Tel: 011 845 8000

Reef Insurance Brokers Pty Ltd

Privacy Policy in terms of the Protection of Personal Information (POPI) Act

Introduction

The purpose of this policy is to confirm our commitment to complying with the provisions of the Protection of Personal Information (POPI) Act, to facilitate compliance with the regulatory requirements, and to provide assurance to our clients that their personal information collected by Reef Insurance Brokers (Pty) Ltd in the performance of our contractual obligations will be protected.

Reef Insurance Brokers (Pty) Ltd is an authorised financial services provider rendering financial services to natural persons as well as legal entities (our clients). The rendering of these services is in accordance with a contractual relationship with our clients which governs the scope and nature of the services to be rendered.


Application of the POPI Act

Reef Insurance Brokers (Pty) Ltd is in possession of personal information relating to our employees, clients and suppliers. Personal information includes any information in relation to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person. Such persons are referred to as data subjects.

The POPI Act applies to the collection and processing of personal information.

POPI does not apply to personal information that has been de-identified or where the person is deceased.


Information Officer / Deputy Information Officer

The FSP has appointed Andrew Lamprecht the Information Officer and Nicole Botha the Deputy Information Officer to fulfil the responsibilities. The appointment of the Information Officer / Deputy Officer will be reviewed annually. The Information Officer alongside the Deputy Information Officer will be responsible for the following:

Developing, publishing and maintaining a POPI Act Policy which addresses all relevant provisions of the POPI Act, including but not limited to the following:

Reviewing the POPI Act and periodic updates as published

Ensuring that POPI Act induction training takes place for all staff

Ensuring that periodic communication awareness on POPI Act responsibilities takes place

Ensuring that Privacy Notices for internal and external purposes are developed and published

Handling data subject access requests

Approving unusual or controversial disclosures of personal data

Approving contracts with Data Operators

Ensuring that appropriate policies and controls are in place for ensuring the Information Quality of personal information

Ensuring that appropriate Security Safeguards in line with the POPI Act for personal information are in place

Handling all aspects of the relationship with the Regulator as foreseen in the POPI Act

Providing direction to any Deputy Information Officer if and when appointed.


Processing of Personal Information

Reef Insurance Brokers (Pty) Ltd is required to collect and process personal information in order to fulfil its contractual obligations. Such information relates to both natural persons as well as juristic entities. Reef Insurance Brokers (Pty) Ltd undertakes to ensure that personal information that is collected is required for a specific, explicitly defined and lawful purpose. Further to this, the personal information collected must not be excessive, in other words, we must not collect more information than is required to fulfil our obligations. The personal information collected must be adequate and relevant.

Specific purpose – only personal information that is required for a specific purpose will be collected for processing and Reef Insurance Brokers (Pty) Ltd will ensure that it is able to describe the specific purpose for which the personal information has been collected. No personal information that is not specifically required for the performance of our contractual and lawful obligations will be collected.

Explicitly defined – the explicit purpose for which the information is collected will be recorded and not simply be implied.

Lawful purpose – the collection and processing of personal information must be reasonable as well as lawful. It is lawful for Reef Insurance Brokers (Pty) Ltd to collect and process personal information where it is required in order to fulfil our contractual or lawful obligations or where the data subject has consented to the collection and processing of the personal information or to protect the legitimate interests of the data subject. It is furthermore lawful to process a data subject’s personal information where in law we have an obligation to do so.

Reef Insurance Brokers (Pty) Ltd keeps records of all processing activities which includes the personal information of data subjects.


Further Processing of Personal Information

Where Reef Insurance Brokers (Pty) Ltd has personal information about a data subject which we may want or need to use for a new or unforeseen purpose that is different to the specific purpose for which it was originally collected, Reef Insurance Brokers (Pty) Ltd is required to ensure that the further processing of that information is lawful by ensuring that the processing is compatible or in accordance with the purpose for which it was collected. The following should be considered when determining whether further processing of the personal information is permitted –

The relationship between the “new” processing activity and the original activity (if closely related the further processing would be lawful);

The nature of the personal information;

The consequences of the new processing activity;

The way in which the personal information was collected;

The contractual rights and obligations between the data subject and the FSP.

Further processing will automatically be lawful under the following circumstances –

where the data subject has consented to the further processing;

the personal information is available as a public record;

the processing is used for historical, statistical or research purposes and the results will not be published in identifiable form;

the processing is aimed at preventing or mitigating a serious threat to public health or safety or the life or health of the data subject or another individual.

The further processing of information must be discussed with the Information Officer to ensure that the further processing of such information is lawful.


Duty to Notify

In the interests of promoting transparency, we are required to ensure that data subjects are notified of the collection of their personal information, including the purpose for the collection, before the information is collected or, where this is not possible, as soon as reasonably practicable thereafter.

Where we have complied with the notification requirement once, we do not need to do so again if the same or similar personal information is collected and the purpose for the collection has remained the same.

The notification to data subjects must include the following details:

A list of the personal information that is being collected;

Where the personal information is not collected directly from the data subject, where the personal information was obtained;

The name and address of the responsible party;

Whether supplying the personal information is mandatory or voluntary;

The consequences of failing to provide the personal information;

Any law that authorises the collection of the personal information;

Whether the personal information will be transferred to another country or international organisation and their privacy protection measures;

Any other information including -

The recipient or category of recipient of the personal information;

The nature of the personal information;

The data subject’s rights to access and rectify the personal information or to object to the processing; and

The data subject’s right to lodge a complaint with the Information Regulator.

The duty to notify a data subject of the collection of personal information is not necessary where the data subject has consented to the collection of the personal information or where the personal information is de-identified or used for historical, statistical or research purposes.


Sharing of Personal Information

Personal information relating to data subjects that is collected and processed by Reef Insurance Brokers (Pty) Ltd will never be sold to a third party.

Reef Insurance Brokers (Pty) Ltd does not make use of operators for the purpose of processing information. Personal information will therefore not be provided to operators. In the event that Reef Insurance Brokers (Pty) Ltd makes use of an operator in the future, such operator will be required to comply with the provisions of POPI and data subjects will be advised accordingly.

Personal information will, where relevant to the contractual and lawful obligations of Reef Insurance Brokers (Pty) Ltd, be shared with third parties such as, but not limited to, insurers and public bodies such as the South African Revenue Services and the Financial Intelligence Centre.


Data Quality

Reef Insurance Brokers (Pty) Ltd is reliant on data subjects to provide the personal information that is processed.

Reef Insurance Brokers (Pty) Ltd will take reasonable steps to ensure the completeness and accuracy of the personal information collected and processed. Data subjects will be required to provide updated personal information to ensure that the personal information processed by Reef Insurance Brokers (Pty) Ltd is not misleading or inaccurate.

Reef Insurance Brokers (Pty) Ltd is aware that data subjects may access their personal information held by ourselves to assess the correctness of such personal information.


Securing Personal Information

Reef Insurance Brokers (Pty) Ltd has the necessary security safeguards in place to ensure the integrity and confidentiality of personal information in its possession.

Risk management procedures and protocols extend to protect personal information from loss, damage, unauthorised destruction, unlawful access and unlawful processing. Risk mitigation measures are reviewed annually.


Retention, Restriction and Destruction of Personal Information

Retention

In the event that there has been unauthorised access to personal information of any data subjects held by Reef Insurance Brokers (Pty) Ltd, the Information Officer will be responsible for notifying the Information Regulator and the affected data subjects as soon as reasonably possible. Notification must be made in writing and must conform to the notification requirements contained in section 22 of the POPI Act.

Reef Insurance Brokers (Pty) Ltd will not retain personal information for longer than is necessary to achieve the purpose for which the information was collected. This, however, is subject to retention periods that are prescribed in terms of other laws such as labour laws, the Companies Act, financial services laws contained in legislation such as the FAIS and FIC Acts, as well as any other legislation that prescribes retention periods.

Retention is also possible where Reef Insurance Brokers (Pty) Ltd has obtained the consent of the data subject or where the information is required for historical and statistical purposes.

Restriction

Reef Insurance Brokers (Pty) Ltd acknowledges that in the event that a data subject contests the accuracy of personal information held by ourselves, the processing of such information is limited to use with the consent of the data subject or for the protection of the rights of another natural or juristic person or where the processing is in the public interest.

Destruction

Personal information that no longer needs to be retained for any justifiable reason must be destroyed.

Personal information is regarded as destroyed if it cannot be reconstructed in an intelligible form. De-identification is an alternative to the deletion of personal information and requires that information that identifies the data subject or can be used or manipulated to identify the data subject or can be linked to other information that could identify the data subject is destroyed.

Reef Insurance Brokers (Pty) Ltd will ensure that personal information, either in hard copy or electronic form, which Reef Insurance Brokers (Pty) Ltd is no longer required to retain will be destroyed completely, either by shredding hard copy documentation or by destroying it in a manner that ensures that identification of the data subject is not possible.

Transfer of Personal Information Across Borders

POPI applies to the processing of information within South Africa.

Transfer of Personal Information out of South Africa

Where personal information is transferred out of South Africa, the personal information must be protected. The transfer of information out of South Africa may therefore only take place where the data subject has consented to the transfer or the third party to whom the personal information is transferred is subject to binding corporate rules or a binding agreement that upholds the principles contained in POPI. The transfer of the personal information must be necessary for the performance of a contract between the data subject and the responsible party.

Transfer of Personal Information from other Countries

When personal information received from other countries is processed in South Africa, the requirements of POPI apply.

Reef Insurance Brokers (Pty) Ltd will ensure that appropriate protection measures are in place when personal information is either transferred out of South Africa or received from other countries.

Exemptions to the Collection and Processing of Personal Information

Several exemptions are contained in POPI depending on the nature of the personal information that is collected. Reef Insurance Brokers (Pty) Ltd will always strive to comply with the provisions of the POPI Act and to protect the privacy of the data subjects whose personal information is collected, processed and retained by Reef Insurance Brokers (Pty) Ltd. This includes due consideration for the exemptions contained in the legislation.
