In the not too distant future, insurers and intermediaries will need to comply with the Protection of Personal Information Act (POPIA) once the effective date is announced by the Information Regulator, Pansy Tlakula. At the recently held 3rd Annual Protection of Personal Information Conference, hosted by the Intelligence Transfer Centre, Lynelle Bagwandeen, Group Company Secretary and General Counsel at Netcare Limited, unpacked the eight pillars of POPIA compliance. The pillars are extensive, so we cover the first four in this newsletter and the final four in a follow-up newsletter.
Accountability
King IV expressly places responsibility for information governance with the Board, which may delegate the day-to-day management and securing of information to senior management. The Board must ensure appropriate information management, information security and information privacy. King IV treats these three as essential elements of information governance, and expects organisations to establish governance measures that cover all of them.
“The action that is required is that insurers need to establish a compliance plan to ensure adherence, accompanied by a gap analysis, a training plan for the organisation, and an assessment of levels of adherence,” said Bagwandeen.
Processing limitation
Pillar two of POPIA compliance requires that insurers process personal information lawfully and in a reasonable manner that does not infringe the privacy of the client.
Further, personal information may only be processed for a purpose, and only to the extent that the processing is adequate, relevant and not excessive for that purpose. For an intermediary this may be limited to the financial needs analysis meeting and will, in many cases, exclude cold calling for marketing purposes.
Consent needs to be given by the client, unless another lawful ground applies. Personal information may only be processed if:
- the client has consented to the processing;
- the processing is necessary for a contract to which the client is a party;
- the processing is required by a legal obligation or for compliance with the law; or
- the processing protects a legitimate interest of the data subject.
Where processing relies on consent, the client must be given assurance that:
- consent can be withdrawn at any time;
- the client may, at any time, object to the processing of their information where it amounts to, or resembles, direct marketing; and
- in the event of an objection or a withdrawal of consent, processing of that information must stop.
It is also important to note that the intermediary does have some room to act here. If a client says that they do not want to provide you with information (or that they do not want their information to be processed by the insurer), you can agree to this request, but you should point out that taking this stance has consequences: the client risks non-disclosure and an improper risk rating.
“The action required in this pillar is simple. Develop an iron-clad consent clause, establish a code of conduct for the management of confidential information, establish a good privacy policy, and insurers need to obtain additional consent for information stored outside of South Africa,” said Bagwandeen.
Purpose specification
Pillar three of POPIA compliance requires that personal information be collected for a specific, explicitly defined and lawful purpose.
In addition, clients must be made aware of the purpose of the information gathering (in the intermediary's case, the financial needs analysis). The retention and restriction of records is also covered by this condition.
Records of personal information must not be retained for longer than is necessary to achieve the purpose for which the information was collected or subsequently processed, unless a longer period is prescribed by other legislation. Beyond that, records may be kept where retention is reasonably required for a lawful purpose connected to the insurer's business (risk rating and premium calculation) or is required by the contract between the parties.
Retention for historical or statistical purposes needs the client's consent, and the insurer must give assurance that adequate safeguards are in place for the retained records. Further, clients must have the right to request access to their information, and the insurer must see to the appropriate destruction of historical records once they are no longer needed.
Further processing limitation
Pillar four of POPIA compliance points out that the further processing of information must be compatible with the purpose of its collection. To assess compatibility, the responsible party needs to consider:
- the original purpose of the collection of information and the purpose of additional processing of this information;
- the consequences of the additional processing on the client; and
- the manner in which information was collected and any contractual rights between the parties.
In practice, this prevents information collected for one purpose from being sold on or repurposed for an unrelated one.
“This can be avoided in the additional processing if it is consented to, if the original information is derived from a public record, and if further processing is necessary in terms of the application of collection for legal prosecution (SARS, interests of national security). It can also be avoided if the further processing of information is necessary to save a life or an emergency situation arises, and additional processing is needed for research or statistical purposes and it is used or published in an unidentifiable manner,” said Bagwandeen.
Editor’s Thoughts:
It seems that in the future, insurers and intermediaries will need to go through every interaction with clients with a fine-tooth comb. They will also need to be well versed in legal matters. Please keep an eye out for the newsletter discussing the second part of this issue. Please comment below, interact with us on Twitter at @fanews_online or email me your thoughts at jonathan@fanews.co.za.