South African businesses are set to face even more legislation with the introduction of the Protection of Personal Information Bill (PoPI). The Bill has taken current restrictions to a whole new level, since it even restricts the way in which you may go about collecting and analysing your own client data.
This is according to John Stebbing, General Liability Underwriting manager at Camargue Underwriting Managers, partner company with Lireas, the strategic investment company of the Hannover Re Group Africa, who says, “PoPi is about to become law in South Africa. It comes with numerous requirements, which I believe will have an impact on businesses throughout the country.”

He explains that with the introduction of PoPi, personal information may only be processed in accordance with the following criteria:
* If the processing has been consented to by the data subject. The company must identify to the data subject all third parties who have access to the personal information;
* If the data subject is aware of the purpose for which the data is being collected;
* If it has been collected directly from the data subject; and
* If it was collected for a specific, explicitly defined purpose and the data subject is informed of the purpose of the collection. Once the company has achieved that defined purpose, the data must be deleted or disposed of in a secure manner. Until the data is deleted, the company must ensure that the personal information is not misleading, incomplete or out of date.

Stebbing says, “Although there are exceptions to the restrictions above, they give an indication of what businesses can typically expect. In terms of PoPi there are three ways in which a business could find itself in trouble. Firstly there is civil liability. This means that people could sue the company for the harm they have suffered as a result of the company not obeying PoPi.

“Secondly, in terms of criminal liability, PoPi provides for fines and imprisonment of up to 10 years. Lastly, the law also allows for administrative penalties which the company would need to pay to the Information Regulator.”

He says there are certain types of personal information which receive special attention in terms of PoPi. These include trade union membership, philosophical beliefs, political persuasion and criminal behaviour.

Stebbing clarifies that although these restrictions apply to brokers, they also apply equally to almost every other business that operates under South African law.

Many business people will be dismayed at the prospect of facing even more legislation, and it may seem as if there is an ever-increasing number of ways in which a business could be tripped up and inevitably face some form of financial punishment. The irony is that these challenges actually create new opportunities.

He elaborates, “Many of the risks that businesses face in terms of PoPi can be covered by a cyber-risks policy. These policies have been created to cover the risks that arise out of operating computers. With cybercrimes on the increase globally and in South Africa, it is becoming increasingly important to have a cyber-risks policy in place.

“Cyber-risks policies cover risks such as the wrongful disclosure of personal information to unauthorised parties. A mistake like this happens all too easily by simply sending an e-mail attachment to the wrong person.

“Then there is the ever-growing threat posed by the dark world of hacking. Even though it might not be at fault, the business could be held liable for failing to secure its data. Fortunately, this too can be covered by a cyber-risks policy.”

He concludes, “Although a cyber-risks policy doesn’t cover all the risks that are spawned by legislation such as PoPi, it has been designed to mitigate many of those risks. If one considers the pace at which society is changing, a cyber-risks policy may soon become as common as a general liability policy.”