POPIA for Medical Aid and Insurance Brokers: Handling Special Personal Information
If you broker medical aid or insurance products in South Africa, the personal information you collect sits in a different category under the Protection of Personal Information Act (POPIA) — one that carries stricter obligations. Understanding how POPIA treats this data, and how the Information Regulator's guidance shapes your responsibilities, is essential groundwork for any broker operating today.
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. For your specific situation, consult a qualified attorney.
---
What Makes Broker Data Different?
Insurance and medical aid brokers routinely collect information that POPIA calls special personal information. Under POPIA section 26, this category includes data concerning a person's health, medical history, biometric information, financial history, and criminal record — exactly the kind of data a broker needs to assess risk, place cover, and service a policy.
The default position under POPIA section 26 is that processing special personal information is prohibited unless a specific authorisation applies. Section 27 sets out those general authorisations — for example, that processing is permitted if the data subject has given explicit consent, if processing is necessary to establish, exercise, or defend a right or obligation in law, or if processing is clearly in the public interest in specific circumstances described in the Act.
For most brokers, the most practical authorisation is explicit consent from the client, combined with the necessity of processing to carry out the contract (placing cover on the client's behalf). However, the Information Regulator's guidance is that consent must be freely given, specific, informed, and unambiguous — a blanket tick-box buried in a lengthy form is unlikely to meet that standard.
---
The Eight Conditions Always Apply
Even when you have a valid authorisation to process special personal information, the eight conditions for lawful processing under POPIA section 8 still apply to everything you do with client data. Among other obligations, those conditions require that you:
- Collect for a specific purpose (s13): Be clear about why you need each piece of information. Collecting a client's full medical history when you are only placing a funeral policy is likely disproportionate.
- Give clients notice (s18): When you collect personal information, POPIA requires that you inform the client who you are, what you will do with the data, whether they must provide it, and what their rights are.
- Keep data only as long as necessary (s14): Records should not be retained indefinitely. POPIA requires that personal information is destroyed or de-identified once the purpose for which it was collected is fulfilled, subject to any other legal retention requirements (such as FAIS or the Long-term Insurance Act record-keeping rules — check the relevant requirements at fic.gov.za and the FSCA's published guidance).
- Protect data with reasonable security measures (s19): Brokers hold highly sensitive data. POPIA requires reasonable technical and organisational measures to prevent loss, damage, or unlawful access.
- Notify the Information Regulator and affected data subjects of a breach (s22): If special personal information is compromised, notification obligations arise. The Information Regulator's published guidance on breach notification is available at inforegulator.org.za.
---
Direct Marketing to Clients and Prospects
Brokers frequently market by email or SMS. POPIA section 69 requires that direct marketing by electronic communication may only be sent to data subjects who have given consent, or — in a narrow exception — to existing clients for similar products or services, provided an opt-out mechanism is always included and honoured. Cold electronic marketing to purchased lists is not compliant under section 69.
---
Sending Data Across Borders
Many insurers and medical schemes have systems or reinsurers outside South Africa. POPIA section 72 governs transfers of personal information to third parties in foreign countries. The Information Regulator's position is that such transfers require either that the recipient country offers adequate protection, that the data subject consents to the transfer, or that one of the other conditions in section 72 is met. If your client data travels to cloud servers or group IT systems outside South Africa, this section is relevant to your processing arrangements.
---
Your Information Officer
Under POPIA section 55, every responsible party — including a brokerage — must have a designated Information Officer whose duties include ensuring compliance with POPIA, dealing with data subject requests, and working with the Information Regulator. For small brokerages, this is typically the owner or a senior manager. The Information Officer must be registered with the Information Regulator; registration is done through the portal at inforegulator.org.za.
---
Client Rights You Must Be Able to Honour
POPIA gives your clients active rights over their data:
- Right of access (s23): A client can ask what personal information you hold about them.
- Right to correction (s24): A client can ask you to correct inaccurate information.
- Right to object (s11(3)): A client can object to you processing their personal information on the basis of legitimate interest. You must have a process to receive and respond to these requests in a reasonable time.
Brokers who cannot demonstrate they have workable processes for handling these requests face regulatory risk.
---
Practical Starting Points
Based on the published requirements under POPIA, brokers may find it useful to:
- Audit what special personal information you collect — map every form, system, and third-party integration where health or financial data flows.
- Review your client consent language — ensure it is explicit, specific, and easy to understand before any data is collected.
- Check retention schedules — reconcile POPIA's limitation requirements with FAIS and insurance-sector record-keeping rules.
- Update your PAIA / Privacy Notice — your clients should be able to find out easily how their data is handled.
- Register your Information Officer — if not already done, this is a foundational compliance step.
Tools like Khanyitas are designed to help South African SMEs and regulated intermediaries manage exactly these kinds of ongoing obligations — from documentation to breach tracking — without needing a large in-house compliance team.
---
> Disclaimer: This article is general information based on published Information Regulator guidance and the text of POPIA. It is not legal advice. The compliance obligations applicable to your specific brokerage will depend on your business model, the products you place, and any sector-specific regulations that apply to you. Consult a qualified attorney for advice on your situation. Refer to primary sources: Information Regulator | FIC | CIPC.