Policy on the Protection of Personal Information Act (POPIA)
Approved by the Board on 21 April 2021
Introduction
The right to privacy is enshrined in the South African Constitution, which expressly states that everyone has the right to privacy.
The introduction of Data Protection / Privacy legislation (for example the Protection of Personal Information Act in SA) will affect the way we deal with personal information (PI) as the Old Mutual Staff Medical Aid Fund. Old Mutual Staff Medical Aid Fund (‘the Fund’), like all other public and private organisations, will be legally obliged to protect any personal information we hold for our members, our suppliers and our employees. Adherence to the Principles of Privacy legislation, as detailed in this policy, will ensure compliance.
The POPI Act commenced on 1 July 2020 and organisations need to be compliant by 1 July 2021.
Medical schemes, by the nature of their business, typically process vast amounts of Personal Information.
The Fund, as the Responsible Party, remains responsible for the processing of Personal Information regardless of the Fund having passed that Personal Information to a third party to process the Personal Information on its behalf.
Policy Objective
The objective of this policy is to outline a set of mandatory governing principles of the Fund, when processing personal Information.
Policy Application
The provisions of this policy shall apply to the Fund, its employees and all third party service providers processing Personal Information on behalf of the Fund.
Definitions
“Constitution” means the Constitution of the Republic of South Africa, 1996;
“Member” means a registered beneficiary of a medical scheme;
“Operator” means a person who processes Personal Information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party;
“PAIA” means the Promotion of Access to Information Act No. 2 of 2000;
“POPIA” means the Protection of Personal Information Act No. 4 of 2013;
“Personal Information” means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to:
a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
b) information relating to the education or the medical, financial, criminal or employment history of the person;
c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
d) the biometric information of the person;
e) the personal opinions, views or preferences of the person;
f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
g) the views or opinions of another individual about the person; and
h) the name of the person if it appears with other Personal Information relating to the person or if the disclosure of the name itself would reveal information about the person;
“Process” means any operational activity concerning Personal Information including the collection, organisation, storage, modification, communication and destruction of information;
“Record” means any recorded information in whatever form in possession or under the control of the responsible party;
“Regulator” means the Information Regulator established under POPIA;
“Responsible Party” means the Fund who determines the purpose of and means of processing Personal Information;
Fund Responsibilities
The Fund, and any individual or third party service provider carrying out functions on the Fund’s behalf, including but not limited to the processing of Personal Information, have a legal obligation to safeguard Personal Information and to process Personal Information in accordance with POPIA. To fulfil this responsibility the Fund will disseminate this policy to all relevant parties and also take the following actions:
• Ensure that this policy is implemented;
• Ensure that the following provisions are contained in written agreements with all applicable third party providers / Operators to the Fund:
– Confidentiality clauses
– Requirements for the processing of Personal Information
– Information security requirements;
• Ensure that third parties have adequate security measures in place to safeguard the integrity and confidentiality of Personal Information against unauthorised access, loss, damage or destruction;
• Ensure members are aware of the reasons why Personal Information about them is collected and held, and the purpose for which their Personal Information may be used; and
• Ensure that members have access to their Personal Information held by the Fund;
Conditions for Lawful Processing of Personal Information
Personal Information should be considered as belonging to the individual to whom it relates.
The conditions governing the lawful processing of Personal Information are as follows:
Condition 1: Accountability – Responsible Party to give effect to the conditions
“The responsible party must ensure that the conditions set out in this Chapter, and all the measures that give effect to such conditions, are complied with at the time of the determination of the purpose and means of the processing and during the processing itself.”
The Fund, as the Responsible Party, who alone or in conjunction with others, determines the purpose and the means of processing Personal Information, must ensure that all conditions listed herein and all the measures that give effect to the conditions are complied with.
The Fund, as the Responsible Party, remains responsible for the processing of Personal Information regardless of it having passed that Personal Information to a third party to process the Personal Information.
To enable the Fund to exercise the control over Personal Information the Fund will establish and maintain the following control measures:
• Identify Personal Information being processed, and
• Identify and appoint a person as Information Officer, whose responsibilities will include the following:
– Encourage the Fund to comply with the conditions for lawful processing of Personal Information;
– Deal with requests made to the Fund in terms of POPIA;
– Work with the Regulator in relation to investigations under POPIA; and
– Otherwise ensure compliance by the Fund with POPIA.
• The roles and responsibilities of the following are outlined in Annexure A:
– Responsible party
– Operator
– Privacy Officer
– Privacy Champions
Condition 2: Processing limitation
Lawfulness of processing
“Personal Information must be processed –
(a) lawfully; and
(b) in a reasonable manner that does not infringe the privacy of the data subject.”
The Fund will act lawfully in its collecting and processing of Personal Information.
The Fund will act reasonably in its collecting and processing of Personal Information and take into account the interests and reasonable expectations of members and other relevant stakeholders about whom we hold personal information.
Minimality
“Personal Information may only be processed, if given the purpose for which it is processed, it is adequate, relevant and not excessive.”
The Fund will ensure that all processing is adequate, relevant and not excessive and will not do more with the Personal Information than what is required to achieve the purpose of processing. The Fund will ensure that only Personal Information, which is relevant to the purpose for which it is being collected, is collected.
Consent, Justification and Objection
The Fund will process Personal Information of Members only if one of the following grounds for processing exists:
• the Member has provided voluntary, specific and informed consent to the processing of Personal Information relating to him or her;
• the processing is necessary to carry out actions for the conclusion or performance of a contract to which the Member is a party;
• the processing complies with an obligation imposed by law on the Fund;
• processing protects a legitimate interest of the Member;
• processing is necessary for pursuing the legitimate interests of the Fund or of a third Party to whom the Personal Information is supplied.
The Fund acknowledges the right of a Member to object, at any time, on reasonable grounds to the processing of Personal Information, unless legislation provides for such processing by the Fund. If the Member has objected, the Fund will immediately cease processing the Personal Information of that Member.
Collection directly from Member
The Fund collects Personal Information directly from the Member and with the consent of the Member from other sources, like healthcare providers.
Controls for Condition 2:
• Application forms / Fund rules with privacy clause detailing use of Personal Information and express consent;
• Privacy clauses in operator and third party agreements;
• Record-keeping of consent;
• Process for objections to processing.
Condition 3: Purpose specification
Collection for a Specific Purpose
The Fund collects Personal Information for a specific, explicitly defined and lawful purpose that relates to the activity of the Fund.
Member Aware of the Purpose and Collection of Information
The Fund informs Members before the collection and processing of Personal Information of the purpose thereof.
Retention of records
The Fund does not retain records of Personal Information for any longer than is necessary for achieving the purpose for which the Personal Information was collected or processed, taking into consideration any legal obligation to keep records for a set period in accordance with any other relevant legislation.
Controls for Condition 3:
• Application forms / Fund rules detailing processing purpose and retention period;
• Retention guidelines and process.
Condition 4: Further processing limitation
The Fund only processes Personal Information further where the further processing is compatible with the purpose for which it was initially collected.
Controls for Condition 4:
• Implementing processes for the identification of, notification of and objection to further processing.
• Checking compatibility of purpose of further processing with original purpose
Condition 5: Information quality
The Fund takes reasonably practicable steps to ensure that collected and processed Personal Information is complete, accurate, not misleading and, where necessary, updated. This is done taking into account the purpose for collecting and processing such Personal Information.
Controls for Condition 5:
• Proactive data quality validation procedures for personal information;
• Privacy clauses in operator or third party agreements.
Condition 6: Openness
Notification to Regulator and to Member
The Fund will compile a manual in terms of PAIA, make it available on the Fund’s website and provide a copy to the South African Human Rights Commission.
The Fund will ensure the Member is aware of the following before the Personal Information is collected from the Member:
• that Personal Information is being collected;
• the identity of the Fund;
• the purpose for the collection of the Personal Information;
• whether or not the supply of the Personal Information by the Member is voluntary or mandatory;
• the consequences of failure to provide the information;
• any particular law authorising or requiring the collection of the Personal Information;
• where applicable, the fact that the Fund intends to transfer the Personal Information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation;
• any further information such as
– the recipients of information;
– the existence of the right to access to and the right to rectify the Personal Information;
– the existence of the right to object to the processing of Personal Information on certain grounds;
– the right to lodge a complaint to the Information Regulator and the contact details of the Information Regulator.
Controls for Condition 6:
• Publication of PAIA manual
• Application forms / Fund Rules containing the abovementioned disclosures
• Privacy policy on the Fund’s website
Condition 7: Security safeguards
Security measures on integrity and confidentiality of Personal Information
The Fund will ensure that Personal Information of a Member in its possession or under its control is appropriately safeguarded against loss, damage, destruction or unlawful access by taking appropriate, reasonable technical and organisational measures.
Information processed by a third party or operator or person acting under authority of a responsible party
The Fund will ensure that any third party or operator processing Personal Information for the Fund must do so only with the written authorisation of the Fund and must treat the Personal Information as confidential.
The Fund will ensure that any third party or operator processing Personal Information on its behalf establishes security safeguards and that these measures are maintained. The Fund will also ensure that the third party or operator immediately notifies the Fund where there are reasonable grounds to believe that the Personal Information of the Member(s) has been accessed or acquired by an unauthorised person.
The processing of Personal Information and the security safeguards required by the Fund will be governed by written agreements with third parties or operators.
Notification of security compromises
The Fund will, in instances where there are reasonable grounds to believe that Personal Information has been accessed or acquired by an unauthorised person, notify the Information Regulator and the affected Member(s) as soon as reasonably possible after discovery of the compromise (unless the identity of the Members cannot be established).
Controls for Condition 7:
• Identity and access management processes
• Encryption of sensitive personal information transfers
• Secure disposal of information
• Training of employees on security policies and procedures
Condition 8: Member participation
Access to Personal Information
The Fund acknowledges the Member’s right to request the Fund to confirm, free of charge, whether the Fund holds Personal Information about the Member.
The Fund further acknowledges the member’s right to request the Fund, at a fee that is not excessive, to provide him or her with a description of the Personal Information held by it or by an operator or third party within a reasonable time. This description will be in a reasonable manner and format and in a form that is generally understandable. The Fund will also inform the Member of his/her right to ask for the correction of his/her Personal Information.
Correction of Personal Information
The Fund acknowledges the right of a Member to request a correction or deletion of Personal Information.
In cases where changes have been made which may impact on decisions taken using Personal Information, the Fund will advise any third party to whom the information may have been disclosed.
Controls for Condition 8:
• Process for access requests / changes
This policy on the protection of personal information was approved by the
Board of Trustees at the Board of Trustees meeting held on the 21 April 2021.