Insurance companies have until 30 June 2021 to ensure that their business operations comply with the Protection of Personal Information Act, 2013 (POPI Act), or they risk facing penalties by the Information Regulator.
The Act, which came into full force on 1 July 2020, gives effect to the Constitutional right to privacy by safeguarding the personal information of individuals and, where appropriate, juristic persons such as companies (called data subjects) that is processed by public and private bodies (called responsible parties).
Insurers will need to comply with the various obligations imposed on responsible parties because the Act will affect how insurers and their service providers such as brokers, loss adjusters and binder holders deal with the personal information of insured parties.
As a matter of priority, insurance companies must appoint an Information Officer who is required to register with the Information Regulator by 30 June 2021. The Information Officer must deal with requests made to the company under the Act and will generally be responsible for the company's compliance with the Act. Whilst the Act defines an Information Officer as the head of a private body such as a Chief Executive Officer or equivalent officer, this function can be delegated to anyone, for example, a compliance or legal officer of a company.
As responsible parties, insurers will need to obtain the consent of the insured to use their personal information at the stage of entering into the contract or policy. Consent under the Act is a voluntary, specific, and informed expression of willingness to give permission to use personal information.
The definition of personal information is wide and varied. It includes information relating to the race, gender, sex, marital status, national, ethnic or social origin and age of the insured, as well as information relating to the insured's physical or mental health, for example when the insurer is providing medical and personal injury cover. For business policies, personal information includes the financial information and claims history of commercial policyholders.
Notably, consent for the use of an insured's personal information is not required at claims processing stage since the insurer will have the right to use that information to implement the policy. This is because the Act allows the insurer to process information necessary for the performance of a policy, or necessary for pursuing the legitimate interests of the insurer or of the insured.
Where information is collected for any use that requires consent, responsible parties must take steps to ensure that data subjects are made aware of the identity of the insurer as the responsible party, what information is being collected, what the information is being used for and who the recipients will be. Insurers are already complying with some of these requirements under the relevant disclosure obligations of the Financial Advisory and Intermediary Services (FAIS) Act.
If the insurer is using third party service providers such as binder holders, loss adjusters or brokers, those service providers must be granted the authority to process the personal information of the insured parties. The Act requires anyone processing personal information on behalf of a responsible party (defined as an operator) to do so with the knowledge or authorisation of the responsible party. Insurers must ensure that the consent obtained is sufficiently wide to cover use of the personal information by their third party service providers, and must have appropriate indemnities in place to protect themselves against any liability arising from a service provider's failure to comply with the requirements of the Act when dealing with the personal information of the insured.
The personal information of the insured must be kept confidential and may only be disclosed if required by law, for example, where the information is required to be disclosed in terms of the Promotion of Access to Information Act, 2000, subject to questions of privilege.
Binder holders and brokers with claims-handling mandates can disclose the personal information of insured parties to insurers or to anyone on the insurer's instructions, for instance the insurer's attorneys, if the disclosure is necessary to deal with the claim. Loss adjusters must ensure that their reports go only to people who need to know, such as the insurer and, with the insurer's knowledge and consent, the insurer's attorneys.
The biggest exposure under the POPI Act is the obligation to safeguard the security of personal information. The Act requires businesses to take reasonable measures to prevent the loss of, damage to, or unauthorised destruction of personal information that is in their possession. Insurance companies must ensure that they, and any third party who processes personal information on their behalf, establish and maintain the security measures required by the Act.
Insurers must consider their own security risks and assess whether any service providers who process information on their behalf have considered and implemented good security safeguard measures, including having secure, modern, and protected data protection systems in place.
Those who engage in direct marketing in advertising and selling their insurance products will have to comply with the direct marketing provisions of the Act. Direct marketing is prohibited unless the data subject has given consent. A data subject must be given the opportunity to object to the use of their contact details for direct marketing purposes and may request that marketing communications cease. This is in line with the direct marketing provisions of the Consumer Protection Act, 2008.
Restrictions are placed on the cross-border transfer of personal information out of and into South Africa. Cross-border transfers of information are subject to various conditions, including the requirement of consent or contractual necessity. The person receiving the data offshore must be subject to laws specifying an adequate level of data protection that is no less than that provided in the country of origin of the information.
Insurers and their service providers must be mindful of the data protection laws in both countries when investigating claims outside South Africa. Data collected and sent to, for instance, the UK or the EU will be sufficiently protected. The POPI Act ensures sufficient compliance with international standards and must be applied by insurers and their service providers to foreign-sourced personal information.
Information may not be retained longer than is necessary to fulfil the original purpose for collection, except where the insured consents or where the retention of the records is required by law.
Personal information must be destroyed or at least de-identified as soon as practicable once the purpose for the collection is fulfilled and the responsible party is no longer authorised to retain the record. For example, once a claim has been investigated and the report submitted, it may still be necessary to keep the information because litigation may arise. However, once a claim is settled and the file is closed, there is no longer a need for the information and it should be destroyed after a reasonable time, having regard to the nature of the claim, prescription laws and data retention laws. The insurance company must also comply with the FAIS provision relating to the retention of records.
Breaching POPI creates significant civil and criminal law exposure. Having effective, working systems to protect the confidentiality of personal information is therefore essential to ensure that insurance companies do not fall foul of this new data protection law.