POPI – Protection of Personal Information Act
The 1 July 2021 deadline is looming. Along with COVID-19, the Protection of Personal Information Act (POPIA) is a hot topic of conversation in the Health Insurance industry. As a broker, why is POPI so important and why should you put in the effort to comply with the Act?
The purpose of POPIA is to ensure all South Africans and South African institutions operate in a responsible manner when acquiring, processing (including transferring or sharing) and storing personal information. The legislation holds persons and institutions accountable when information is compromised or used outside the intended purpose.
For brokers and insurers, the paragraph above has far-reaching impact. Any person or institution who has in their possession the personal information of another is responsible for the protection of that information. And processing that information for its intended purpose only means deliberate, traceable, secure systems must be put in place to guarantee its correct use. The personal information may relate to both natural and juristic persons, collectively known as data subjects.
The words “personal information of another” express an important distinction between POPIA and other insurance legislation which includes privacy and confidentiality clauses. POPIA does not only extend to your clients or policyholders; it also encompasses any personal information in your possession, including the personal information of an insurer, third-party contracts, suppliers, and staff.
Special Personal Information
Brokers and insurers operating in the Gap Cover and Health Insurance industry have an added responsibility. Not only do we handle personal information, but also information POPIA defines as “special personal information”. This includes data of minors, medical information, account numbers, and more. Because this information is considered particularly sensitive, additional safeguards are required for its protection and proper use.
Personal Information Impact Assessment
The first step to ensuring your organisation meets its compliance obligations is to conduct a Personal Information Impact Assessment (PIIA) to identify and minimise the risks from processing personal information. Section 4(1)(b) of the POPIA Regulations makes specific reference to a PIIA and states –
“a personal information impact assessment is done to ensure that adequate measures and standards exist in order to comply with the conditions for the lawful processing of personal information;”
The above regulation requires all organisations processing personal information to –
- review all processes and information stored to determine if personal information is stored and/or processed,
- determine whether the personal information is required and processed according to the intended purpose,
- determine whether the data subject is aware, or should be aware, that you are in possession of their personal information and that consent has been given to hold / process their personal information,
- ensure that personal information in your possession is adequately protected, including that –
  - access has only been given to staff who require the information in order to fulfil their duties,
  - systems, PCs, etc. have adequate password protection,
  - your IT infrastructure is adequately protected,
  - personal information is transmitted securely.
Awareness
A key component of the implementation of POPIA within your organisation is to ensure staff are aware of what personal information encompasses and understand their personal responsibilities. Having an effective training programme in place for all existing and new staff is important, and it should be ongoing.
It is a good idea to incorporate information about breaches of POPIA and their consequences into your company disciplinary code and letters of appointment.
Risk of Non-Compliance
The loss of personal information in your possession or processed by your organisation could have a significant impact on the data subject whose information has been compromised, as well as negatively impacting your organisation.
Breaches will need to be reported to the Information Regulator and may even include your organisation making a public statement that your data or systems have been compromised.
The risks of non-compliance for a party processing and storing data could include –
- civil suits for losses incurred by data subjects,
- fines and/or imprisonment,
- reputational damage.
The threat of personal information being stolen is real. It happens every day and criminals are looking for easy targets. Hence the importance of POPIA. Don’t be that easy target.
POPIA encompasses every process, department, and person within an organisation and requires the commitment of every employee. Anyone involved in the implementation of POPIA will tell you it is a mammoth job. Don’t wait. Before you know it, it will be 1 July 2021.