POPIA and consent red flags for insurance companies

By: Peter Grealy, Lisa Swaine, Karl Blom and Maria Philippides from Webber Wentzel

The terms and conditions of insurance policies are currently going through a major overhaul after the unexpected events of the Covid-19 pandemic highlighted new areas of risk for insurers.

While they are reviewing their terms and conditions, insurers need to be aware of another urgent issue that needs to be addressed: obtaining the necessary consents for sharing their clients' information with third parties. This is likely to extend well beyond typical consent clauses, because in the world of insurance there is usually a necessary chain of information sharing.

The Protection of Personal Information Act (POPIA) came into effect on 1 July 2020, with a 12-month grace period in which to comply. It applies to any entity that processes information, including collecting, receiving, storing and processing it. The Act places different obligations on responsible parties and operators to store information and protect it from misuse.

In the context of insurance, personal information is frequently collected, passed on to third parties, shared and used for various purposes. The risk of this sharing being in breach of the Act is high if the proper consent of the data subject was not obtained and/or the data subject was not duly informed that this sharing has taken place.

For example, companies that provide vehicle tracking systems supply their clients' details and the data collected to insurers. Doctors provide details of patients' medical conditions to medical aid companies to settle claims, or to insurers for the purpose of assessing the risks to be insured. Companies may have to provide their insurers with details of their contracts to obtain proper cover. Contractors applying for insurance on their sites need to provide the insurers with the security or health and safety arrangements of the companies on whose premises they are operating. Often, the information shared is confidential, and sometimes it may be information that belongs to a third party.

The information obtained enables the insurer or medical scheme to assess the risk that it is being asked to insure. This is done at the start of the relationship between the insurer, the insured, the medical aid, the person and the beneficiary, or when the cover is renewed. The information is used for that purpose but, once it has been obtained and held, it could be shared for other purposes, for example when claims are made. That means that information personal to the data subject is being used for a purpose that is neither known nor intended by the subject, and it involves information relating to third parties who have no idea that their information is being shared.

In the example of a tracking company, there will be an agreement between the driver and the tracking company, and between the driver and his/her insurance company. But the driver has not agreed to that information being shared with other insurance companies or being used for other purposes. The driver may be astonished to find six months later that the tracking information was used to reject a claim on the basis that he or she had a record of reckless driving.

In most cases, there must be consent not only to the collection of the information, but also to the purpose for which it was collected. In many real-life examples, no consent to purpose has been given.

Insurers normally provide for blanket clauses allowing the company to collect and share the policyholder's personal information. Under POPIA, such a blanket clause is no longer sufficient, because the policyholder does not know what information is being consented to and what further purposes it will be used for.

An insurance company cannot assume it is entitled to share that information. Many insurers and healthcare providers assume they are entitled to share their clients' personal information and use it for various purposes. They also never inform the data subject of the right to withdraw consent to the processing of that information.

Insurers should consider obtaining legal advice in drafting appropriate consent forms for processing third party information for underwriting purposes or to assess a claim. They should be aware of the processes they need to follow to avoid breaches of POPIA. They also need to consider carefully all the other parties in the network of information sharing, from underwriting to claims processing, and how they should be putting steps in place to comply with POPIA.

The penalties for not complying with POPIA include a 10-year prison sentence. While this may seem a remote possibility, a more real consequence of the publicity around a data breach could be claims for damages, or severe reputational damage. If clients no longer trust their insurance company, they could withdraw their business on a large scale, with devastating consequences for the company involved.
