.
3. Purpose specification
Collection must be for a specific purpose and records may not be kept for any longer than is necessary for achieving the purpose for which it was collected or subsequently processed, subject to certain exceptions (for example if it is required or authorised by law or the data subject has consented).
4. Further processing limitation
Further processing must be compatible with the purpose of collection, taking into account, amongst others, the nature of the information, the consequences for the data subject and the manner in which the information was collected.
5. Information quality
The responsible party must take reasonably practicable steps to ensure that the personal information is complete, accurate, not misleading and updated where necessary.
6. Openness
A responsible party must maintain documentation of all processing operations. When personal information is collected, the responsible party must (subject to exceptions) take reasonably practicable steps to ensure that the data subject is aware of, inter alia, the information being collected, the source, the purpose of the collection and the rights of the data subject.
7. Security safeguards
Reasonable measures must be taken to identify all foreseeable internal and external risks, establish and maintain appropriate safeguards against these risks, regularly verify that the safeguards are effectively implemented and ensure they are continually updated. The responsible party must notify the Information Regulator and the data subject when the personal information of a data subject has been accessed or acquired by any unauthorised person.
8. Data subject participation
The data subject has a right to request a responsible party to confirm whether or not it holds personal information about the data subject (free of charge), to request the record or a description of the personal information held, as well as the identity of third parties who have access to the information. The data subject also has the right to request the correction or deletion of personal information which is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully.
Industry impact
While many people feel that this legislation is long overdue, it will have a significant impact on the insurance industry.
"Companies will need to do significant gap analysis programmes whereby they assess the information that they have already collected and measure it up to whether they comply with the eight areas governed by legislation. You basically need to ask what information you collect, for what purpose the information is being collected, and how the information will be kept. The processing of the information is also a significant area of concern for companies as they will need to get consent from the client in most cases," says De la Harpe.
Companies will also need to be very clear as to what constitutes material information. Material information is information that is necessary for establishing a policy and its premiums. For example, knowing whether a person is a smoker is material when calculating the premiums and exclusions of a life policy. In such an instance, a broker or adviser would need to be able to justify why the information is material.
But perhaps the biggest concern is the implementation of compliant systems and processes. "Indications are that companies which have not already started implementing systems and processes which would make them compliant will take between two and three years to achieve this. This will put them in a tough situation as the act states that companies will only have a year to comply," says De la Harpe.
The legislation will apply to both public and private bodies, including retirement funds and administrators. There will be a transitional period of one year, after which full compliance with the legislation will be required.
Editor’s Thoughts:
The bill aims to protect the public against direct marketing activities which come off the back of giving your information to an insurance company. While this is good news for the public, and a move which is long overdue, it will have an effect on the ability of companies within the industry to sell additional products which may complement the cover that has been taken out. Of concern is the fact that it will take between two and three years for the majority of companies in the industry to implement this, although the bill only allows a year to comply. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at jonathan@fanews.co.za.