POPI and your medical aid company
The Protection of Personal Information Act has been a long time coming. With the appointment of the Information Regulator in October, companies across South Africa are now seriously looking at their data security systems and seeing how they can improve them.
The Protection of Personal Information (POPI) Act was signed in November 2013 but was on the back burner until October last year. In order for the Act to move forward, an Information Regulator had to be appointed.
The Information Regulator's role is similar to that of the Public Protector. The Regulator protects data that may be subject to harm and ensures that personal information is protected by responsible parties. Its role is to hold responsible parties accountable for not complying with POPI.
Now all we are waiting for is for the president to give the official commencement date and we are all set. This should all happen no later than 24 May 2017. There is usually a one-year grace period after the date is announced, so it is anticipated that companies will have to comply with POPI from early 2018.
What is POPI?
The POPI Act is designed to ensure that all South African institutions, including medical schemes, conduct themselves in a responsible manner when collecting, processing, storing and sharing a person’s personal information. Institutions that abuse or compromise a citizen’s personal information in any way will be held accountable according to the laws put in place.
What is considered personal information?
Personal information is any information that identifies a person, such as name, date of birth, identity number, address or gender, just to name a few.
Why should I care about POPI?
Personal information needs to be protected in order to protect people from harm. People can be discriminated against, become the target of persistent and unwanted marketing, or lose access to credit if someone untoward has inappropriate access to their information. These are just a few of the devastating impacts of not protecting personal information. When this information is safeguarded, the likelihood of any of this happening is slim.
Now just imagine the sort of information your medical scheme has. Cape Medical Plan knows a lot about you and your health, the doctors you’ve seen and the medication you’ve needed. This is all very sensitive information that you trust us to keep safe, which we do, but the guidelines offered by POPI will further ensure that your information remains safe.
The nitty gritty
The Act contains eight conditions for processing personal information. All eight of these have a bearing on the way in which medical schemes collect, store and disseminate information to members.
- Accountability – the medical scheme needs to ensure that it fully complies with the conditions set out by the POPI Act;
- Processing limitation – while there are special limitations that apply to collecting health information, especially from children, this condition essentially requires that information must be acquired lawfully and in a way that does not infringe on the privacy of the person. Only the minimal necessary information should be collected and processed;
- Specific purpose – the information collected must be for a specific purpose. Steps must be taken to ensure that the subject is aware of the purpose. Personal information must not be kept for longer than necessary;
- Further processing limitation – if the information is going to be used in a different way, the original purpose still needs to be its end point;
- Information quality – steps must be taken to ensure that the collected information is complete, accurate, up to date and not misleading;
- Openness – medical schemes must maintain the information and make the member aware that personal information is being collected and why it is being collected;
- Security safeguards – the integrity and confidentiality of the personal information needs to be secured by the medical scheme, which needs to take appropriate measures to prevent loss, unlawful access and unauthorised destruction of this information. Medical schemes also need to perform risk assessments relating to the security of this data and implement safeguards against these risks;
- Data subject participation – the subject, in this case, the medical scheme member, must have access to the information and the ability to correct the information or request deletions of inaccurate or irrelevant information. Members can also ask to whom the information has been disclosed.
We realise that POPI can seem complicated, but at the end of the day, it is here to serve you, the consumer.
At Cape Medical Plan, the protection of your information is vital, and we can assure you that we are doing everything possible to ensure your personal information is used appropriately and is in no way abused.
For example, we will be implementing some important changes to the way claims statements are handled, in particular the information sent to a principal member about a beneficiary on the Scheme. We will inform you as these new requirements unfold.
Additionally, we have security measures in place that protect your information, and we adhere to the retention periods for documentation that are recommended by the Act.
With us, you are safe. We will keep you updated as we progress with our protection measures, and we will keep you informed about POPI every step of the way. If you have any questions about the integrity of your information, please let us know.
Cape Medical Plan