Dissecting POPI in the medical scheme industry | KPMG | ZA

Dissecting POPI in the medical scheme industry

The introduction of the new Protection of Personal Information Act (POPI) into law has been hailed as a positive addition to the current consumer protection laws in South Africa. Many industries, however, already regulate how personal information is collected and processed by industry participants through existing legislation and codes of conduct. The healthcare and medical insurance industry is one such example. How much further does this new piece of legislation take the obligations of medical schemes, administrators, medical scheme service providers, brokers and other industry participants (collectively referred to as medical scheme industry participants) to protect the personal information of current and prospective medical scheme members?

The nature and extent of the information that the healthcare industry requires of individuals makes the medical scheme industry the industry most likely to be affected by POPI, notwithstanding the obligations that already exist in current legislation. All participants in the medical scheme industry are “responsible parties” [1] that collect and deal not only with general personal information but also with special personal information, such as the medical/health information of natural persons, which imposes additional compliance requirements under POPI.

Unlike the EU Directive on Data Protection, POPI extends its cover not only to natural persons but also to juristic persons. This means that personal information relating to companies which is held by any of the medical scheme industry participants must also be processed in accordance with POPI.

Every responsible party processing personal information in the medical scheme services supply chain is accountable under POPI to ensure that the provisions of the legislation are fully complied with and the processing of personal information is lawful. The general obligations under POPI include:

  • Obtaining the specific and informed consent to process a person’s personal information.
  • Identifying the legitimate purpose for which information is processed.
  • Ensuring that the processing of information is relevant, adequate and not excessive in respect of that purpose (for example, to determine the terms upon which the medical scheme will offer medical insurance).
  • Notifying persons when their personal information is collected and of the purpose for the collection, as well as obtaining consent to transfer the information to another party (for example, the transfer of personal information between the individual broker, the medical scheme service provider/administrator and the medical scheme).
  • Installing adequate security measures to protect the integrity of the information.
  • Notifying the Regulator and the data subject when a security breach/compromise occurs, and of the possible consequences of the breach.
  • Ensuring, through a written agreement, that any third-party operator which processes personal information on behalf of the responsible party establishes and maintains the security measures to which POPI refers.
  • Destroying or deleting a record of personal information as soon as the purpose for which that information was collected has been fulfilled or the information is no longer required.

The above list is by no means exhaustive, and these requirements will certainly call for different considerations depending on the industry concerned and the nature of the information being collected. Considered below are five scenarios which highlight the responsibilities of the various medical scheme industry participants under POPI:

Personal information collected

  • Integral to their function and contract with members, medical scheme industry participants collect and process an extensive variety of personal information. Under POPI, medical scheme industry participants will need to ensure that the personal information they collect is absolutely necessary and relevant to the services they provide. Such personal information can only be used for the purpose explicitly specified to the member.
  • If any personal information is not essential to fulfil the purpose of providing the services which the medical scheme industry participant has been engaged to perform, such information cannot be collected and, if already collected, should be destroyed.
  • Medical scheme industry participants will need to obtain consent from members to pass their personal information on to other parties. Members should be made aware of the reasons for collecting their personal information, what it will be used for, to whom such information may be passed on, and the reason for passing their personal information on to a third party.
  • Medical scheme industry participants will need to review all of the personal information that has already been collected and stored, to determine whether there is a lawful purpose for the personal information collected and whether the purpose for which the personal information was collected has been fulfilled.
  • At all times members should be given access to their personal information in order to update such information or, alternatively, to request that it be destroyed by the relevant medical scheme industry participant. Members must be informed of their right to access their personal information for this purpose and how they should go about exercising that right.

Storing personal information

In this digital age, the means for electronic storage of information are pervasive. Options include, inter alia, storage in the “Cloud”, external storage devices (flash drives, CDs, external hard drives, etc.), desktops and laptops. In many instances, information is also stored in hard copy format. Irrespective of the medium, the security of personal information is key, and responsible parties processing information are liable in the event of a security breach. Some of the storage and security considerations that participants in the medical schemes industry will need to comply with in terms of POPI include the following:

  • Because the medical insurance industry deals with an extensive amount of personal and special personal information, extensive security measures need to be put in place to establish and maintain the security of personal information and to prevent it from being accessed by unauthorised persons. This will entail establishing appropriate security controls, such as password protection and encryption mechanisms, so that if storage devices are lost, stolen or accessed unlawfully, the personal information stored on them cannot be easily accessed.
  • Compliance with the specific provisions of POPI relating to cross-border information transfers, if information is to be transferred outside of South Africa, for example where it may be stored in the “Cloud”.
  • Entering into written contracts with third party operators that are used to process (i.e. collect, use or store) personal information, in terms of which the third party operator is required to establish and maintain adequate confidentiality and security measures to ensure that the personal information it processes on behalf of the responsible party is kept secure.
  • Irrespective of where personal information is stored, participants in the medical schemes industry will be required to take appropriate, reasonable technical and organisational measures to secure personal information against loss, destruction, theft or unlawful use.

Retention of personal information

  • Generally, personal information can only be retained for as long as is necessary to achieve the specific purpose for which it was collected, unless there is a valid reason to retain the personal information for a longer period [2]. One example is where there is a statutory requirement to keep such information for a longer period, such as section 18 of the Financial Advisory and Intermediary Services Act, which requires certain information to be retained for a minimum period of five years.
  • As soon as the personal information is no longer required for the specific purpose for which it was collected, it must be destroyed to the extent that it cannot be reconstructed into an intelligible form or re-identified. Medical scheme industry participants will therefore need to assess the personal information they store to determine whether such information may be retained, whether it can be destroyed and how it should be destroyed.

Direct marketing

  • Medical scheme industry participants may continue to send marketing communications to their current members, provided that the purpose is to directly market their own similar products or services.
  • In addition, the member must be given a reasonable opportunity, at the time his/her information is first collected, to object to the use of his/her details for marketing purposes.
  • Members who may initially have consented to the use of their information have the right to object, free of charge, to further direct marketing at any time thereafter. Medical scheme industry participants therefore need to ensure that all marketing communications include an opt-out option.

Reward Programmes (Third Party Alliances)

Many medical scheme service providers offer benefit or wellness programmes to medical scheme members (members) and do so through alliances with third party service providers. Naturally, certain personal information must be provided to that third party alliance partner in order for it to provide the client with the applicable reward benefits. Although the rewards programmes offered by various medical scheme service providers are not directly linked to the medical scheme, in order to provide a full overview of POPI’s coverage in the medical schemes industry we set out below the responsibilities of those service providers who offer rewards programmes to their members:

  • POPI places an obligation on the medical scheme service provider to ensure that the alliance partner establishes and maintains the same security measures as those imposed upon the medical scheme service provider under POPI, in order to protect the confidentiality and integrity of the personal information provided to it. Specifically, the medical scheme service provider is obliged to enter into a written agreement with each of its alliance partners in this regard.
  • Medical scheme service providers will need to ensure that members have given their specific consent to the transfer of their personal information to the alliance partner, and that the personal information provided to third parties is only that which is relevant and necessary for them to provide the benefits/services to the client.
  • While the alliance partner will also fall under the ambit of POPI and will be required to comply with its requirements, medical scheme service providers will need to review their current contracts with such alliance partners, and with any other third parties they may use to process the information of members, to ensure that these contracts specifically contain the relevant provisions required by POPI, among other things.

Given the extensive coverage of POPI and the responsibilities placed on responsible parties, insurance and third party liability/indemnity cover will also need to be reconsidered to ensure that medical scheme industry participants have adequate insurance in place should a breach occur.

One of the main concerns raised by the insurance industry in its comments during the drafting of POPI was the cost implication of POPI, given the significant amount of personal information that the insurance industry collects, uses and stores in relation to its members.

The insurance industry suggested that the one year transitional period for the implementation of POPI should be extended to three or five years, in order to allow the industry adequate time to ensure compliance with POPI and to manage the cost. It remains to be seen whether the President will extend the one year transitional period upon commencement of POPI, or whether this transitional period will be extended at a later date. For now, organisations and individuals will have one year from the commencement date of POPI (still to be determined by the President) to make their organisations/businesses POPI compliant.

The implementation of POPI may be costly and time consuming, depending on the current IT architecture, systems and controls in place, the number of mediums used to collect, use and store personal information, and the number of contracts with third party operators.

Ultimately, no matter how advanced and POPI compliant an organisation may be, there is always the risk of personal information being lost, stolen or used unlawfully by employees or other individuals who have access to that information. To ensure the successful implementation of POPI, medical scheme industry participants will need to invest time in training their employees and in change management initiatives within the organisation, so that privacy and data protection become not only a core value and vision of the firm in the way it does business, but also a value that its employees carry into their everyday lives.

The information contained in this article is of a general nature and is not to be construed as legal advice or a comprehensive analysis of POPI.

For further information and/or to obtain any specific advice or assistance in respect to POPI please contact either Vikeshni Vandayar on 082 719 2103 or Nikki Pennel on 082 719 5916.

[1] As defined in POPI.
[2] Section 14 of POPI sets out the instances in which a responsible party may retain personal information for a longer period. Such instances include, inter alia, where the personal information is retained for a lawful purpose related to the responsible party’s functions/activities, and where the personal information is retained for historical, statistical or research purposes, provided it is not used for any other purpose.
