How the Protection of Personal Information Act (POPIA), 2013, impact role players

Every person is affected by the Protection of Personal Information Act, No 4 of 2013 (POPIA) as it strengthens every citizen’s right to privacy, which is afforded by the Constitution of the Republic of South Africa.  The Act is important, because personal information is crucial for doing business and must be managed securely and responsibly.  It is not an absolute right that stems the free flow of information, but rather aims to regulate the flow of information in a secure and responsible manner.

Sanlam’s readiness for POPIA

Sanlam Corporate: Group Risk (a division of Sanlam Life Insurance, hereafter referred to as Sanlam) is the trusted custodian of the personal information of many policyholders and investors, and as a reputable financial services institution, is committed to a culture of compliance with the law.

In alignment with global best practice and Sanlam Group principles, Sanlam respects clients’ constitutional rights to information privacy and is committed to protecting the personal information of our clients, employees and business partners, in a manner that is fair, lawful and is committed and secure.

Although certain sections of POPIA are effective from 1 July 2020, Sanlam has been applying these principles already.  During the 12 months to 1 July 2021 (when all parties must fully comply with this legislation), Sanlam will continue to do the following:

  1. Identify gaps – we are actively and carefully looking for potential gaps in our systems, processes and procedures;
  2. Increase Awareness – we are increasing awareness amongst our staff to ensure that they have a clear understanding of the new regulatory requirements;
  3. Implement Improvements – we are actively implementing improvements and closing the gaps identified in our processes and systems. Any changes must be practical and effective; and
  4. Ongoing Review – As technology advances and processes change accordingly, Sanlam will constantly review the business operations to ensure that we remain compliant.

All reasonable steps are taken to ensure that our systems, processes and procedures are secure and protected and we hereby confirm that Sanlam shall:

  • Ensure that all personal information received will be treated as confidential and processed fairly and lawfully;
  • Always have proper controls in place to ensure the security of such information;
  • Use such information only for purposes of enabling Sanlam to perform its duties in terms of the relevant policy and applicable legislation; and
  • Comply with any current or future legislation and regulations regarding the protection of personal information.

Why Sanlam requires personal member information/data

In addition to the Policyholder Protection Rules (PPR’s) that require an insurer to collect and store monthly member data, Sanlam requires personal member information, for the purpose of:

  1. Underwriting a scheme;
  2. Administering and processing insurance claims;
  3. Paying client claims accurately and effectively; and
  4. Implementing digital initiatives focused on improving the client’s experience.

POPIA regulates the flow of information in a secure and responsible manner balanced with other rights and constitutional values. 

The implications if clients don’t provide personal information

The aim of the PPR’s is to enhance customer protection, through requiring insurers to play a more informative and engaging role with their clients and members.  The PPR’s require members to receive clear information about their insurance before, during and after entering into the policy.  The provision of this information to members can be done by Sanlam, or if it is not reasonably practicable for Sanlam to communicate directly with the members of a group scheme, can be facilitated through the policyholder. 

Sanlam is required to provide evidence to the regulator that all reasonable steps have been taken to communicate material insurance matters with members using their contact details.

Without this information, not only is Sanlam’s ability to pay claims compromised, but members are at risk of not understanding their insured benefits (e.g. their rights, benefits and duties as they are affected by the policy).  The provision of member data is thus in the client’s best interest. 

Sanlam’s measures to protect member personal data

Sanlam respects its clients’ privacy and is committed to ensuring that the personal information of its clients and business partners are at all times processed fairly, lawfully and securely. 

All personal information collected and stored by Sanlam is securely managed in accordance with strict information and data governance frameworks.  Sharing of member contact details to any part of Sanlam, or any call centres (e.g. as lead generation for new product sales), would be in conflict with the requirements of the data governance frameworks, and therefore not practiced in Sanlam.

Requirements from intermediaries

The intermediary (together with the insurer, employer or fund), is a key stakeholder in ensuring that the selected financial solution provides fair outcomes to members and their families. 

The role of an intermediary is governed by an agreement which stipulates the services required by the client pertaining to their insured benefits, and a separate intermediary agreement with the insurer.

The Sanlam Intermediary agreement requires compliance with all regulations, including POPIA, and explicitly requires the intermediary to perform the following:

  • Render/perform intermediary services relating to Sanlam products as set out in the intermediary agreement honourably, professionally, with due skill, care and diligence and with due regard to the fair treatment of policyholders;
  • Comply with all obligations imposed on it by law, including but not limited to Codes of Conduct, PPR, the Financial Advisory and Intermediary Services Act and POPIA;
  • Ensure that persons employed or conducting business through the intermediary are familiar with the requirements of all applicable legislation including POPIA;
  • Treat all client information as confidential and not divulge it to third parties;
  • Comply with the legislative provisions relating to the confidentiality, privacy and security of information;
  • Collect and provide complete monthly member data from the policyholder to Sanlam, which will include identity numbers, email addresses and mobile phone numbers for each member; and
  • Provide assurance to policyholders (employers, members, funds) that Sanlam, together with the intermediary, is fully committed to compliance with POPIA.

Sanlam’s expectations from the Policyholder

Policyholders (employers, funds) should inform employees/members that their personal information is collected for legitimate insurance and underwriting purposes.

Warm regards,

Deolinda Delcarme