Ushering in an era of data privacy, the South African Protection of Personal Information Act (POPIA) caused a paradigm shift in how insurance businesses approach privacy.
In the context of insurance, personal information is frequently collected, shared with third parties, and used for a range of purposes. Insurers have traditionally relied on blanket clauses that allow the company to collect and share the policyholder's personal information.
However, under POPIA, blanket clauses are no longer sufficient, because the policyholder does not know which information they are consenting to share or the different purposes for which it will be used.
In addition, any password system deployed must protect stored passwords against theft and resist brute-force or guessing attacks, and all required security measures must be implemented, including approval controls when banking details are captured.
While Cardinal has always treated its stakeholders' data with the utmost care and security, our three functionalities that cater for POPIA - Data Retention and Destruction, Password Encryption, and Approval of Newly Loaded Banking Details - add further protection for personal information.
POPIA is a data privacy law that gives effect to section 14 of the Constitution of the Republic of South Africa, 1996, which guarantees the right to privacy. It imposes accountability on organisations that collect, keep, analyse, and manage personal information, while granting individuals rights that let them retain control over their data.
POPIA is comparable to the General Data Protection Regulation (GDPR) of the European Union (EU), widely regarded as the strictest privacy and security law in the world, and draws on many of its core ideas.
When POPIA's main provisions commenced, organisations were given one year to achieve compliance and make all necessary changes, with the deadline of 1 July 2021. Any business that processes or stores the personal information of clients, tenants, vendors, or suppliers had to be fully POPIA compliant by that date or risk being in breach of the law.
All personal information must be lawfully processed. Personal information is broadly defined but includes:
Knowing how, why, and for how long to keep data before deleting it is crucial to protecting the interests of clients. When an insurance company is no longer actively using a policyholder's data, that data should be deleted or de-identified by replacing the sensitive personal information it contains.
The essential concern for insurance companies in the era of POPIA is how they should delete or destroy previously processed personal information. POPIA does not dictate the method(s) of destroying or erasing personal information and does not provide extensive guidance on how responsible parties who process personal data should destroy or erase a record of personal information.
In certain situations, businesses may take the easy approach and simply destroy their hard copies and delete their computer files. This is often insufficient: deleting a file does not necessarily remove the data from the storage medium, and copies may survive in backups, exports, and operator systems.
Whichever data destruction and deletion processes an insurance company implements, the responsible party is ultimately accountable for ensuring compliance with POPIA, both by itself and by all operators that provide services to it.
Outsourcing or subcontracting processing activities to operators does not absolve the responsible party of that accountability. If an operator violates POPIA, the Information Regulator will still hold the responsible party to account.
At Cardinal, we have been investigating innovative ways to make adherence to POPIA requirements easier.
The rollout of our pre-built data retention and destruction functionality enables the responsible party to set security controls to protect personal information on a case-by-case basis.
An administrator within Cardinal assigns the relevant security task to a specific user. For security reasons, this functionality is not available to ordinary C360 users; only users holding the requisite security task can access it.
The authorised user then configures an Obfuscation Rule Type, which determines the Policy Rule type that applies to a record based on its retention period and whether that period has been exceeded.
The authorised user can configure, per Obfuscation Rule Type, how long data should be kept, with the option to set a period shorter than the standard five years. Personal information is then de-identified within the set timeframe, or as soon as practicable once the purpose for which it was collected has been fulfilled and Cardinal is no longer authorised to retain the record; every such action is audit-controlled.
For instance, once a claim has been investigated, and a report has been made, it may be vital to retain the information because litigation may ensue. However, the information is no longer necessary once a claim has been paid and the file has been closed.
The authorised user can also request a policyholder report by enabling the Send Report option. The user either enters the FTP details of the location where the report should be uploaded or specifies a File Secret.
If a File Secret is specified, the CSV file is compressed and encrypted with that password before being uploaded to the FTP server. The user can test the supplied FTP details by uploading a test file to confirm they are correct. Note that plain FTP sends credentials and file contents unencrypted, so the file-level encryption is what protects the report in transit; the File Secret should therefore be strong and shared with the recipient over a separate channel.
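The retention-and-destruction workflow described above (assign the security task, configure an Obfuscation Rule Type with a retention period, de-identify records once the period lapses or the purpose is fulfilled, keep an audit trail) can be sketched in code. The following is an added example, not Cardinal's or C360's own implementation: the rule names, record fields, sample records, and the five-year period are constructed for illustration, and the de-identification uses a keyed HMAC pseudonym, which stays consistent for the same subject while the key exists and becomes irreversible once the key is destroyed.

```python
"""Retention-rule engine (illustrative, not C360 code): de-identify closed records
whose configured retention period has lapsed, and log every decision for audit."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ObfuscationRule:
    """Hypothetical rule: keep a closed record for `retention_years`, then replace
    the listed personal-information fields with pseudonyms."""
    name: str
    retention_years: int
    fields: tuple


# Hypothetical rule set; the five-year figure mirrors the page's example, not a POPIA mandate.
RULES = {
    "claim": ObfuscationRule("claim", 5, ("full_name", "id_number", "email", "bank_account")),
    "policy": ObfuscationRule("policy", 5, ("full_name", "id_number", "email")),
}


def add_years(d, years):
    """Add calendar years; 29 February rolls back to 28 February in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_expired(closed_on, rule, today):
    """True once the retention period, counted from the closure date, has lapsed."""
    return closed_on is not None and add_years(closed_on, rule.retention_years) <= today


def pseudonym(key, value):
    """Keyed one-way replacement: the same value under the same key always maps to the
    same token, and the token cannot be reversed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "DEID-" + digest[:16]


def deidentify(record, rule, key):
    """Return a copy of the record with the rule's personal-information fields replaced."""
    out = dict(record)
    for field in rule.fields:
        if out.get(field) is not None:
            out[field] = pseudonym(key, str(out[field]))
    out["deidentified"] = True
    return out


def run_retention(records, today, key):
    """Apply the matching rule to each record; return (processed records, audit log)."""
    processed, audit = [], []
    for rec in records:
        rule = RULES.get(rec["record_type"])
        # Open records and records still inside their retention period are left untouched:
        # the purpose of collection is not yet fulfilled (e.g. litigation may still follow).
        if rule is None or rec["status"] != "closed" or not retention_expired(rec["closed_on"], rule, today):
            processed.append(rec)
            audit.append({"record_id": rec["record_id"], "action": "retained",
                          "rule": rule.name if rule else None, "on": today.isoformat()})
            continue
        processed.append(deidentify(rec, rule, key))
        audit.append({"record_id": rec["record_id"], "action": "deidentified",
                      "rule": rule.name, "fields": list(rule.fields), "on": today.isoformat()})
    return processed, audit


# Constructed sample data; identifiers and contact details are deliberately fictitious.
SAMPLE_RECORDS = [
    {"record_id": "CLM-1001", "record_type": "claim", "status": "closed", "closed_on": date(2015, 3, 1),
     "full_name": "Sample Policyholder One", "id_number": "SAMPLE-ID-1",
     "email": "one@example.com", "bank_account": "000000001"},
    {"record_id": "CLM-1002", "record_type": "claim", "status": "closed", "closed_on": date(2021, 9, 15),
     "full_name": "Sample Policyholder Two", "id_number": "SAMPLE-ID-2",
     "email": "two@example.com", "bank_account": "000000002"},
    {"record_id": "CLM-1003", "record_type": "claim", "status": "open", "closed_on": None,
     "full_name": "Sample Policyholder Three", "id_number": "SAMPLE-ID-3",
     "email": "three@example.com", "bank_account": "000000003"},
]


if __name__ == "__main__":
    # The key would live in a secrets store in practice; destroying it makes the pseudonyms irreversible.
    out, log = run_retention(SAMPLE_RECORDS, date(2024, 6, 30), b"demo-key-from-secrets-store")
    for entry in log:
        print(entry)
```

Running the block as of 30 June 2024 de-identifies CLM-1001 (closed in 2015, so the five-year period has lapsed), retains CLM-1002 (closed in 2021, period still running) and retains CLM-1003 (still open). The audit log records the rule and the fields touched, which is the evidence a responsible party needs to show the Information Regulator that destruction actually happened and when.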
Does compliance with POPIA require the use of encryption when emailing personal information? In other words, can sending an unencrypted email containing personal information violate POPIA? In short, yes.
While POPIA contains no explicit rule about email encryption, its security safeguards and the applicable codes of conduct can effectively demand it. Password-protecting the attached documents is one method of protecting data subjects and supporting compliance with POPIA.
C360 provides the capability to encrypt PDF documents emailed to Policyholder Entities, Broker Entities, Insurer Entities, and/or Creditor Entities.
In the system, a Default Password can be specified. Each of the entity types listed above can be configured to use this Default Password for PDF encryption, or a password can be omitted for certain entities. A single default password shared across many recipients offers little protection once it is known, so entity-specific passwords communicated out of band are preferable wherever practical.
In addition to the configurable default password, the following parameters are entry-specific:
The risk of being a victim of fraud has increased for South Africans over the past year, according to the Southern African Fraud Prevention Service (SAFPS). Considering the current state of the economy, this is especially troubling.
As such, personal banking information must be processed lawfully and without violating the data subject's privacy, and particular care must be taken whenever banking details are processed.
Within C360, the option to approve newly loaded banking details is available, contributing to the prevention of potentially fraudulent transactions.
Only users who hold the 'Can Approve Bank Details' permission can approve newly loaded bank details, and until approval is given those details cannot be used for insurance transactions. For the control to be effective, the approver should be a different user from the one who captured the details.
Compliance with POPIA is not a case of one-size-fits-all. Different organisations must employ different compliance measures. For instance, the responsibilities of a small business (or SME) differ greatly from those of a medium or large organisation. What an organisation needs to do depends on the foundations it has already built to protect personal information: some organisations have many security measures in place, while others are new to the issue.
Cardinal is committed to complying with POPIA, protecting your privacy, and ensuring transparency in how we handle any personal information received from any of our stakeholders.