Short-Term Insurance Act, 1998 (Act No. 53 of 1998)
Policyholder Protection Rules
Policyholder Protection Rules (Short-Term Insurance), 2017
Chapter 6 : Product Performance and Acceptable Service
Rule 13 : Data Management
13.1 | In this rule any reference to "policyholder" includes a potential policyholder, a member of a group scheme and a potential member of a group scheme, except for rule 13.4, in which "policyholder" excludes a potential policyholder and potential member of a group scheme. |
13.2 | In this rule "processing" has the meaning assigned to it in section 1 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) and includes processing of all policy-level and policyholder-level data including personal information. |
13.3 | An insurer must have an effective data management framework that includes appropriate strategies, policies, systems, processes and controls relating to the processing of any data which enables the insurer at all times to— |
(a) | have access, as and when required, to data that is up-to-date, accurate, reliable, secure and complete; |
(b) | properly identify, assess, measure and manage the conduct of business risks associated with its insurance business to ensure the ongoing monitoring and consistent delivery of fair outcomes to policyholders; |
(c) | comply with all relevant legislation relating to confidentiality, privacy, security and retention of data; |
(d) | comply with any regulatory reporting requirements; |
(e) | assess its liability under each of its policies, including data pertaining to each risk that is covered by a policy and each outstanding claim in respect of a policy; |
(f) | adequately categorise, record and report on complaints as required in terms of rule 18; and |
(g) | have access to any other relevant data as prescribed by the Authority. |
13.4 | An insurer must at a minimum, for the purposes of complying with rule 13.3, have access to the names, identity numbers and contact details of all its policyholders. |
13.5 | The contact details referred to in rule 13.4 must be as complete as possible, and where available include the mobile number and email address of the policyholder. |
13.6 | Where an insurer outsources the processing of any data, the insurer must be able to access such data at any time as and when required by the insurer. |
13.7 | An insurer must have sufficient organisational resources and the operational ability to ensure that its data management framework is effective, adequately implemented and complies with this rule. |
13.8 | An insurer must regularly review its data management framework and document any changes thereto. |