Protection of Businesses Act, 1978
R 385
Long Term Insurance Act, 1998 (Act No. 52 of 1998)RulesPolicyholder Protection Rules (Long-term Insurance), 2017Chapter 6 : Product Performance and Acceptable ServiceRule 13 : Data management |
| 13.1 | In this rule any reference to "policyholder" includes a potential policyholder, a member and a potential member, except for rule 13.4, in which "policyholder'' excludes a potential policyholder and potential member. |
| 13.2 | In this rule "processing" has the meaning assigned to it in section 1 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) and includes processing of all policy-level and policyholder-level data including personal information. |
| 13.3 | An insurer must have an effective data management framework that includes appropriate strategies, policies; systems, processes and controls relating to the processing of any data which enables the insurer at all times to— |
| (a) | have access, as and when required, to data that is up-to-date, accurate, reliable, secure and complete; |
| (b) | properly identify, assess, measure and manage the conduct of business risks associated with its insurance business to ensure the ongoing monitoring and consistent delivery of fair outcomes to policyholders; |
| (c) | comply with all relevant legislation relating to confidentiality, privacy, security and retention of data; |
| (d) | comply with any regulatory reporting requirements; |
| (e) | assess its liability under each of its policies, including data pertaining to each risk that is covered by a policy and each outstanding claim in respect of a policy; |
| (f) | adequately categorise, record and report on complaints as required in terms of rule 18; and |
| (g) | have access to any other relevant data as prescribed by the Authority. |
| 13.4 | An insurer must at a minimum, for the purposes of complying with rule 13.3, have access to the names, identity numbers and contact details of all its policyholders. |
| 13.5 | The contact details referred to in rule 13.4 must be as complete as possible, and where available include the mobile number and email address of the policyholder. |
| 13.6 | Where an insurer outsources the processing of any data, the insurer must be able to access such data at any time as and when required by the insurer. |
| 13.7 | An insurer must have sufficient organisational resources and the operational ability to ensure that its data management framework is effective, adequately implemented and complies with this rule. |
| 13.8 | An insurer must regularly review its data management framework and document any changes thereto. |
