Protection Of Personal Information (POPIA) Policy

The purpose of this policy is to ensure that HCV Underwriting Managers adheres to the requirements as set out in the Protection Of Personal Information Act 4 of 2013 (POPI Act), which relates to the handling, use, process and protection of a Data Subjects Personal Information.

HCV is committed to ensuring that all our operations relating to the processing of personal Information complies with the POPI Act in the interest of protecting our Clients, Brokers and the Insurer.

This policy provides guidelines on the management and processing of Personal Information within HCV, as well as the rights of our clients to the protection of their Personal Information.

This policy is reviewed annually to ensure that it continues to meet its purpose.

Personal information may be obtained from the data subject either directly or via an alternative source, should the data subject consent, if it is not practical to request directly from the data subject, or an alternative law request requests such method.

The information must be obtained for a particular purpose and related to the core processing functions of the responsible party.

Personal information which is obtained must be deleted/de-identified as soon as it is no longer required, however whilst under the control of HCV all reasonable measures should be taken to ensure this information is safe from the unauthorised access/theft/destruction.

‘Data Subject’ means the person to whom the Personal Information relates to.
‘Consent’ means any voluntary, specific, and informed expression of will in terms of which permission is given the processing of Personal Information.
‘Personal Information’ means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person and defined in the POPI Act.
‘Operator’ means a person who processes Personal Information for a Responsible Party in terms of a mandate or contract.
‘Processing’ means any operation or activity or any set of operations, whether by automatic means, concerning Personal Information.

Condition 1: Accountability
HCV undertakes to comply with the requirements of the POPI Act in the processing of Personal Information. We will take reasonable precautions to ensure the adequate storage and protection of all Personal Information that we have access to, in the daily operation of our business.

Condition 2: Processing Limitation
Every effort is made to ensure that the processing of Personal Information is done in a lawful manner and does not infringe on the privacy of the Data Subject. All personal information in our possession will only be processed for its intended purpose.

Due to the nature of our business, all Personal information is obtained by our brokers directly from the Data Subject and is then sent to us to assist with their short term insurance requirements. Alternatively, we obtain information from service providers i.e. assessors, investigators etc. The Personal Information is necessary for our operation and as we rely on our business partners to obtain consent in a lawful manner before sharing this information with HCV.

We collect data directly from a Data subject only when necessary to perform our functions, for an alternative purpose which is linked to short term insurance business. This data would be required for our standard business processes and is saved and protected in the same manner as Personal Information acquired from our business partners.

Condition 3: Purpose specification

All Personal Information collected from a Data Subject is for the purpose of providing the potential policyholder with an insurance solution which best fits their circumstances.

All data is retained on our policy administration system, in line with the relevant laws regarding the retention and destruction of Personal Information.

All Personal Information that is no longer required but has already complied with the record keeping requirement of the short
term insurance industry will be discarded or kept in encrypted or de-identified format.

Condition 4: Further Processing Information
As HCV does not obtain the Personal Information from the Data Subject directly. The further processing of Personal Information will be conducted in compliance with the POPI Act. We may obtain further information from other sources as indicated in the ACT as it may be required in terms of an alternative law. All Personal Information HCV collects is required to assess a client and provide a suitable short term solution to the broker to present to the Data Subject.

Condition 5: Information Quality
We have agreements in place with all our Brokers to provide us with updated Personal Information on a regular basis and to ensure that all Personal Information is accurate and complete. Any information not required for our operations is deleted.

Condition 6: Openness/Transparency
HCV relies on our business partners to inform Data Subjects that their Personal Information is being shared with HCV, the purpose thereof, safeguards that are in place, and when required deleted.

HCV is also committed to being transparent to a Data Subject regarding the type of Personal Information that we have as well as what it may be used for.

Condition 7: Security Safeguards
HCV makes use of various security measures to ensure the protection of Personal Information.

All required Personal Information is uploaded and stored on our administration system, this information is protected from unauthorized access and all confidentiality protocols are observed in terms of segregation of duties and access control afforded to our broker partners.

We make use of virus protection and other IT security measures to combat any potential cyber threats to our systems.

Conditions 8: Data Subject Participation
All Data Subjects are entitled to know what Personal Information HCV has in their possession as well as what this information is used for. Each Data Subject is also entitled to know who has access to their Personal Information.

Each Data Subject is encouraged to correct any incorrect information HCV has, or to request HCV to delete any Personal Information held which is outdated or no longer required.

Should a Data Subject who does not have a current policy with HCV request what Personal Information we may have, it will be necessary for them to provide verified identification before any information is supplied.

Monitoring
The HCV management team is responsible for the oversight and compliance with this policy.

HCV IT, as well as Dexani Management have put appropriate security controls in place to ensure that the Personal Information held by HCV and Dexani are protected as far as possible.

HCV Compliance will include monitoring of the provisions of this ACT in file audits undertaken.

All HCV staff will be trained at least annually on the provisions of the POPI Act and strict adherence to the provisions are encouraged.

Security Controls

HCV employs various security controls to ensure the protection of Personal Information:

• We use ESET Endpoint Security anti-virus protection software: it protects us from ransomware and other virus threats.
• All users are password driven.
• All User passwords to the network and email are set with complexity requirements.
• All emails are hosted and backed up on the Microsoft Office 365 environment, and all accounts are password protected for emails and domain.
• All remote access is controlled through VPN and a user needs to enter their domain credentials to gain access to the network.
• Firewalls are in place controlling all incoming and outgoing connections including VPN.

Non-Compliance
Any breach of the POPI Act may result in disciplinary action.

Signoff
This policy has been signed off and accepted by the management of HCV Underwriting Managers (Pty) Ltd.