The introduction of the new Protection of Personal Information Act (POPI) into law has been hailed as a positive addition to current consumer protection laws in South Africa. Many industries, however, already regulate how personal information is collected and processed by industry participants through existing legislation and codes of conduct. The healthcare and medical insurance industry is one such example. How much further does this new piece of legislation take the obligations of medical schemes, administrators, medical scheme service providers, brokers and other industry participants (collectively referred to as medical scheme industry participants) to protect the personal information of current and prospective medical scheme members?
The nature and extent of the information that the healthcare industry requires of individuals make the medical scheme industry the industry most likely to be affected by POPI, notwithstanding the obligations that already exist in current legislation. All participants in the medical scheme industry are “responsible parties” 1 that collect and deal with not only general personal information but also special personal information such as medical/health information of natural persons, which as a result imposes additional compliance requirements under POPI.
Unlike the EU Directive on Data Protection, POPI extends its cover to not only natural persons but also juristic persons. This means that personal information relating to companies that is held by any of the medical scheme industry participants must also be processed in accordance with POPI.
Every responsible party processing personal information in the medical scheme services supply chain is accountable under POPI to ensure that the provisions of the legislation are fully complied with and the processing of personal information is lawful. The general obligations under POPI include:
The above list is by no means exhaustive and certainly these requirements will require different considerations depending on the industry concerned and the nature of the information being collected. Considered below are five scenarios which highlight the responsibilities of the various medical scheme industry participants under POPI:
Personal information collected
Storing personal information
In this digital age, the means for electronic storage of information are pervasive. Options include, inter alia, storage in the “Cloud”, external storage devices (flash drives, CDs, external hard drives etc.), desktops and laptops. In many instances, information is also stored in hard copy format. Irrespective of the medium, the security of personal information is key, and responsible parties processing information are liable in the event of a security breach. Some of the storage and security considerations that participants in the medical scheme industry will need to comply with in terms of POPI include the following:
Retention of personal information
Reward Programmes (Third Party Alliances)
Many medical scheme service providers offer benefit or wellness programmes to medical scheme members (members) and do so through alliances with third party service providers. Naturally, certain personal information is required to be provided to that third party alliance partner in order to provide their client with the applicable reward benefits. Although the rewards programmes offered by various medical scheme service providers are not directly linked to the medical scheme, in order to provide a full overview of POPI’s coverage in the medical scheme industry we set out below the responsibilities of those service providers who offer rewards programmes to their members:
Given the extensive coverage of POPI and the responsibilities placed on responsible parties, insurance and third party liability/indemnity cover will also need to be reconsidered to ensure that medical scheme industry participants have adequate insurance cover in place should a breach occur.
One of the main concerns raised by the insurance industry in its comments during the drafting of POPI was the cost implications of POPI due to the significant amount of personal information that the insurance industry collects, uses and stores in relation to its members.
The insurance industry suggested that the one year transitional period for the implementation of POPI should be extended to three or five years in order to allow the industry adequate time to ensure compliance with POPI and so that the cost could be managed. It is still to be seen whether or not the President will extend the one year transitional period upon commencement of POPI or whether this transitional period will be extended at a later date. For now, organisations and individuals will have one year from the commencement date of POPI (still to be determined by the President) to get their organisations/businesses POPI compliant.
The implementation of POPI may be costly and time consuming, depending on the current IT architecture, systems and controls in place, the number of mediums used to collect, use and store personal information, and the number of contracts with third party operators.
Ultimately, no matter how advanced and POPI compliant an organisation may be, there is always the potential risk of personal information being lost, stolen or used unlawfully by the employees or other individuals who have access to that information. To ensure the successful implementation of POPI, medical scheme industry participants will need to invest time to train their employees and implement change management initiatives within the organisation to instil the value of privacy and data protection not only as a core value and vision of the firm in the way it does business but also as a value that its employees should instil in their everyday life.
The information contained in this article is of a general nature and is not to be construed as legal advice or a comprehensive analysis of POPI.
For further information and/or to obtain any specific advice or assistance in respect to POPI please contact either Vikeshni Vandayar on 082 719 2103 or Nikki Pennel on 082 719 5916.
1 As defined in POPI.
2 Section 14 of POPI sets out the instances under which a responsible party may retain personal information for a longer period. Such instances include, inter alia, if the personal information is retained for a lawful purpose related to the responsible party’s functions/activities and if such personal information is retained for historical, statistical or research purposes, provided the personal information is not used for any other purpose.