A joint publication of the Attorneys Fidelity Fund and the Attorneys Insurance Indemnity Fund NPC
(A Non Profit Company, Registration No. 93/03588/08)
RISKALERT
NOVEMBER 2014 NO 5/2014
IN THIS EDITION
RISK MANAGER’S COLUMN
Claims trends as at 30 June 2014 (page 1)
GENERAL PRESCRIPTION MATTERS
Important Notice from Prescription Alert (page 2)
FRAUD ALERT
RAF MATTERS
Adjustment of statutory limit for loss of income/loss of support as at 31 July 2014 (page 3)
Article by the Risk Manager: Why do RAF claims prescribe? (page 3)
Prescription of claims in terms of Section 17(4)(a) undertakings by the Road Accident Fund? (page 4)
CONVEYANCING MATTERS
Details of a new SCAM (page 5)
A case study (page 5)
GENERAL PRACTICE
Amendment to Magistrates’ Court rules (June 2014) (page 6)
Sandra Sithole writes about the duty of attorneys to protect personal information (in terms of POPI) (page 6)

RISK MANAGER’S COLUMN
In response to numerous requests from the profession, Prescription Alert will be extending its services. Please read the important notice about this on page 2.
Please note that our contact details have changed – (see below)
NEW SCAM: Imposters intercepting e-mails and changing payee’s banking details
Please read more on page 5.
We have received requests from practitioners who would like their staff to be put on a mailing list to receive electronic copies of the Risk Alert Bulletin and notifications about new case law and legislation. If you would like us to put you and your staff on our mailing list, please send your request (with the e-mail addresses of the recipients) to Lucia Snyman ([email protected]).

CLAIMS TRENDS
GRAPH 1: TOTAL INCURRED RAND VALUES* BY CLAIM TYPE FOR THE 2013 INSURANCE YEAR (AS AT 30 JUNE 2014)
Commercial: 3 608 880,43
Conveyancing: 5 752 535,66
General Prescription: 4 904 100,00
Litigation: 5 077 252,13
MVA Prescription: 21 885 272,03
MVA Under settlement: 2 911 000,00
Other: 3 854 569,03
Total: 47 993 609,28

The R21.9 million total-incurred value of prescribed RAF claims represents around 45.6% of the total incurred value for the 2013 year of insurance as at 30 June 2014. General prescription claims taken together with the prescribed RAF claims add up to R26.7 million. Prescription claims overall make up 55% of the total incurred value for the 2013 year of insurance (as at 30 June 2014).

Ann Bertelsmann, Risk Manager

Attorneys Fidelity Fund, 5th Floor, Waalburg Building, 28 Wale Street, Cape Town 8001 • PO Box 3062, Cape Town, 8000, South Africa, Docex 154 • Tel: (021) 424 5351 • Fax: (021) 423 4819 • E-mail: [email protected] • Website: www.fidfund.co.za
AIIF: Ann Bertelsmann, Risk Manager, Aon, Risk Solutions, 1256 Heuwel Avenue, Centurion 0127 • PO Box 12189, Die Hoewes 0163 • Docex 24, Centurion • Tel: 012 622 3900 • Website: www.aiif.co.za • Twitter handle: @AIIFZA
Prescription Alert, 2nd Floor, Waalburg Building, 28 Wale Street, Cape Town 8001 • PO Box 3062, Cape Town, 8000, South Africa, Docex 149 • Tel: (021) 422 2830 • Fax: (021) 422 2990 • E-mail: [email protected] • Website: www.aiif.co.za

DISCLAIMER
Please note that the Risk Alert Bulletin is intended to provide general information to practising attorneys and its contents are not intended as legal advice.
Graph 2: 2008 to 2013 years by VALUE as at June (12 months)
Graph 2 illustrates how, over the past six years, conveyancing claims values have decreased, while those of
RAF prescriptions have steadily increased and those of litigation claims have remained fairly stable.
GENERAL PRESCRIPTION MATTERS
Important Notice
The Board of the AIIF has agreed to extend the services offered by Prescription Alert (PA), to allow
for the registration of general civil matters, where prescription is governed by contract or by the
Prescription Act 68 of 1969.
Because there are numerous variables in the calculation of prescription dates for these matters,
it will be the practitioners’ sole responsibility to provide the correct prescription date for their
individual matters. PA cannot take responsibility for checking the accuracy of the prescription
dates provided.
As is the case with statutorily time-barred matters, the service offered by PA will be provided
merely as a back-up to practitioners’ own diary systems.
Please contact Lucia Snyman at (021) 422 2830 / [email protected] for more information.
RAF MATTERS
ADJUSTMENT OF STATUTORY LIMIT IN RESPECT OF
CLAIMS FOR LOSS OF INCOME AND LOSS OF SUPPORT
The amount referred to in subsection 17(4)(c) of the Road
Accident Fund Act has been adjusted to R 24 120, with effect
from 31 July 2014.
WHY DO RAF CLAIMS PRESCRIBE?
Why the ongoing and escalating problem of RAF
claims prescribing in the hands of practitioners?
On page 1 we have reported that prescribed RAF claims
make up around 45.6% of the total incurred value of
claims for the 2013 insurance year, as at 30 June 2014.
This is an alarming statistic!
Because these claims are PREVENTABLE they attract a higher
deductible than other claim types. What can practitioners do to
prevent RAF claims from prescribing? We need to look at some
of the reasons why these claims prescribe in spite of reminders
being sent from Prescription Alert.
The major problem of course, is the fact that most often the
practice’s senior attorneys/directors are not aware of what their
junior/inexperienced employees are doing. They allow them
to take on RAF matters and deal with them without proper
supervision from start to finish. The most common problems we
come across are:
Wrong application or misunderstanding of the law. For example, the practitioner forgets or does not know:
— that for so-called “hit and run” matters, there is a two-year
period within which to lodge the claim – even where the claimant
is a minor or someone under a disability;
— that a medical report can be obtained from another medical
practitioner who treated the claimant, if the medical report cannot be obtained (See s24(2) (a):…….Provided that, if the medical
practitioner or superintendent (or his or her representative) concerned fails to complete the medical report on request within a
reasonable time and it appears that as a result of the passage
of time the claim concerned may become prescribed, the medical
report may be completed by another medical practitioner who has
fully satisfied himself or herself regarding the cause of the death
or the nature and treatment of the bodily injuries in respect of
which the claim is made); or
— what constitutes substantial compliance (See Mlenzana v Goodrick & Franklin Inc, 2012 (2) SA 433 FB and Nkisimane and
Others v Santam Insurance Co Ltd 1978 (2) SA 430 (A) at 435H
– 436A for a discussion of the minimum information that has to
be supplied for substantial compliance).
Failure to take note of new case law. For example, where certain legislation had been declared unconstitutional or ultra vires
and the practitioner told the client that:
— s/he had no claim or a very limited claim as a passenger in a
taxi (being unaware of the decision Mvumvu and Others v Minister of Transport and Another (CCT 67/10) [2011] ZACC 1, where
the restrictions on s18 (1) passengers’ claims were declared unconstitutional – resulting in the enactment of the Road Accident
Fund (Transitional Provisions) Act 15 of 2012);
— s/he had no claim against the RAF as a passenger injured in
a single vehicle collision, where her university student daughter
was the driver (being unaware of the decision in Vanessa da Silva v Road Accident Fund and the Minister of Transport ZAFSHC
1349/2008 24/01/2014 – confirmed in the Constitutional Court
[2014] ZACC 21);
— s/he had no claim where s/he was involved in a “hit and run”
accident, where there was no physical contact between the vehicles
(being unaware of the decision in Bezuidenhout v Road Accident
Fund (355/2002) [2003] ZASCA 69; [2003] 3 All SA 249 (SCA) in
which Reg 2(1)(d) of the regulations promulgated in terms of s 26 of
the Road Accident Fund Act 56 of 1996 was held to be ultra vires);
Failure to understand the duties of an attorney to protect
client’s interests. For example: the client fails to pay a deposit,
provide important documents, respond to letters, attend consultations and the practitioner withdraws when prescription is imminent without ensuring that client knows his/her rights. (See
Mlenzana v Goodrick & Franklin Inc, 2012 (2) SA 433 FB);
Failure to timeously obtain information from the SAPS with
regard to the accident report and docket. The practitioner fails
to follow up/visit the SAPS;
Using the incorrect date for prescription
— The client gives the incorrect date of accident and the practitioner calculates the prescription date by reference to this incorrect date, failing to pick up the error from the correct dates in the
accident reports and medical records;
— The practitioner miscalculates the date of prescription, for example where the accident date is 1 January 2009 he records the
prescription date as 1 January 2012;
— The client gives the practitioner the incorrect registration
number of the insured vehicle and the identified vehicle claim
becomes an unidentified vehicle claim;
The person dealing with the matter leaves the firm and either:
— Does no work on the matter and allows it to prescribe before
s/he leaves the firm (a supervision problem) or
— Leaves the firm without properly handing the file over to
someone else in the firm (absence of or non-adherence to minimum operating standards and procedures);
The file does not come out of diary because:
— It is not properly diarised;
— There is no reliable diary system;
— The file cannot be found because of an inadequate filing system and filing rules;
— The file is lost in a pile of files on the floor/desk/windowsill
or behind a cabinet;
Non-adherence to PRESCRIPTION ALERT reminders
We are concerned about the number of RAF claims being allowed
to prescribe in practices, often even where the matters have been
registered with Prescription Alert.
At present, reminders are sent only to the person responsible for
the RAF claim file. This leaves no safety net where, for example,
the responsible person:
— Leaves the firm and the reminder does not come to the attention of the person who has taken over the matter;
— Leaves the firm, no one takes over the matter – and the reminder does not come to anyone else’s attention;
— Leaves the firm, taking the matter with him and not notifying
Prescription Alert of his new contact details;
— Does not see the reminder or act on it timeously because it is
put into a bottomless pile of correspondence for a filing clerk to
put on files or bring with files;
— Ignores the reminder.
(In order to mitigate the risk of situations like the above happening,
Prescription Alert will, in future, require the contact details of a
second person in the firm - preferably a person that the responsible
person reports to. Duplicate reminders will be sent to the second
person, as back-up.)
Another practice takes over a file or a number of files from a
firm and fails to study the contents before prescription;
The matter is taken on too close to prescription and the practitioner is unable to lodge/serve summons in time;
The client cannot be contacted because the practitioner has
taken insufficient contact details (Details of next of kin/family/
friends/employer should be sourced at the first consultation);
The firm’s messenger fails to deliver the claim documents
in time (This happens usually because lodgement is left to the
very last minute and because of inadequate instructions or lack of
proper training);
Counsel fails to settle the particulars of claim in time for service of summons (The practitioner is responsible for ensuring
that this is done well in time);
The sheriff fails to serve summons in time (The practitioner is
responsible for ensuring that this is done well in time);
The action is brought in the incorrect court;
After the claim has been lodged, settlement negotiations
distract the practitioner from thinking about prescription and
serving summons in time;
The practitioner thinks he does not have a mandate but client
thinks he does. Very often there is confusion about this and the
Courts tend to favour the client. Make sure you have given the
claimant a timeous letter of withdrawal or a letter of non-engagement (it must come to his/her attention);
Not getting any feedback from the South African Police Service (SAPS) with regard to the accident report and the attorneys
not following up/visiting the SAPS (See Mlenzana v Goodrick &
Franklin Inc, 2012 (2) SA 433 FB);
Not getting any feedback from the relevant hospital with regard to the hospital and medical records and the attorneys not
following up/visiting the hospital or obtaining a report from another medical practitioner (s24(2)(a)).
Diarising the file ahead for long periods of time. For some
reason, where there is a matter against the RAF, practitioners often tend to leave investigations and lodgement to the very last
minute. (Typically in files where there is a claim for an RAF prescription, the file contains the mandate, client’s signed authority
to obtain medical records and first letters to the hospital and the
SAPS – all attended to in the first few weeks after the first consultation. Thereafter, the file is diarised ahead and nothing happens
for a year or so. The file comes out of diary and a follow-up letter
might be sent to the SAPS or hospital. The file is then re-diarised);
Leaving to the last minute, the obtaining of medico-legal reports/RAF 4 reports.
This list is not exhaustive, but senior practitioners are
requested to ensure that there are systems and standards
in place to ensure that junior staff is properly trained and
supervised to avoid making these avoidable errors.
Ann Bertelsmann
[email protected]
In the May 2013 Bulletin, at page 4, we wrote about Judge
Satchwell’s scathing observations about the conduct of
both the plaintiff’s and defendant’s attorneys in her judgment in the matter of Motswai v Road Accident Fund, GSJ
(case 2010/17220, 7/12/2012).
In a recent judgment, to be welcomed by the profession, the
Supreme Court of Appeal has overturned Judge Satchwell’s
findings regarding the conduct of the attorneys. See Motswai
v RAF (766/13) [2014] ZASCA 104 (29 August 2014).
Prescription of claims in respect of undertakings
by the Road Accident Fund (RAF) in terms of Section
17(4)(a) of the Road Accident Fund Act 56 of
1996 (RAF Act)?
Professor Hennie Kloppers has drawn our attention to the
practice of the RAF, in attempting to escape liability for the
payment of medical costs, whereby it contends that such
claims have prescribed (in terms of the Prescription Act 68
of 1969) if they are submitted more than three years after the
expenses have been incurred.
He has referred us to the judgment in E Niemann v Road Accident
Fund unreported case no 1549/2007 (NGHC), in which the Court
held that the Prescription Act of 1969 was applicable.
In his article in the Journal of Contemporary Roman-Dutch Law
(JCRDL), 2014 (77) at page 491, Professor Kloppers concludes
that:
“First, the Prescription Act of 1969 is not applicable to claims in
terms of the Road Accident Fund Act and second, a request
for payment in terms of section 17(4)(a) cannot be subject
to prescription because such request simply constitutes a
request for delayed payment of already proven compensation
claimed and proven in terms of the unitary common law claim
of section 17(1) of the Act and cannot under any circumstances
be a new and independent claim which is susceptible to
prescription. Any other interpretation would deny a third
party claimant compensation to which he or she is legally
entitled and will consequently be contrary to the object of the
RAF which essentially is to protect the third party from loss of
compensation.”
We are advised that another such matter is due to be heard shortly,
in the North Gauteng High Court. We will keep practitioners
advised of developments.
In the interim, as a precaution, it may be wise to warn clients to
submit their claims before the expiry of a period of three years
from the date on which the expenses are incurred.
Ann Bertelsmann
CONVEYANCING MATTERS
SUCCESSFUL APPEAL TO THE CONSTITUTIONAL COURT
against the SCA’s order against the conveyancer in Royal
Anthem Investments 129 (Pty) Ltd v Yuen Fan Lau and
another (941/2012 [2014].
See RAB 3 and 4/2014 and Stopforth, Swanepoel & Brewis
Inc v Royal Anthem Investments 129 (Pty) Ltd and Others
[2014] ZACC 26.
NEW CONVEYANCING SCAM JULY 2014
We have been advised of a new scam involving a slightly
different modus operandi from the one doing the rounds
for the past two years.
In one such matter, after a property sale had been cancelled, the
conveyancer needed to refund the deposit to the purchaser. He
sent an e-mail to the purchaser’s Gmail address, advising her
that the refund would be paid into the FNB account from which
the payment had been generated. He received an e-mail response
stating that the FNB account had been temporarily discontinued.
He thereafter received an e-mail with details of an account held
with Nedbank, into which the refund should be paid and he duly
made the payment using electronic banking.
In the meantime, the purchaser received e-mails (ostensibly from the
conveyancer) apologising for the delay in the transfer of the funds.
By the time the conveyancer became aware that the Nedbank
account did not belong to the purchaser, all the money had been
withdrawn from the account.
On closer examination it became clear that the e-mails sent to
the conveyancer, ostensibly by the purchaser, in fact came from
a Gmail address that was almost identical to the purchaser’s
address. One letter had been swapped around - for example the
address [email protected] became [email protected]. The
conveyancer did not notice the slight discrepancy.
E-mails which the real purchaser received, ostensibly from the
conveyancer, also came from an almost identical address – for
example the address [email protected], became
[email protected]. The purchaser did not notice the
slight discrepancy.
It seems that the fraudster was somehow able to intercept the
Gmails sent to the purchaser’s genuine Gmail address.
He then appears to have opened accounts with similar addresses
to those of the conveyancer and purchaser.
This enabled him to send messages to the conveyancer and the
purchaser, which at first glance, came from their genuine e-mail
addresses.
WE WARN ALL PRACTITIONERS TO BE EXTREMELY VIGILANT
WHEN RECEIVING ANY INSTRUCTIONS VIA E-MAIL,
PARTICULARLY WHERE THEY CONTAIN INSTRUCTIONS TO
MAKE PAYMENTS.
Carefully check the e-mail address to ensure that it is
IDENTICAL to the one on file.
Please give the party who ostensibly sent the e-mail a call at a
verifiable contact number. DO NOT USE A NUMBER PROVIDED
IN THE E-MAIL CONCERNED! Do not pay out on an e-mail
instruction alone.
Attorneys should not have possibly unreliable e-mail
addresses like Gmail, Yahoo, Webmail, Ymail and Hotmail. If
the client has such an address, then it might be a worthwhile
precaution to follow up any e-mail sent to that address with a
short telephone call to ensure that important correspondence
has in fact been received by the correct recipient.
NEVER PAY TRUST MONEY INTO AN ACCOUNT WITHOUT
VERIFYING THE BANKING DETAILS. YOU NEED TO HAVE A
FICA POLICY IN PLACE AND TO FOLLOW IT TO THE LETTER,
WITHOUT EXCEPTION.
A case study
A conveyancer was instructed to draft a lease agreement, after
assisting with negotiations in concluding the agreement with
client’s prospective tenants. One of the terms agreed to was that
the rental would increase at the rate of 10% per annum.
The secretary, in calculating the rental repayments mistakenly
added an amount of R10.00 instead of 10% to the rental for the
second year. The problem was compounded when she made the
same error in the calculation for the third year.
How did this happen? What are the risk management
implications of this error?
Attention to detail
The secretary who made the error was clearly not paying attention or properly applying her mind to the task at hand. She
should have checked the document and her calculation. Had she
been concentrating, she would have realised that the rental increase was much too small and did not make commercial sense.
Emphasis should be placed on the importance of accuracy, when
employing and training employees in an attorney’s practice and
especially those who work in the conveyancing department.
There should be sanctions for breaches of the firm’s policies in
this regard.
See Margalit v Standard Bank of SA Ltd (883/2011) [2012]
ZASCA 208 (3 December 2012)
“To avoid causing such harm, conveyancers should ...be fastidious
... and take great care in the preparation of documents”
Document checking
It is good risk management practice, not only to check the accuracy of your own documents, but also to call upon a colleague
to critically check your document with a fresh pair of eyes.
Ideally, your Minimum Operating Standards manual should contain provisions for the checking of important calculations, documents and correspondence.
Supervision
The secretary should have been better supervised by the conveyancer and not left to her own devices. It was ultimately the conveyancer’s responsibility to ensure the correctness of the work
delegated to her.
File audit
All practices should have a system of file audits in place. Had
the file been properly audited, there is a good chance that this
glaring error would have been picked up before it was repeated
in subsequent years.
Ann Bertelsmann, Risk Manager
[email protected]
GENERAL PRACTICE
IMPORTANT ANNOUNCEMENT
The Legal Practice Act 28 of 2014 (LPA) was signed
into law on 20 September 2014 and gazetted in the
Government Gazette no 38022 of 22 September 2014.
DEPARTMENT OF JUSTICE AND CONSTITUTIONAL
DEVELOPMENT
No. R. 507
June 2014
RULES BOARD FOR COURTS OF LAW ACT,1985
(ACT NO. 107 OF 1985) AMENDMENT OF RULES
REGULATING THE CONDUCT OF THE PROCEEDINGS
OF THE MAGISTRATES’ COURTS OF SOUTH AFRICA
The Rules Board for Courts of Law has, under section
6 of the Rules Board for Courts of Law Act, 1985 (Act
No. 107 of 1985), with the approval of the Minister of
Justice and Constitutional Development, made the rules
in the Schedule.
Please note that:
a number of new forms have been substituted for the old ones in Annexure 1 of the rules
the amendments have implications for divorce actions or actions for nullity of marriage
the amendments to the rules change a number of procedures, affecting inter alia:
— R5 (summons)
— R6 (pleadings generally)
— R9 (service of process)
— R12 (default judgment)
— R13 (appearance to defend)
— R14 (summary judgment)
— R18 (offer to settle)
— R21 (close of pleadings – R21B added - barring)
— R22 (set-down of trial)
— R23 (discovery)
— R25 (pre-trial)
— R28 (intervention, joinder, consolidation of actions)
— R28A (third party procedure)
— R48 (administration orders)
— R55 (applications)
— R55A (amendment of pleadings)
— R56 (arrests tanquam suspectus de fuga, interdicts etc)
— R58 (maintenance pendente lite, contribution towards costs, interim custody and access)
— R60 (non-compliance with rules)

Does this apply to your practice?
Legalbrief of 8 July 2014 quotes from an article in the British Law Gazette:
“In most industries, basic IT competence is not a matter of education. It is a necessary business skill that everyone is expected to have, like being able to answer the phone or write an e-mail….. However…. IT is a problem for lawyers – because the billable hour is a disincentive to efficiency and training. Charging clients per six-minute interval means that the lawyers who struggle with simple office tools or legal-specific applications get paid more for the same work than those who use IT effectively. Learning how to use software is ‘non-billable time’…The problem was highlighted by Kia Motors corporate counsel D Casey Flaherty, who created a basic technology competence audit which he made part of his external counsel selection process. His findings were as he expected – all the firms failed his test because lawyers spent far too long on straightforward tasks.”

The duty of attorneys to protect personal information
The Protection of Personal Information Act 4 of 2014 (“POPI”) (effective date still to be set) creates significant exposure for businesses that process the personal information of individuals and juristic persons, by regulating how those businesses handle, keep and secure that information.
Attorneys almost by definition process their clients’ most personal information and will be affected by POPI when it comes into operation.
Definitions of role-players
A responsible party is a public or private body or any other
person which alone or in conjunction with others, determines
the purpose and means for processing personal information
of a data subject.
A data subject is the person to whom personal information
relates.
A professional legal adviser means any legally qualified
person, whether in private practice or not, who lawfully
provides a client, at his or her or its request, with independent,
confidential legal advice.
The Regulator means the Information Regulator established
in terms of section 39.
The information officer (of a private body) means the head of
a private body as contemplated in section 1 of the Promotion
of Access to Information Act.
What does POPI do?
POPI regulates the way in which personal information of
data subjects is collected, used, secured, disseminated and
destroyed by responsible parties. Personal information
is widely defined and encompasses a range of information
relating to an identifiable living person (in the extended
sense). It includes things such as race, gender, marital status,
age, health, religion, education and company contact details
including name, e-mail addresses and telephone numbers.
The processing covers the entire cycle of collection of
information right through to its destruction and everything
in between.
POPI sets out eight principles for the lawful processing of
personal information which are an adaptation of the EU
Directive on Data Protection and the UK Data Protection Act.
The principles for lawful processing of information are:
Accountability
Process limitation
Purpose specification
Further processing limitation
Information quality
Openness
Security safeguards
Data subject participation
What you need to know about POPI in relation to your
practice
1. Consent
The common feature of POPI is the requirement of consent
for the processing of personal information. However, as
attorneys, you do not need your client’s consent to process
information in the course of undertaking legal work in terms
of a mandate for the provision of legal services. This is
because POPI allows the processing of information if this is
necessary for the performance of a contract between you and
the client.
There is a category of sensitive information, for example,
relating to children (i.e. under the age of 18) and special
personal information (including private information relating
to religious beliefs, race, trade union membership, health
or sex life, biometrics or criminal offences) which is subject
to more onerous processing obligations and you need to be
mindful of those.
2. Confidentiality
Personal information must be kept confidential and must not
be disclosed unless required by law or unless such disclosure
is necessary for the performance of your obligations in terms
of the contract for legal services with your client. You are
permitted to disclose personal information necessary in the
course of legal work.
3. Security safeguards
The biggest exposure for attorneys under POPI relates to
the provisions dealing with security safeguards of personal
information held by responsible parties or by third parties.
POPI requires attorneys to take reasonable measures to
prevent the loss of or damage to or the unauthorised
destruction of personal information that is in their possession.
You must ensure that you and any third party who processes
personal information on your behalf establish and maintain
the security measures required by POPI.
You need to assess your own security risks and whether any
service providers who process information on your behalf,
for example, outsource companies such as debt collectors,
have considered and implemented good security safeguard
measures.
Because lawyers process intensely private information of
clients, their systems need to be modern and secure.
To illustrate, a monetary penalty of £120 000 was issued by
the UK Information Commission Office (ICO) against Stoke-on-Trent City Council following a serious breach of the UK Data
Protection Act of 1998, which led to sensitive information
about a child protection legal case being e-mailed to the
wrong person. A solicitor employed by the data controller
was working on a child protection case and erroneously sent
11 e-mails (intended for counsel instructed on the case) to
the wrong e-mail address. The e-mails varied in sensitivity
but some of them contained confidential and highly sensitive
personal data about the non-accidental injuries sustained
by a child, together with medical information relating to
two adults. The e-mails also contained a brief to counsel
suggesting directions and miscellaneous comments about
the conduct of the case. The solicitor had typed in the wrong
e-mail address (she had a new IT system and did not have
access to her stored contact list). She acted in breach of the
data controller’s IT protocols because she did not mark the
e-mail protectively and did not send it via a secure network.
4. Mandatory notification of data breach
You must inform the Regulator if you have reasonable grounds
to believe that personal information has been accessed or
acquired by an unauthorised person. The Regulator may
direct that a data breach be publicised if such publicity would
protect a data subject who may be affected.
5. Enforcement
POPI establishes a body known as the Information Regulator
which will act as the enforcement agency with the power to
monitor and enforce compliance. It will also receive and
investigate complaints of violations of POPI and issue codes of conduct for specific sectors. The Information Regulator may also institute civil action for damages at the request of the party whose privacy is breached. This creates the opportunity for the Regulator to act as a form of legal aid assistance for individuals whose rights have been breached but who may not have the means or resources to institute civil action.
You need to designate an internal information officer who must ensure that you comply with the conditions for the lawful processing of personal information contained in POPI. The information officer must register with the Regulator, must deal with requests made under POPI and is responsible for the business’s compliance with POPI.
Seeing that lawyers will be responsible for personal information, they will need to appoint a compliance officer.
POPI also creates significant civil and criminal law exposure where there are breaches. Ensuring efficient working systems to protect the confidentiality of personal information is essential. In addition to the civil remedies, administrative fines not exceeding R10 million may also be enforced depending on the nature and extent of the breach.
6. Cross border transactions
You need to be mindful of the restrictions placed on cross-border transfer of personal information when dealing with clients outside South Africa. Cross border transfers of information are subject to various conditions including the requirement for consent or contractual necessity.
7. Record retention periods
There are provisions dealing with record retention periods of personal information.
Information may not be retained for longer than is necessary to fulfil the original purpose for which it was collected, except where the data subject consents or where the retention of the records is required by law.
What you should be doing differently under POPI
Conduct a gap analysis now
Read the Act. It is not a highly technical piece of legislation and it is easy to comply with, but there are substantial penalties for non-compliance. Do not wait for POPI to be fully operational before taking steps to ensure compliance with its provisions.
Put privacy governance in place
Draft privacy policies and internal rules for handling information.
Mitigate the risk of security breaches
You should ensure that your practice’s operations have information security awareness training for your staff. For example:
— Ensure that laptops and other mobile devices are modern and secure and have strong passwords which are preferably encrypted.
— Keep paper records secure. Do not leave files in your car overnight and lock away information when it is not in use.
— Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task at hand.
— Train your staff on laptop data storage and mobile service security;
— Put procedures in place to limit who can access certain information on those devices and your practice’s computer system;
The United Kingdom’s Information Commissioner’s Office (ICO) has published the following useful tips on its website (www.ico.org.uk):
— Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
— When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
— Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
— If you are disposing of an old computer, or other device, make sure all the information held on the device is permanently deleted before disposal.
Revisit contracts which relate to the handling of personal
information
Your contracts with your service providers should ensure
that they have adequate safeguards and should contain the
necessary indemnities.
Start putting in place these systems and safeguards so that
you are ready to comply when POPI is fully operational after
the grace period of a year from the effective date.
Sandra Sithole
Director, Insurance practice
Litigation and Dispute Resolution Department
Norton Rose Fulbright South Africa
Tel +27 011 685 8935
[email protected]