Getting acquainted with a legislative monster.
In the not too distant future, companies will need to comply with the Protection of Private Information Act (POPIA) when the information regulator – Pansy Tlakula – announces the effective date.
What makes this compliance even more onerous is that companies will be expected also adhere to the General Data Protection Regulation (GDPR) which governs business being done in the European Union (EU).
At the recently held 3rd Annual Protection of Personal Information Conference, which was hosted by the Intelligence Transfer Centre, Lynelle Bagwandeen – Group Company Secretary and General Counsel at Netcare Limited – unpacked the eight pillars of POPIA compliance.
King IV expressly places the responsibility for information governance with the Board and Senior Management of a company delegated by the Board to manage and secure information. The Board must ensure appropriate information management, information security, and information privacy. King IV recognizes these as essential in ensuring the governance of information by organizations that are required to establish appropriate information governance measures.
“The action that is required is that companies need to establish a compliance plan to ensure adherence accompanied by a gap analysis, a training plan for the organization, and an assessment of levels of adherence,” said Bagwandeen.
Pillar two of POPIA compliance points out that companies must ensure that personal information will be processed in a reasonable manner that does not infringe the privacy of the client.
Further, personal information may only be processed if there is a purpose which would be adequate, relevant and not excessive. This may relate to the financial needs analysis meeting only and may (in many cases) exclude cold calling for marketing purposes.
Consent needs to be given by the client. Personal information may only be processed if:
- it relates to a contract;
- it relates to a legal obligation or compliance with law;
- processing protects a legitimate interest of the data subject;
- an assurance is given that consent can be withdrawn at any time;
- it is pointed out that the client may, at any time, object to the processing of this if it is seen as (adjacent to) direct marketing; and
- in the event that there is an objection or withdrawal of consent, information processing of must stop.
It is also important to note that the intermediary does have some power here. If the client says that they do not want to provide you with information (or that they do not want their information to be processed by the insurer), you can consent to this request but point out that taking this stance may have consequences (non-disclosure and improper risk rating).
Pillar Three of POPIA compliance points out that personal information must be collected for a specific, explicitly defined and lawful purpose.
In addition, data subjects must be aware of the purpose of information gathering (financial needs analysis). It is also important to note that the retention and restriction of records are covered by this condition.
Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed unless it is prescribed by another piece of legislation. Information retention needs to be required for a lawful purpose (risk rating and premium calculation) and needs to be mandated by a contract.
Record retention needs to be consented to for historical and statistical purposes and the insurer needs to provide assurances that adequate safeguards are in place;
In retaining the records, data subjects must have the right to request access to their information and facilitate the appropriate destruction of historical records.
Pillar four of POPIA compliance points out that the further processing of information must be compatible with the purpose of its collection. To assess compatibility, the responsible party needs to consider:
- the original purpose of the collection of information and the purpose of additional processing of this information;
- the consequences of the additional processing on the client; and
- the manner in which information was collected and any contractual rights between the parties.
This prevents the sale of data collected from alternate sources.
“This can be avoided in the additional processing if it is consented to, if the original information is derived from a public record, if further processing is necessary in terms of the application of collection for legal prosecution (SARS, interests of national security). It can also be avoided if the further processing of information is necessary to save a life or an emergency situation arises and additional processing is needed for research or statistical purposes and it is used or published in an unidentifiable manner,” said Bagwandeen.
Lynelle Bagwandeen, Group Company Secretary and General Counsel at Netcare Limited, points out that the quality of the gathered information requires the responsible party to ensure that personal information is complete, accurate, not misleading, and updated where necessary.
“When approaching quality maintenance, the purpose for which personal information is collected or further processed must be referenced. What does this mean? This is an administrative burden because; in addition to safeguards, the onus on retaining accurate information is on the insurer and a policy needs to be developed to check with the client to ensure on going accuracy. Further, the insurer can also engage with the client on further processing and the obligation to update information can be done through prompts,” said Bagwandeen.
What action will companies and intermediaries be required to take? Bagwandeen added that companies will have to assess existing information to determine if refining the quality of the information is essential. Further, they will have to delete necessary information and engage with data subjects and review their information governance structures in terms of King IV.
Pillar six of POPIA compliance deals with openness. in this pillar, it is essential that documentation of all processing operations is maintained and is made accessible in terms of the Promotion of Access to Information Act (PAIA) through a publicly available manual. This is governed by Section 14 and Section 51 of PAIA.
“If personal information is collected, reasonable steps should be taken to ensure the client is aware of the information being collected and source of information, details of the party collecting information (insurer or party acting on behalf of an insurer), the purpose for the collection of the information, and whether supplying this information is mandatory or voluntary. Further, the insurer needs to inform the client that there will be consequences related to the failure to provide information, and there may be laws prescribing the collection of information.
In addition, if the information will be shared, the client needs to know. This is especially important if an insurer writes business in Africa and the information is processed and refined in South Africa. Key protection needs to be offered to data subjects whose information travels across borders.
“Additional information should be included to outline recipients of information, the rights to object to information collection as well as the right to access the services of and the details of Pany Tlakula, the information regulator,” said Bagwandeen.
POPIA compliance Pillar seven deals with security safeguards.
Bagwandeen points out that, to ensure security, integrity and confidentiality measures on personal information, companies need to implement a few security measures.
This includes taking appropriate, reasonable technical and organisational measures to:
- prevent the loss of information;
- information being damaged;
- the unauthorised destruction of information; and
- the unlawful accessing of personal information.
“To comply with this, it is necessary for the insurer to identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control. Further, the insurer must establish and maintain appropriate safeguards against the risks that it has identified,” said Bagwandeen.
In addition, the insurer needs to regularly verify that the information safeguards are effectively implemented, and the insurer needs to ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
“Finally, the insurer must implement a best practice methodology,” said Bagwandeen.
The notification of a breach of private information is vitally important. If the insurer believes there is a breach, they need to:
- notify the Information Regulator;
- notify the client if the client’s identity is known;
- send out a notice of the breach as soon as is possible by notice through email or any other relevant publication;
- identity the party who committed the breach; and
- point out any mitigating security actions that will follow the breach.
Data subject participation.
While it is the shortest of the pillars in terms of action to be taken, client participation is what POPIA compliance hinges itself on.
Bagwandeen points out that the client has the right to confirm why the information is being gathered and what type of personal information will be held. “Additionally, the client has the right to request the identity of all third parties who have, or have had, access to the information. This can be done at a fee and within a reasonable period of time,” said Bagwandeen.
She added that the provisions of sections 30 and 61 of the Promotion of Access to Information Act are applicable in respect of access to health or other records.
Don’t ignore the GDPR.
As pointed out at the beginning of the blog post, companies will be expected to be compliant with both the POPIA and the GDPR. One cannot be ignored in favor of the other. I recently read an article on techradar.com which provided ten useful tips to ensure GDPR compliance.
- Pay the registration fee to the ICO (unless you are exempt);
- Ensure you have appropriate privacy information in place and available –you’ll be on the back foot when receiving a subject access request if you cannot direct an individual to your policies;
- Take time to understand the data you collect and why, and be clear on your legal basis for processing;
- Review your marketing strategy. Whilst consent to electronically market is usually required, it is possible to market to existing customers without explicit consent, whilst you also have a legitimate interest to contact other businesses. However, ensure opt-out options are provided and actioned;
- Train your staff (including on your SAR response procedures) and support this with clear internal policies on data security and retention etc. The ICO always asks for these when investigating a complaint;
- Consider your current insurance. In particular: does it cover acts of a rogue employee; and is cyber insurance appropriate?
- Do everything you can to prevent a data breach- including IT security, destruction procedures and clear policies for employees to follow;
- Review your standard terms of business, and any client terms, to ensure they accurately reflect your actual data sharing or processing relationship (or lack of it), whilst ensuring liability is apportioned or excluded appropriately;
- Remember that you have legal rights and requirements to process personal data, so don’t panic. Be confident in why you are processing and respond accordingly; and
Taking time to consider your position now will prevent unwanted surprises in 2019.
A word on compliance.
It seems that in the future, companies will need to go through every interaction with data subjects with a fine-tooth comb.
They will also need to be well versed in legal matters. The role of the company when it comes to POPIA compliance will be extensive. Do companies have the necessary systems in place to ensure compliance?
“GTconsult has been through it, and trust me, GDPR compliance is no easy task. However, it needs to be done. The benefits that GTconsult has experienced following compliance with the GDPR has significantly benefitted the company. We look forward to POPIA and South Africa’s alignment with internationally accepted best practice principles. The rest of the country should also be taking this view,” said GTconsult Co-Founder and CEO Bradley Geldenhuys.