The right to privacy is guaranteed in the POPI Act, which includes a data subject's right to be safeguarded from any unlawful collection, retention, dissemination, or use of their personal information.
Insurance businesses had until 30 June 2021 to confirm that their business processes were compliant with the Personal Information Protection Act of 2013. (POPI Act).
The Act, which took effect on 01 July 2020, gives effect to the Constitutional right to privacy by protecting the personal information of individuals and, where applicable, juristic persons such as businesses (referred to as data subjects) that is processed by public and private organisations (called responsible parties).
Because the Act will affect how insurers and their service providers, such as brokers, loss adjusters, and binder holders, deal with the personal information of insured parties, insurers and their service providers, such as brokers, loss adjusters, and binder holders, will need to comply with the various obligations imposed on responsible parties.
Appointment of an Information Officer was required to register with the Information Regulator by 30 June 2021. The Information Officer must deal with requests made to the company under the Act and will generally be responsible for the company's compliance with the Act. Whilst the Act defines an Information Officer as the head of a private body such as a Chief Executive Officer or equivalent officer, this function can be delegated to anyone, for example, a compliance or legal officer of a company.
The Information Officer is responsible for dealing with requests made to the company under the Act and for the organization's overall compliance with the Act. While the Act defines an Information Officer as the chief executive officer or comparable officer of a private entity, this job can be assigned to anyone, such as a company's compliance or legal officer.
Insurers, as responsible parties, would need to get the insured's authorization to use their personal information at the time of contract or policy entry. Under the Act, consent is defined as a voluntary, specific, and informed declaration of willingness to allow the use of personal information.
Personal data is diverse and extensive. It contains data on the insured's race, gender, sex, marital status, national, ethnic, or social origin, and age, as well as data on the insured's physical or mental condition, such as when the insurer provides medical and personal injury coverage. The financial details and claims history of commercial policyholders are included in personal information for business policies.
Notably, at the claims processing stage, approval for the use of an insured's personal information is not necessary because the insurer will have the right to use that information to carry out the policy. This is because the Act authorizes the insurer to handle information that is required for the performance of a policy or to pursue the insurer's or insured's legitimate interests.
When data is gathered for any purpose that requires consent, responsible parties must take steps to ensure that data subjects are aware of the insurer's status as the responsible party, the type of data being collected, the purpose for which the data is being used, and who the recipients will be. Under the applicable disclosure responsibilities of the Financial Advisory Intermediary Services rules, insurers are already complying with some of these requirements.
If the insurer uses third-party service providers like binder holders, claim adjusters, or brokers, they must be given permission to process the insured parties' personal information. Anyone processing personal information on behalf of a responsible party (designated as an operator) must do so with the responsible party's knowledge or authorization, according to the Act. Insurers must ensure that the consent is broad enough to cover the use of personal information by their third-party service providers, and that appropriate indemnities are in place to protect them from any liability resulting from the service provider's failure to comply with the Act's requirements when dealing with the personal information of the insured third party.
The insured's personal information shall be kept private and disclosed only when needed by law, such as when the information is required to be revealed under the Promotion of Access to Information Act, 2000, subject to privilege issues.
The most serious risk posed by the POPI Act is the requirement to keep personal information secure. Businesses must take reasonable precautions to prevent the loss, damage, or unauthorised deletion of personal information in their control, according to the Act. Insurance firms, as well as any third parties who process personal information on their behalf, must ensure that the Act's security measures are implemented and maintained.
Those that use direct marketing to advertise and sell their insurance products will be required to follow the Act's direct marketing regulations. Unless the data subject has granted consent, direct marketing is illegal. A data subject has the right to object to the use of their contact information for direct marketing purposes and to have marketing communications stopped. This complies with the Consumer Protection Act of 2008's direct marketing rules.
