New data protection legislation in South Africa and Australia
New data protection legislation has been introduced which should be noted by Lloyd’s coverholders operating in South Africa and Australia.
In South Africa, the Protection of Personal Information (POPI) Act was passed in August 2013 but the commencement date (in terms of Section 115 of the Act) – from which South African entities have a twelve-month transitional period to comply – is yet to be announced. POPI introduces new principles for the processing of personal information by any natural or legal person domiciled in South Africa. This includes Lloyd’s coverholders operating in South Africa.
The Act covers eight principles in respect of: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation. The POPI Act also covers the use of personal information for direct marketing purposes (see Section 66), which contains provisions similar to those of the EU Privacy and Electronic Communications Regulations.
Coverholders should familiarise themselves with the provisions of the POPI Act, and ensure that their practices around processing of personal information are compliant with the principles established by the Act in time for the end of the transitional period.
In Australia, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into force on 12 March 2014. The Act was passed in 2012 and Lloyd’s has previously published guidance in Market Bulletin Y4720.
The new Australian Privacy Principles (APPs) apply only to Lloyd’s underwriters’ operations actually in Australia. This means the Act applies to Australian-domiciled coverholders, service companies and to any process where information is collected, used or stored by an Australian entity, such as a third-party claims administrator or broker.
The relevant obligations introduced by the Act can be found in the Lloyd's Australia Privacy Act Guidelines (August 2013) on Crystal. If you are a Lloyd's market participant with a Crystal account, you will be able to access this information. Market Bulletin Y4720 also provides further guidance.
These Lloyd’s guidelines set out the prescribed information that must be provided when any personal information is collected (e.g. in proposal or claims processes). Providing this notifying information is mandatory, and the guidelines above include a generic form for it. Additionally, the Office of the Australian Information Commissioner has recently released the Australian Privacy Principles Guidelines, which should be taken into account.
As Australian entities now have to inform customers if their personal information will be sent overseas, some local brokers are requesting information about how the data will be protected overseas. Consequently, coverholders may seek information from managing agents about their data protection policies under the UK’s Data Protection Act 1998.