Additional PoPI Challenges for Insurers in South Africa
Our last blog post detailed serious challenges associated with the Protection of Personal Information (PoPI) Act compliance. This post explains some additional issues:
Avoiding ‘Regulatory Paradox’
PoPI clearly requires insurers to reduce the nature and volume of personal information they hold and retain, in order to protect customers’ privacy. Paradoxically, though, regulators generally are requiring insurers to retain more and more customer data, to identify anti-money laundering, fraud, terrorist funds (FICA), etc. How will insurers find ways to resolve this paradox in a compliant manner?
Tracking Third Parties
The insurer must, in terms of a written contract, ensure that a third-party (operator) processing data on behalf of the responsible party establishes and maintains the required security measures. The third-party must:
- Process personal information only with the responsible party’s knowledge, or authorisation, and must not disclose it unless required by law (or in the proper performance of their duties).
- Immediately notify the responsible party where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person.
Under PoPI, a written agreement relating to third-party access to personal information and customer consent is normally required, but not necessary in all circumstances. Insurers who offer customers access to their data via self-service capabilities and give third parties access to data must be able to track whenever and wherever personal data has been accessed, no matter the channel.
Breaches/Violations
The regulator and data subjects must be informed, within a ‘reasonable timescale’, where there has been a breach of personal information. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach is more than just losing personal data; it includes any misuse, hacking, data sales, or any unauthorised use.
The regulator may direct that a data breach can be publicised if there are reasonable grounds to believe that publicity would protect an affected customer.
A breach may come to light via:
- The individual ‘data subject’, via a complaint to the information regulator
- The insurers – there is a PoPI requirement for organisations to notify the information regulator and the data subjects of any compromises of their personal information
- The information regulator where s/he has initiated a review or investigation of an organisation’s compliance, which s/he is empowered to do under PoPI
For additional information, please check out our white paper: PoPI Challenges and Solutions for South African Insurers. It examines the difficulties facing insurers on the road towards full PoPI compliance, as well as some opportunities that will likely result from the regulations, and how insurers can maximise those opportunities.
Read more about Sapiens’ insurance software and related Sapiens’ solutions.