In her Benchmark Symposium presentation, Michele Jennings noted that the Benchmark research indicated that the awareness of the impact of the Protection of Personal Information Act (often called the POPI Act or POPIA) on service providers is 80 to 90% there, although from some of the interactions it remains a concern whether employers or funds fully understand their own roles as responsible parties under POPIA.
Why Personal Information is required
Sanlam Corporate: Group Risk (hereafter referred to as SGR) may use personal information or obtain personal information for the following purposes:
- underwriting and providing accurate and effective insurance cover and related value-added services;
- member communication;
- market research and statistical analysis;
- verification of the personal information provided;
- to comply with all legal and regulatory requirements, including applicable codes of conduct;
- to protect Sanlam’s interests; and
- any purposes related to the above.
POPIA is South Africa’s data privacy law, and it guides us on when and how organisations collect, use, share, store, delete and otherwise process personal information of “data subjects”. The term “data subject” as defined in the POPI Act refers to a natural person and a juristic person (i.e. an organisation, for example an employer or retirement fund) whose personal information is being processed by other person(s) or organisation(s) acting as responsible party/ies.
The Policyholder (employer or fund), as a joint responsible party with SGR, ensures that personal information of employees/members (“data subjects”) is collected and shared by themselves (or the service provider appointed by the Policyholder).
SGR will process and protect the personal information shared by the Policyholder, or the service provider appointed by the Policyholder, in accordance with the provisions of the applicable data privacy laws. For more information, please refer to the Sanlam Group Privacy Notice.
SGR cannot guarantee the security or accuracy of any information transmitted to SGR.
Policy endorsements, for the inclusion of data privacy provisions in line with POPIA, will be sent to all Policyholders shortly.
How long is Personal Information kept?
Personal information will be held and used for as long as permitted for legal, regulatory, fraud prevention and legitimate business purposes.
Are there other parties that may receive the Personal Information?
- SGR may share personal information within the Sanlam Group and/or with other service providers appointed by Sanlam and industry bodies or other insurers where required for any of the purposes listed above, or with third parties where SGR is lawfully required to do so.
- SGR may send personal information to service providers outside the RSA for storage or further processing on SGR’s behalf. SGR will not send personal information to a country that does not have information protection legislation similar to that of the RSA, unless SGR has a binding agreement with the service provider which ensures that it effectively adheres to the principles for processing of personal information in compliance with the applicable data privacy laws.
- SGR may contact the Policyholders and/or the data subject regarding events, seminars, products, services and content that may be of interest, or invite the employer/fund and/or the employees/members to participate in research with the aim of improving SGR’s products and services.
In summary, SGR confirms it has implemented appropriate technical and organizational information security measures to keep the personal information secure, accurate, current, and complete. Because some of our clients’ software is not compatible with an encrypted communication solution, we have also implemented a secure method of communication that will incorporate protecting documents with passwords.