Document 394733

A joint publication of the Attorneys Fidelity Fund and the Attorneys Insurance Indemnity Fund NPC
(A Non Profit Company, Registration No. 93/03588/08)
RISKALERT
NOVEMBER 2014 NO 5/2014
RISK MANAGER’S COLUMN
IN THIS EDITION
RISK MANAGER’S COLUMN
Claims trends as at 30 June 2014
1
GENERAL PRESCRIPTION MATTERS
Important Notice from Prescription Alert
2
FRAUD ALERT
RAF MATTERS
Adjustment of statutory limit for loss of income/
loss of support as at 31 July 2014
Article by the Risk Manager: Why do RAF claims
prescribe?
Prescription of claims in terms of Section 17(4)(a)
undertakings by the Road Accident Fund? 3
3
4
CONVEYANCING MATTERS
Details of a new SCAM A case study
5
5
GENERAL PRACTICE
Amendment to Magistrates’ Court rules
(June 2014)
Sandra Sithole writes about the duty of attorneys
to protect personal information (in terms of POPI)
I
n response to numerous requests from the
profession, Prescription Alert will be extending its services. Please read the important
notice about this on page 2.
6
6
Please note that our contact details have changed – (see below)
NEW SCAM : Imposters intercepting
e-mails and changing payee’s
banking details
Please read more on page 5.
We have received requests from
practitioners who would like their
staff to be put on a mailing list
to receive electronic copies of the
Risk Alert Bulletin and notifications
about new case law and legislation.
GRAPH 1: TOTAL INCURRED RAND VALUES* BY CLAIM TYPE FOR
THE 2013 INSURANCE YEAR (AS AT 30 JUNE 2014)
Commercial 3 608 880,43
Conveyancing 5 752 535,66
General
Prescription 4 904 100,00
Litigation 5 077 252,13
Total 47 993 609,28
MVA
Prescription 21 885 272,03
Attorneys Fidelity Fund, 5th Floor, Waalburg Building,
28 Wale Street, Cape Town 8001 • PO Box 3062, Cape Town, 8000,
South Africa, Docex 154 • Tel: (021) 424 5351 • Fax: (021) 423 4819
E-mail: [email protected] • Website: www.fidfund.co.za
DISCLAIMER
Please note that the Risk Alert Bulletin is intended to provide
general information to practising attorneys and its contents are not
intended as legal advice.
If you would like us to put you
and your staff on our mailing list,
please send your request (with the
e-mail addresses of the recipients)
to Lucia Snyman ([email protected]).
CLAIMS TRENDS
AIIF: Ann Bertelsmann, Risk Manager, Aon, Risk Solutions,
1256 Heuwel Avenue, Centurion 0127 • PO Box 12189, Die Hoewes
0163 • Docex 24 , Centurion • Tel: 012 622 3900
• Website: www.aiif.co.za • Twitter handle: @AIIFZA
Prescription Alert, 2nd Floor, Waalburg Building, 28 Wale Street,
Cape Town 8001 • PO Box 3062, Cape Town, 8000, South Africa,
Docex 149 • Tel: (021) 422 2830 • Fax: (021) 422 2990
E-mail: [email protected] • Website: www.aiif.co.za
Ann Bertelsmann,
Risk Manager
Other 3 854 569,03
The R21.9 million total-incurred
value of prescribed RAF claims
represents around 45.6% of the total
incurred value for the 2013 year of
insurance as at 30 June 2014.
General prescription claims taken
MVA Under settlement 2 911 000,00
together with the prescribed RAF
claims add up to R26.7million.
Prescription claims overall make up
55% of the total incurred value for
the 2013 year of insurance (as at 30
June 2014).
RISKALERT
RISK MANAGER’S COLUMN continued...
Graph 2: 2008 to 2013 years by VALUE as at June (12 months)
Graph 2 illustrates how, over the past six years, conveyancing claims values have decreased, while those of
RAF prescriptions have steadily increased and those of litigation claims have remained fairly stable.
GENERAL PRESCRIPTION MATTERS
Important Notice
The Board of the AIIF has agreed to extend the services offered by Prescription Alert (PA), to allow
for the registration of general civil matters, where prescription is governed by contract or by the
Prescription Act 68 of 1969.
Because there are numerous variables in the calculation of prescription dates for these matters,
it will be the practitioners’ sole responsibility to provide the correct prescription date for their
individual matters. PA cannot take responsibility for checking the accuracy of the prescription
dates provided.
As is the case with statutorily time-barred matters, the service offered by PA will be provided
merely as a back-up to practitioners’ own diary systems.
Please contact Lucia Snyman at (021) 422 2830 / [email protected] for more information.
2 Risk Alert Bulletin NOVEMBER 2014
RISKALERT
RAF MATTERS
ADJUSTMENT OF STATUTORY LIMIT IN RESPECT OF
CLAIMS FOR LOSS OF INCOME AND LOSS OF SUPPORT
The amount referred to in subsection 17(4)(c) of the Road
Accident Fund Act has been adjusted to R 24 120, with effect
from 31 July 2014.
WHY DO RAF CLAIMS PRESCRIBE?
Why the ongoing and escalating problem of RAF
claims prescribing in the hands of practitioners?
O
n page 1 we have reported that prescribed RAF claims
make up around 45.6% of the total incurred value of
claims for the 2013 insurance year, as at 30 June 2014.
This is an alarming statistic!
Because these claims are PREVENTABLE they attract a higher
deductible than other claim types. What can practitioners do to
prevent RAF claims from prescribing? We need to look at some
of the reasons why these claims prescribe in spite of reminders
being sent from Prescription Alert.
The major problem of course, is the fact that most often the
practice’s senior attorneys/directors are not aware of what their
junior/inexperienced employees are doing. They allow them
to take on RAF matters and deal with them without proper
supervision from start to finish. The most common problems we
come across are:
Wrong application or misunderstanding of the law. For example, the practitioner forgets or does not know:
— that for so-called “hit and run” matters, there is a two-year
period within which to lodge the claim – even where the claimant
is a minor or someone under a disability;
— that a medical report can be obtained from another medical
practitioner who treated the claimant, if the medical report cannot be obtained (See s24(2) (a):…….Provided that, if the medical
practitioner or superintendent (or his or her representative) concerned fails to complete the medical report on request within a
reasonable time and it appears that as a result of the passage
of time the claim concerned may become prescribed, the medical
report may be completed by another medical practitioner who has
fully satisfied himself or herself regarding the cause of the death
or the nature and treatment of the bodily injuries in respect of
which the claim is made); or
— what constitutes substantial compliance (See Mlenzana v Goodrick & Franklin Inc, 2012 (2) SA 433 FB) and Nkisimane and
Others v Santam Insurance Co Ltd 1978 (2) SA 430 (A) at 435H
– 436A for a discussion of the minimum information that has to
be supplied for substantial compliance.
Failure to take note of new case law. For example, where certain legislation had been declared unconstitutional or ultra vires
and the practitioner told the client that:
— s/he had no claim or a very limited claim as a passenger in a
taxi (being unaware of the decision Mvumvu and Others v Minister of Transport and Another (CCT 67/10) [2011] ZACC 1, where
the restrictions on s18 (1) passengers’ claims were declared un-
constitutional – resulting in the enactment of the Road Accident
Fund (Transitional Provisions) Act 15 of and the 2012);
— s/he had no claim against the RAF as a passenger injured in
a single vehicle collision, where her university student daughter
was the driver (being unaware of the decision in Vanessa da Silva v Road Accident Fund and the Minister of Transport ZAFSHC
1349/2008 24/01/2014 – confirmed in the Constitutional Court
[2014] ZACC21);
— s/he had no claim where s/he was involved in a “hit and run”
accident, where there was no physical contact between the vehicles
(being unaware of the decision in Bezuidenhout v Road Accident
Fund (355/2002) [2003] ZASCA 69; [2003] 3 All SA 249 (SCA) in
which Reg 2(1)(d) of the regulations promulgated in terms of s 26 of
the Road Accident Fund Act 56 of 1996 was held to be ultra vires);
Failure to understand the duties of an attorney to protect
client’s interests. For example: the client fails to pay a deposit,
provide important documents, respond to letters, attend consultations and the practitioner withdraws when prescription is imminent without ensuring that client knows his/her rights. (See
Mlenzana v Goodrick & Franklin Inc, 2012 (2) SA 433 FB);
Failure to timeously obtain information from the SAPS with
regards to the accident report and docket. The practitioner fails
to follow up/visit the SAPS;
Using the incorrect date for prescription
— The client gives the incorrect date of accident and the practitioner calculates the prescription date by reference to this incorrect date, failing to pick up the error from the correct dates in the
accident reports and medical records;
— The practitioner miscalculates the date of prescription, for example where the accident date is 1 January 2009 he records the
prescription date as 1 January 2012;
— The client gives the practitioner the incorrect registration
number of the insured vehicle and the identified vehicle claim
becomes an unidentified vehicle claim;
The person dealing with the matter leaves the firm and either:
— Does no work on the matter and allows it to prescribe before
s/he leaves the firm (a supervision problem) or
— Leaves the firm without properly handing the file over to
someone else in the firm (absence of or non-adherence to minimum operating standards and procedures);
The file does not come out of diary because:
— It is not properly diarised;
— There is no reliable diary system;
— The file cannot be found because of an inadequate filing system and filing rules;
— The file is lost in a pile of files on the floor/desk/windowsill
or behind a cabinet;
Non-adherence to PRESCRIPTION ALERT reminders
We are concerned about the number of RAF claims being allowed
to prescribe in practices, often even where the matters have been
registered with Prescription Alert.
At present, reminders are sent only to the person responsible for
the RAF claim file. This leaves no safety net where, for example,
the responsible person:
— Leaves the firm and the reminder does not come to the attention of the person who has taken over the matter;
Risk Alert Bulletin NOVEMBER 2014 3
RISKALERT
RAF MATTERS continued...
— Leaves the firm, no one takes over the matter – and the reminder does not come to anyone else’s attention ;
— Leaves the firm, taking the matter with him and not notifying
Prescription Alert of his new contact details;
— Does not see the reminder or act on it timeously because it is
put into a bottomless pile of correspondence for a filing clerk to
put on files or bring with files;
— Ignores the reminder.
(In order to mitigate the risk of situations like the above happening,
Prescription Alert will, in future, require the contact details of a
second person in the firm - preferably a person that the responsible
person reports to. Duplicate reminders will be sent to the second
person, as back-up.)
Another practice takes over a file or a number of files from a
firm and fails to study the contents before prescription;
The matter is taken on too close to prescription and the practitioner is unable to lodge/serve summons in time;
The client cannot be contacted because the practitioner has
taken insufficient contact details (Details of next of kin/family/
friends/employer should be sourced at the first consultation);
The firm’s messenger fails to deliver the claim documents
in time (This happens usually because lodgement is left to the
very last minute and because of inadequate instructions or lack of
proper training);
Counsel fails to settle the particulars of claim in time for service of summons (The practitioner is responsible for ensuring
that this is done well in time);
The sheriff fails to serve summons in time (The practitioner is
responsible for ensuring that this is done well in time);
The action is brought in the incorrect court;
After the claim has been lodged, settlement negotiations
distract the practitioner from thinking about prescription and
serving summons in time;
The practitioner thinks he does not have a mandate but client
thinks he does. Very often there is confusion about this and the
Courts tend to favour the client. Make sure you have given the
claimant a timeous letter of withdrawal or a letter of non-engagement (it must come to his/her attention) ;
Not getting any feedback from the South African Police Service (SAPS) with regards to the accident report and the attorneys’
not following up/visiting the SAPS (See Mlenzana v Goodrick &
Franklin Inc, 2012 (2) SA 433 FB);
Not getting any feedback from the relevant hospital with regards to the hospital and medical records and the attorneys not
following up/visiting the hospital or obtaining a report from another medical practitioner (s24(2)(a).
Diarising the file ahead for long periods of time. For some
reason, where there is a matter against the RAF, practitioners often tend to leave investigations and lodgement to the very last
minute. (Typically in files where there is a claim for an RAF prescription, the file contains the mandate, client’s signed authority
to obtain medical records and first letters to the hospital and the
SAPS – all attended to in the first few weeks after the first consultation. Thereafter, the file is diarised ahead and nothing happens
for a year or so. The file comes out of diary and a follow-up letter
might be sent to the SAPS or hospital. The file is then re-diarised );
Leaving to the last minute, the obtaining of medico-legal reports/RAF 4 reports.
This list is not exhaustive, but senior practitioners are
4 Risk Alert Bulletin NOVEMBER 2014
requested to ensure that there are systems and standards
in place to ensure that junior staff is properly trained and
supervised to avoid making these avoidable errors.
Ann Bertelsmann
[email protected]
I
n the May 2013 Bulletin, at page 4, we wrote about Judge
Satchwell’s scathing observations about the conduct of
both the plaintiff’s and defendant’s attorneys in her judgment in the matter of Motswai v Road Accident Fund , GSJ
(case 2010/17220, 7/12/2012).
In a recent judgment- to be welcomed by the profession - the
Supreme Court of Appeal has overturned Judge Satchwell’s
findings regarding the conduct of the attorneys. See Motswai
v RAF (766/13) [2014] ZASCA 104 (29 August 2014)
Prescription of claims in respect of undertakings
by the Road Accident (RAF) in terms of Section
17(4)(a) of the Road Accident Fund Act 56 of
1996 (RAF Act)?
P
rofessor Hennie Kloppers has drawn our attention to the
practice of the RAF, in attempting to escape liability for the
payment of medical costs, whereby it contends that such
claims have prescribed (in terms of the Prescription Act 68
of 1969) if they are submitted more than three years after the
expenses have been incurred.
He has referred us to the judgment in E Niemann v Road Accident
Fund unreported case no 1549/2007 (NGHC), in which the Court
held that the Prescription Act of 1969 was applicable.
In his article in the Journal of Contemporary Roman-Dutch Law
(JCRDL), 2014 (77) at page 491, Professor Kloppers concludes
that:
“First, the Prescription Act of 1969 is not applicable to claims in
terms of the Road Accident Fund Act and second, a request
for payment in terms of section 17(4)(a) cannot be subject
to prescription because such request simply constitutes a
request for delayed payment of already proven compensation
claimed and proven in terms of the unitary common law claim
of section 17(1) of the Act and cannot under any circumstances
be a new and independent claim which is susceptible to
prescription. Any other interpretation would deny a third
party claimant compensation to which he or she is legally
entitled and will consequently be contrary to the object of the
RAF which essentially is to protect the third party from loss of
compensation.”
We are advised that another such matter is due to be heard shortly,
in the North Gauteng High Court. We will keep practitioners
advised of developments.
In the interim, as a precaution, it may be wise to warn clients to
submit their claims before the expiry of a period of three years
from the date on which the expenses are incurred.
Ann Bertelsmann
RISKALERT
CONVEYANCING MATTERS
SUCCESSFUL APPEAL TO THE CONSTITUTIONAL COURT
against the SCA’s order against the conveyancer in Royal
Anthem Investments 129 (Pty) Ltd v Yuen Fan Lau and
another (941/2012 [2014].
See RAB 3 and 4/2014 and Stopforth, Swanepoel & Brewis
Inc v Royal anthem Investments 129 (Pty) Ltd and Others
[2014] ZACC 26.
NEW CONVEYANCING SCAM JULY 2014
W
e have been advised of a new scam involving a slightly
different modus operandi from the one doing the rounds
for the past two years.
In one such matter, after a property sale had been cancelled, the
conveyancer needed to refund the deposit to the purchaser. He
sent an e-mail to the purchaser’s Gmail address, advising her
that the refund would be paid into the FNB account from which
the payment had been generated. He received an e-mail response
stating that the FNB account had been temporarily discontinued.
He thereafter received an e-mail with details of an account held
with Nedbank, into which the refund should be paid and he duly
made the payment using electronic banking.
In the meantime, the purchaser received e-mails (ostensibly from the
conveyancer) apologising for the delay in the transfer of the funds.
By the time the conveyancer became aware that the Nedbank
account did not belong to the purchaser, all the money had been
withdrawn from the account.
On closer examination it became clear that the e-mails sent to
the conveyancer, ostensibly by the purchaser, in fact came from
a Gmail address that was almost identical to the purchaser’s
address. One letter had been swapped around - for example the
address [email protected] became [email protected] The
conveyancer did not notice the slight discrepancy.
E-mails which the real purchaser received, ostensibly from the
conveyancer, also came from an almost identical address – for
example the address [email protected], became
[email protected] The purchaser did not notice the
slight discrepancy.
It seems that the fraudster was somehow able to intercept the
Gmails sent to the purchaser’s genuine Gmail address.
He then appears to have opened accounts with similar addresses
to those of the conveyancer and purchaser.
This enabled him to send messages to the conveyancer and the
purchaser, which at first glance, came from their genuine e-mail
addresses.
WE WARN ALL PRACTITIONERS TO BE EXTREMELY VIGILANT
WHEN RECEIVING ANY INSTRUCTIONS VIA E-MAIL,
PARTICULARLY WHERE THEY CONTAIN INSTRUCTIONS TO
MAKE PAYMENTS.
Carefully check the e-mail address to ensure that it is
IDENTICAL to the one on file.
Please give the party who ostensibly sent the e-mail a call at a
verifiable contact number. DO NOT USE A NUMBER PROVIDED
IN THE E-MAIL CONCERNED! Do not pay out on an e-mail
instruction alone.
Attorneys should not have possibly unreliable e-mail
addresses like Gmail, Yahoo, Webmail, Ymail and Hotmail. If
the client has such an address, then it might be a worthwhile
precaution to follow up any e-mail sent to that address with a
short telephone call to ensure that important correspondence
has in fact been received by the correct recipient.
NEVER PAY TRUST MONEY INTO AN ACCOUNT WITHOUT
VERIFYING THE BANKING DETAILS. YOU NEED TO HAVE A
FICA POLICY IN PLACE AND TO FOLLOW IT TO THE LETTER,
WITHOUT EXCEPTION.
A case study
A
conveyancer was instructed to draft a lease agreement, after
assisting with negotiations in concluding the agreement with
client’s prospective tenants. One of the terms agreed to was that
the rental would increase at the rate of 10% per annum.
The secretary, in calculating the rental repayments mistakenly
added an amount of R10.00 instead of 10% to the rental for the
second year. The problem was compounded when she made the
same error in the calculation for the third year.
How did this happen? What are the risk management
implications of this error?
Attention to detail
The secretary who made the error was clearly not paying attention or properly applying her mind to the task at hand. She
should have checked the document and her calculation. Had she
been concentrating, she would have realised that the rental increase was much too small and did not make commercial sense.
Emphasis should be placed on the importance of accuracy, when
employing and training employees in an attorneys practice and
especially those who work in the conveyancing department.
There should be sanctions for breaches of the firm’s policies in
this regard.
See Margalit v Standard Bank of SA Ltd(883/2011) [2012]
ZASCA 208 (3 December 2012)
“To avoid causing such harm, conveyancers should ...be fastidious
... and take great care in the preparation of documents”
Document checking
It is good risk management practice, not only to check the accuracy of your own documents, but also to call upon a colleague
to critically check your document with a fresh pair of eyes.
Ideally, your Minimum Operating Standards manual should contain provisions for the checking of important calculations, documents and correspondence.
Supervision
The secretary should have been better supervised by the conveyancer and not left to her own devices. It was ultimately the conveyancer’s responsibility to ensure the correctness of the work
delegated to her.
File audit
All practices should have a system of file audits in place. Had
the file been properly audited, there is a good chance that this
glaring error would have been picked up before it was repeated
in subsequent years.
Ann Bertelsmann, Risk Manager
[email protected]
Risk Alert Bulletin NOVEMBER 2014 5
RISKALERT
GENERAL PRACTICE
IMPORTANT ANNOUNCEMENT
The Legal Practice Act 28 of 2014 (LPA) was signed
into law on 20 September 2014 and gazetted in the
Government Gazette no 38022 of 22 September 2014.
DEPARTMENT JUSTICE AND CONSTITUTIONAL
DEVELOPMENT
No. R. 507
June 2014
RULES BOARD FOR COURTS OF LAW ACT,1985
(ACT NO. 107 OF 1985) AMENDMENT OF RULES
REGULATING THE CONDUCT OF THE PROCEEDINGS
OF THE MAGISTRATES’ COURTS OF SOUTH AFRICA
The Rules Board for Courts of Law has, under section
6 of the Rules Board for Courts of Law Act, 1985 (Act
No. 107 of 1985), with the approval of the Minister of
Justice and Constitutional Development, made the rules
in the Schedule.
Does this apply to your practice?
L
egalbrief of 8 July 2014, quotes from an article in
the British Law Gazette
“In most industries, basic IT competence is not a
matter of education. It is a necessary business skill that
everyone is expected to have, like being able to answer the
phone or write an e-mail….. However…. IT is a problem
for lawyers – because the billable hour is a disincentive
to efficiency and training. Charging clients per six-minute
interval means that the lawyers who struggle with simple
office tools or legal-specific applications get paid more for
the same work than those who use IT effectively. Learning
how to use software is ‘non-billable time’…The problem
was highlighted by Kia Motors corporate counsel D Casey
Flaherty, who created a basic technology competence
audit which he made part of his external counsel selection
process. His findings were as he expected – all the firms
failed his test because lawyers spent far too long on
straightforward tasks.”
Please note that:
a number of new forms have been substituted for the old ones
in Annexure 1 of the rules
the amendments have implications for divorce actions or actions for nullity of marriage
the amendments to the rules change a number of procedures,
affecting inter alia:
— R5 (summons)
— R6 pleadings generally
— R9 (service of process)
— R12 (default judgment)
— R13 (appearance to defend)
The duty of attorneys to protect
personal information
T
he Protection of Personal Information Act 4 of
2014 (“POPI”) (effective date still to be set) creates
significant exposure for businesses that process
the personal information of individuals and juristic
persons, by regulating how those businesses handle, keep
and secure that information.
— R18 (offer to settle)
Attorneys almost by definition process their clients’ most
personal information and will be affected by POPI when it
comes into operation.
— R21 (close of pleadings – R21B added -barring)
Definitions of role-players
— R14 (summary judgment)
— R22 (set-down of trial)
— R23 (discovery)
— R25 (pre-trial)
— R28 (intervention, joinder, consolidation of actions)
R28A (third party procedure)
48 (administration orders)
R55 (applications)
R55A ( amendment of pleadings)
R56 (arrests tanquam suspectus de fuga, interdicts etc)
R58 (maintenance pendente lite, contribution towards costs, interim custody and access)
R60 (non-compliance with rules)
6 Risk Alert Bulletin NOVEMBER 2014
A responsible party is a public or private body or any other
person which alone or in conjunction with others, determines
the purpose and means for processing personal information
of a data subject.
A data subject is the person to whom personal information
relates.
A professional legal adviser means any legally qualified
person, whether in private practice or not, who lawfully
provides a client, at his or her or its request, with independent,
confidential legal advice.
The Regulator means the Information Regulator established
in terms of section 39.
RISKALERT
GENERAL PRACTICE
The information officer (of a private body) means the head of
a private body as contemplated in section 1 of the Promotion
of Access to Information Act.
What does POPI do?
POPI regulates the way in which personal information of
data subjects is collected, used, secured, disseminated and
destroyed by responsible parties. Personal information
is widely defined and encompasses a range of information
relating to an identifiable living person (in the extended
sense). It includes things such as race, gender, marital status,
age, health, religion, education and company contact details
including name, e-mail addresses and telephone numbers.
The processing covers the entire cycle of collection of
information right through to its destruction and everything
in between.
POPI sets out eight principles for the lawful processing of
personal information which are an adaptation of the EU
Directive on Data Protection and the UK Data Protection Act.
The principles for lawful processing of information are:
Accountability
Process limitation
Purpose specification
Further processing limitation
Information quality
Openness
Security safeguards
Data subject participation
What you need to know about POPI in relation to your
practice
1.
Consent
The common feature of POPI is the requirement of consent
for the processing of personal information. However, as
attorneys, you do not need your client’s consent to process
information in the course of undertaking legal work in terms
of a mandate for the provision of legal services. This is
because POPI allows the processing of information if this is
necessary for the performance of a contract between you and
the client.
There is a category of sensitive information, for example,
relating to children (i.e. under the age of 18) and special
personal information (including private information relating
to religious beliefs, race, trade union membership, health
or sex life, biometrics or criminal offices) which is subject
to more onerous processing obligations and you need to be
mindful of those.
2.
Confidentiality
Personal information must be kept confidential and must not
be disclosed unless required by law or unless such disclosure
continued...
is necessary for the performance of your obligations in terms
of the contract for legal services with your client. You are
permitted to disclose personal information necessary in the
course of legal work.
3.
Security safeguards
The biggest exposure for attorneys under POPI relates to
the provisions dealing with security safeguards of personal
information held by responsible parties or by third parties.
POPI requires attorneys to take reasonable measures to
prevent the loss of or damage to or the unauthorised
destruction of personal information that is in their possession.
You must ensure that you and any third party who processes
personal information on your behalf establish and maintain
the security measures required by POPI.
You need to assess your own security risks and whether any
service providers who process information on your behalf,
for example, outsource companies such as debt collectors,
have considered and implemented good security safeguard
measures.
Because lawyers process intensely private information of
clients, their systems need to be modern and secure.
To illustrate, a monetary penalty of £120 000 was issued by
the UK Information Commission Office (ICO) against Stoke-onTrent City Council following a serious breach of the UK Data
Protection Act of 1998, which led to sensitive information
about a child protection legal case being e-mailed to the
wrong person. A solicitor employed by the data controller
was working on a child protection case and erroneously sent
11 e-mails (intended for counsel instructed on the case) to
the wrong e-mail address. The e-mails varied in sensitivity
but some of them contained confidential and highly sensitive
personal data about the non-accidental injuries sustained
by a child, together with medical information relating to
two adults. The e-mails also contained a brief to counsel
suggesting directions and miscellaneous comments about
the conduct of the case. The solicitor had typed in the wrong
e-mail address (she had a new IT system and did not have
access to her stored contact list). She acted in breach of the
data controller’s IT protocols because she did not mark the
e-mail protectively and did not send it via a secure network.
4.
Mandatory notification of data breach
You must inform the Regulator if you have reasonable grounds
to believe that personal information has been accessed or
acquired by an unauthorised person. The Regulator may
direct that a data breach be publicised if such publicity would
protect a data subject who may be affected.
5.
Enforcement
POPI establishes a body known as the Information Regulator
which will act as the enforcement agency with the power to
monitor and enforce compliance. It will also receive and
investigate complaints of violations of POPI and issue codes
Risk Alert Bulletin NOVEMBER 2014 7
RISKALERT
GENERAL PRACTICE continued...
of conduct for specific sectors. The Information Regulator
may also institute civil action for damages at the request
of the party whose privacy is breached. This creates the
opportunity for the Regulator to act as a form of legal aid
assistance for individuals whose rights have been breached
but who may not have the means or resources to institute
civil action.
example:
You need to designate an internal information officer who
must ensure that you comply with the conditions for the
lawful processing of personal information contained in POPI.
The information officer must register with the Regulator,
must deal with requests made under POPI and is responsible
for the business’s compliance with POPI.
— Ensure that laptops and other mobile devices are modern
and secure and have strong passwords which are preferably
encrypted.
Seeing that lawyers will be responsible for personal
information, they will need to appoint a compliance officer.
— Keep paper records secure. Do not leave files in your car
overnight and lock away information when it is not in use.
POPI also creates significant civil and criminal law exposure
where there are breaches. Ensuring efficient working systems
to protect the confidentiality of personal information is
essential. In addition to the civil remedies, administrative
fines not exceeding R10 million may also be enforced
depending on the nature and extent of the breach.
— Consider data minimisation techniques in order to ensure
that you are only carrying information that is essential to the
task at hand.
6.
Cross border transactions
— Train your staff on laptop data storage and mobile service
security;
— Put procedures in place to limit who can access certain
information on those devices and your practice’s computer
system;
The United Kingdom’s Information Commissioner’s Office
(ICO) has published the following useful tips on its website
(www.ico.org.uk):
— Where possible, store personal information on an encrypted memory stick or portable device. If the information is
properly encrypted it will be virtually impossible to access it,
even if the device is lost or stolen.
You need to be mindful of the restrictions placed on crossborder transfer of personal information when dealing with
clients outside South Africa. Cross border transfers of
information are subject to various conditions including the
requirement for consent or contractual necessity.
— When sending personal information by email consider
whether the information needs to be encrypted or password
protected. Avoid the pitfalls of auto-complete by double
checking to make sure the email address you are sending the
information to is correct.
7.
— Only keep information for as long as is necessary. You
must delete or dispose of information securely if you no longer need it.
Record retention periods
There are provisions dealing with record retention periods of
personal information.
Information may not be retained for longer than is necessary
to fulfil the original purpose for which it was collected, except
where the data subject consents or where the retention of the
records is required by law.
What you should be doing differently under POPI
Conduct a gap analysis now
Read the Act. It is not a highly technical piece of legislation
and it is easy to comply with, but there are substantial
penalties for non-compliance. Do not wait for POPI to be fully
operational before taking steps to ensure compliance with its
provisions.
Put privacy governance in place
Draft privacy policies and internal rules for handling
information.
Mitigate the risk of security breaches
You should ensure that your practice’s operations have
information security awareness training for your staff. For
8 Risk Alert Bulletin NOVEMBER 2014
— If you are disposing of an old computer, or other device,
make sure all the information held on the device is permanently deleted before disposal.
Revisit contracts which relate to the handling of personal
information
Your contracts with your service providers should ensure
that they have adequate safeguards and should contain the
necessary indemnities.
Start putting in place these systems and safeguards so that
you are ready to comply when POPI is fully operational after
the grace period of a year from the effective date.
Sandra Sithole
Director, Insurance practiceLitigation and Dispute
Resolution Department
Norton Rose Fulbright South Africa
Tel +27 011 685 8935
[email protected]