What is POPIA and how will it impact you
The Protection of Personal Information Act 4 of 2013 (POPIA) came into force on 1 July 2020, with a 12-month grace period giving organisations until 1 July 2021 to become fully compliant. The information below explains what you need to know about POPIA as a member of Anglo Medical Scheme and assures you that we take this law and your constitutional right to privacy very seriously.
To whom does it apply?
All South African citizens and any public or private body who collects, records or processes personal information.
What does POPIA mean for the Scheme?
Any company that processes the personal information of clients, members, suppliers and/or staff, is required to comply with POPIA. As a medical scheme we have always treated our members' personal data with the greatest care and protected it with the strictest security measures. Most of the POPIA requirements have been in place for a long time.
What constitutes personal information?
This is information that identifies you as a person. It would include information such as your:
- Name, address, email address and phone number
- Identity number, code or symbol
- Photograph, CCTV footage, video clip
- Banking and financial information
A special category of sensitive personal information is classified as special personal information, much of which is collected and processed by Anglo Medical Scheme, and requires additional security measures to ensure our members' privacy. It includes:
- Information concerning a child under the age of 18
- Race, nationality, ethnicity, origin, colour, religious or political beliefs or associations
- Sexual orientation
- Blood type or any other biometric information
- Medical history and records
- All health data unless de-identified and anonymised
Our focus is to protect your personal information to protect you from harm
How could you be harmed if your personal information was compromised?
- Your identity information could be abused to steal your identity.
- Your financial information could be abused to commit fraud.
- Your personal information could be exposed by revealing private information publicly.
- You could receive unwanted communication, such as marketing telephone calls or emails.
- You could suffer from discrimination if your medical information was sent to the wrong person.
The eight data processing principles of POPIA
POPIA serves as a watchful protector over public and private organisations to which you have supplied, or may supply, your personal information. It protects your right to privacy under the following eight principles:
1. Accountability
An organisation is responsible for the personal information in its possession and needs to comply with conditions for processing information. Julia le Roux, the Scheme's Principal Officer, has been appointed as Anglo Medical Scheme's Information Officer.
2. Processing limitation
We are required to process your personal information in a lawful and transparent manner. This means that processing may not be excessive, requires your consent and that consent needs to be collected directly from you.
3. Purpose specification
Your personal information has to be collected for a specific and defined purpose. We need to inform you of the purpose at the beginning of a business relationship. Also, we must not keep records longer than necessary for achieving the purpose.
4. Further processing limitation
Anglo Medical Scheme and our service providers (such as our administrator Discovery Health) may only use your personal information for the purposes that were specified at the time you provided consent to the processing of information. Should we need to use your personal information for any other purpose or disclose it to any other recipients, you need to provide further consent.
5. Information quality
Anglo Medical Scheme and our administrator Discovery Health have the responsibility to maintain the quality of the personal information that we process by ensuring that all personal information we keep is reliable and up to date. You as our member have the responsibility to inform us when your personal information changes.
6. Openness
In order for processing to be fair, you need to be aware of the personal information held about you by us - as well as the source of the information, if it was not collected from you. You need to be made aware of the reason why your information is collected. We also need to maintain documents of all processing operations while meeting the legal requirements of the Promotion of Access to Information Act 2 of 2000.
7. Security safeguards
Anglo Medical Scheme and our service providers (such as our administrator Discovery Health) must not keep your information longer than necessary and, when it is no longer required, it must be disposed of promptly and professionally. Information security measures must be in place to keep your information safe. We are also required to report any breach of personal information to both the regulator and to you.
8. Your participation
You have the right to view your information. If you ask in writing and show proof of your identity, you may have your information corrected or destroyed.
Our measures to protect your personal information
You will be familiar with many of the measures necessary to be compliant with POPIA, as they have been in place for a while, for example:
- When we moved to our administrator Discovery Health, we requested you to confirm and update your personal information.
- We regularly remind you in our newsletters and member correspondence to update your personal details and to let us know when they change.
- Only members can log into the logged-in area of the Scheme website.
- You can only log in to the member log-in area with your previously verified log-in details.
- Your dependants need to create their own log-in profile and certain information about adult dependants is only accessible to the relevant dependant. More information further below.
- Our members' personal details are kept separate from other schemes or business units by our administrator Discovery Health and extensive IT security measures are in place to protect your data.
- Our call centre asks you to verify your personal information when you call in; voice recognition recognises your voice to ensure nobody can pretend to be you.
Further measures include:
- Training and awareness campaigns were done for staff dealing with personal information.
- We are encrypting our emails to you and have provided you with a secure inbox on our website for documents containing personal information.
- We sometimes send you emails containing personal information in PDF attachments. For these emails, we will add an additional layer of security by means of encryption. This means that you will need a password (either your identity number or date of birth) to open and view the document. The encryption remains in place even if you forward the document to someone else, like your financial adviser or broker.
- We have engaged with healthcare practitioners and all our third parties that we share personal information with to get assurances that they are compliant with POPIA.
How we separate your and your beneficiaries' information:
- We require separate contact details for all dependants over the age of 18 in order to communicate with them independently. The Scheme is not allowed to communicate certain information pertaining to a dependant via the main member.
- With regard to claims, the main member may have access to all the claims on the membership, but the spouse and/or dependant can only view their own personal claim information.
- In the case of medical savings account balances, only the main member has access to this information, not the spouse or adult dependant. The spouse is, however, able to obtain this balance, should the main member provide permission for them to do so.
- With regard to chronic medications, the main member will only have access to his/her own chronic cover information and that of any children under 18 years of age who are beneficiaries on the membership.
- Dependants over the age of 18 will have to register separately for their chronic benefits - the main member may not register on their behalf. In addition:
- The main member is entitled to know which other beneficiaries on the membership have chronic cover, but they will not have access to the actual chronic cover information of those dependants.
- All beneficiaries are only allowed to access their own chronic cover information.
- Beneficiaries with consent (such as a spouse) are allowed to access the chronic cover information of any children under 18 years of age who are beneficiaries on the membership.
More measures might have to be added in future, depending on how we communicate with you and which systems and tools we will use.
Your responsibility
You also need to play your part. As a member of Anglo Medical Scheme you have the duty to provide us with correct, up-to-date personal information and keep us updated if any of your details change.
You also need to ensure your personal data stays secure, for example:
- Don't leave your member log-in on the Anglo Medical Scheme website open if you step away from your computer or device.
- Don't ever share your membership card or membership number with anybody except your Scheme or your trusted healthcare providers.
- Don't post any personal information on social media, such as a photo of your vaccination certificate with your ID number on it, or a photo of a person with the hospital tag on. Don't include personal information or medical information in discussions on social media, for example if you ask online for advice for a specialist to help you with your condition.
- Always have a lock on your phone and devices in case you leave them unattended, they get stolen or you lose them.
- Stay vigilant and informed about scams and hacking attempts.
If you allow a third party to engage with Anglo Medical Scheme on your behalf, whether it is your child, your parent or your broker, we need you to authorise us to do so, by completing a Third Party Disclosure form. We will be sending this form via email to members who we have identified as having previously provided verbal authority to disclose information to a third party.
If you have shared your member log-in details with your dependants in the past, please ask them to create their own member profiles.
If you have previously shared your Electronic Health Record (EHR) with a healthcare professional, you need to authorise Anglo Medical Scheme to do so again by accessing the new Anglo Medical Scheme Electronic Health Record function.
Updated 9 September 2022