Long Term Insurance Act, 1998 (Act No. 52 of 1998)

Rules

Policyholder Protection Rules (Long-term Insurance), 2017

Chapter 6 : Product Performance and Acceptable Service

Rule 13 : Data management

Purchase cart Previous page Return to chapter overview Next page

 

13.1In this rule any reference to "policyholder" includes a potential policyholder, a member and a potential member, except for rule 13.4, in which "policyholder'' excludes a potential policyholder and potential member.

 

13.2In this rule "processing" has the meaning assigned to it in section 1 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) and includes processing of all policy-level and policyholder-level data including personal information.

 

13.3An insurer must have an effective data management framework that includes appropriate strategies, policies; systems, processes and controls relating to the processing of any data which enables the insurer at all times to—
(a)have access, as and when required, to data that is up-to-date, accurate, reliable, secure and complete;
(b)properly identify, assess, measure and manage the conduct of business risks associated with its insurance business to ensure the ongoing monitoring and consistent delivery of fair outcomes to policyholders;
(c)comply with all relevant legislation relating to confidentiality, privacy, security and retention of data;
(d)comply with any regulatory reporting requirements;
(e)assess its liability under each of its policies, including data pertaining to each risk that is covered by a policy and each outstanding claim in respect of a policy;
(f)adequately categorise, record and report on complaints as required in terms of rule 18; and
(g)have access to any other relevant data as prescribed by the Authority.

 

13.4An insurer must at a minimum, for the purposes of complying with rule 13.3, have access to the names, identity numbers and contact details of all its policyholders.

 

13.5The contact details referred to in rule 13.4 must be as complete as possible, and where available include the mobile number and email address of the policyholder.

 

13.6Where an insurer outsources the processing of any data, the insurer must be able to access such data at any time as and when required by the insurer.

 

13.7An insurer must have sufficient  organisational  resources  and  the operational ability to ensure that its data management framework is effective, adequately implemented and complies with this rule.

 

13.8An insurer must regularly review its data management framework and document any changes thereto.