Personal information provided for one purpose, such as obtaining insurance, is often shared within the insurance world for other data-gathering purposes. This typically requires specific consent, if those collecting the information are not to find themselves in breach of POPIA from 1 July 2021.
When the Protection of Personal Information Act (POPIA) comes into full force on 1 July this year, a range of previously uncontemplated obligations may open up for everyone in the insurance-sharing network.
Information is the foundation of every aspect of insurance, from personal and commercial policies to medical aid, incentivisation and risk mapping.
For example, companies that provide vehicle tracking systems supply their clients’ details and the data collected to insurers. Doctors provide details of patients’ medical conditions to medical aid companies to settle claims or to the insurers for the purpose of assessing the risks to be insured. Companies may have to provide details of their contracts to obtain proper cover. Contractors applying for insurance on their sites need to provide their insurers with the security or health and safety arrangements of the companies on whose premises they are operating. Often, the information shared is confidential and sometimes it may be information that belongs to a third party.
Generally, these disclosures work in the interests of the patient, client or insured party. They enable individuals to benefit from no-claims bonuses or age-related premiums. However, this information can also be contrary to their interests, for example in risk-weighting monthly premiums. Sometimes this disclosure is in the interest of the third parties, e.g. the contractors and their insurance companies, but not in the interests of the data subject.
The information obtained enables the insurer or medical scheme to assess the risk that it is being asked to insure. This is done at the start of the insurer / insured / medical aid / person / beneficiary relationship or when the cover is renewed. The information is used for that purpose but, once it has been obtained and held, it could be shared for other purposes, for example when claims are made. That means that information personal to the data subject is being used for a purpose that is neither known nor intended by the data subject, and it involves information relating to or involving third parties who have no idea that their information is being shared.
In the example of a tracking company, there will be an agreement between the driver and the tracking company, and separately between the driver and his/her insurance company. But the driver has not agreed to that information being shared with other insurance companies, or being used for other purposes. The driver may be astonished to find six months later that the tracking information was used to reject a claim on the basis that he or she had a record of reckless driving.
In most cases, there must be consent not only to the collection of the information, but to the purpose for which it was collected. In many real-life examples, no consent for this purpose has been given.
Insurers normally provide for blanket clauses allowing the company to collect and share the policyholder’s personal information. Under POPIA, that blanket clause is no longer enough, because the policyholder does not know what information is being collected and for what further purposes it will be used.
Insurers should consider obtaining legal advice in drafting appropriate consent forms for processing third party information for underwriting purposes, or to assess a claim. They should be aware of the processes they need to follow to avoid breaches of POPIA, and should consider carefully all the other parties in the network of information sharing, from underwriting to claims processing, and how they should be putting steps in place to comply with POPIA.
The penalties for not complying with POPIA include a 10-year prison sentence. While this may seem a remote possibility, a more real consequence could be claims for damages, or severe reputational damage.
It may also be that the duty of protecting this personal information - and liability under POPIA - extends throughout the chain, from the individual or client to the service provider and through to the insurance companies. An insurance company that accepts an insured’s personal information without having the required consent in place would also be in breach of POPIA.
Currently, many insurance companies are reviewing their policy terms and conditions as a result of the unexpected claims that arose from the pandemic. At the same time, they should be considering those terms with POPIA in mind.