Win with COVER & Emperor Asset Management


Legislative challenges relating to data and privacy protection measures – A Broad Overview

The insurance industry has, over the past few years, shown a steadfast inclination to move business practices towards greater usage of electronic technology enhancers to improve efficiencies and management, and to ensure cost effectiveness. Needless to say, the use of such electronic enhancers is not without risk and is subject to extensive regulation. This article serves to provide a broad overview of the most important data and privacy protection regulations impacting on the insurance industry, and which need to be taken into consideration when structuring businesses and transactions within the insurance sector.

Currently, a number of Acts provides protective measures when dealing with electronic and data messages, such as the Electronic Communications and Transaction Act, 25 of 2002 (“the ECT Act“); the Insurance Acts, 1998; the Financial Advisory and Intermediary Services Act, 37 of 2002 (“FAIS”); the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 70 of 2002 (“RICPCRI Act”); the Consumer Protection Act, 68 of 2008; and the much anticipated Protection of Personal Information Bill. Though this list is quite a mouthful, and not exhaustive, insurers need to take cognisance of the provisions of these acts to ensure compliance therewith and effectively to discharge its legislative obligations when conducting e-business.

The requirements of writing and safekeeping of documents, and recording of verbal communications are extensively dealt with in both the Insurance Acts and FAIS. Examples of such requirements are the provisions of section 48 of the Insurance Act dealing with the compulsory furnishing of a written policy schedule, or the right of policyholders to request a copy of an insurance policy. Both FAIS and the Policyholder Protection Rules (“PPR”) promulgated in terms of the Insurance Acts, provide for written disclosures to be furnished to policyholders and clients, and that such disclosures must be stored for a specified period. Direct marketers must furthermore, in terms of the PPR, have appropriate systems in place to keep records of written and verbal communications with clients in an appropriate electronic or recorded format, which format must be easily accessible and readily reduced to written or printed form.

In terms of the ECT Act, a requirement in law that a document must be in writing, is met if the document is in the form of a data message and is accessible in a manner usable for subsequent reference. A data message is any data generated, sent, received or stored by electronic means, and includes voice and stored records. Accordingly, if the communications in terms of the Insurance Acts and FAIS are in the form of a data message, the requirement of ‘writing’ for purposes of the Insurance Act and FAIS will be met in accordance with the ECT Act.

Furthermore, where the law requires information to be retained, in terms of the ECT Act, the retention may take place in the form of a data message provided that inter alia the information is available for subsequent use, in the format that it was generated, sent or received, and that the integrity of the data massage is reliably maintained. It is, therefore, in terms of the ECT Act, possible to store policy documents and disclosures by means of data messages, provided that the abovementioned factors are taken into account.

As regards the admissibility and reliability of data messages in legal proceedings, section 15 of the ECT Act provides that data messages are admissible and must be given due evidential weight. A court therefore has no discretion in allowing data messages as evidence, but does retain discretion with regards to the evidential weight of the message with due consideration of the guidelines contained in the ECT Act. The International Organisation for Standardisation has published a guideline paper with internationally accepted recommended practices regarding trustworthiness and reliability of electronically stored documents (ISO 15801), and has recently issued various papers for public comment which pertain to inter alia protection of authenticity of data messages, electronic signatures and data identification.

In several recent cases, it was argued that cell phone recordings, clips and images and computer-generated documents are not the best evidence and therefore should not carry considerable evidential weight. The court, however, recently ruled favourably on the issue of authenticity and admissibility of an audio cell phone clip to be used, in the case of Judge Motata v Nair NO [2008] JOL 22291 (T). In another recent judgment, MTN Service Provider (Pty) Ltd v LA Consortium & Vending CC t/a LA Enterprises & others [2009] JOL 23394 (W),the court ruled on the use of a certificate of authentication, and held that computer-generated invoices were acceptable proof of a transaction. In Jafta v Ezemvelo KZN Wildlife [2008] JOL 22096 (LC), the court held that the acceptance of an offer of employment by means of an sms and email message constituted valid acceptance due to the fact that all common law requirements of acceptance were met. It is apparent that our courts are, in line with international practices, moving towards a more flexible approach when considering the evidential weight of data messages.

Another consideration is the maintenance of privacy of confidential information obtained through electronic means, which presents another challenge. The ECT Act provides that personal information obtained in electronic transactions may only be collected or disclosed with the express written permission of the person concerned. The RICPCRI Act makes it an offence for a person to intercept communications of another person in the course of an occurrence or transmission without the prior written consent of the parties to the communications. The RICPCRI Act also deals extensively with interception and protection of information.

Another interesting piece of legislation is the Protection of Personal Information Bill (“the Bill’), which regulates the lawful processing, collection, recording, updating and retrieval of personal information. In terms of the Bill, personal information may only be processed, inter alia, where the person to whom the information relates has given express consent to such processing of his/her personal information. The Bill’s object is accordingly to protect a person’s right to privacy and will govern instances where “leads” are provided by, for instance, a bank to an insurer, for the possible conclusion of an insurance policy. It is envisaged that such practices will extensively be regulated in terms of the Bill. The second draft of the Consumer Protection Act contained similar provisions, but was omitted from the final draft due to the duplication in regulating the protection of personal information.

The above overview of the most relevant legislation pertaining to privacy and data protection is indicative of the complexity, intricacy and voluminous provisions dealing with the electronic commerce, and should be carefully considered when conducting business by electronic means. Although technology is ever evolving, the law still has quite some catching up to do to ensure that technological enhancers can be effectively utilised within a well-maintained regulatory framework.

Related posts

The role of telematics in insurance


Every business a technology business


The art of partnering & collaboration in insurance technology


After the Shock: Insurance in 2021 and Beyond