Discovery Life has disclosed detailed personal information about roughly 1 000 clients in court documents it lodged as part of a High Court application against one of its former brokers.
Broker Devan de Meyer resigned from the firm to join independent broking house MedBond. Concerned that he would contact clients to lure them away from the group, Discovery Life filed an urgent application in the Johannesburg High Court on September 10, asking the court to prohibit De Meyer from “contacting, enticing or soliciting away” any of the clients listed in five annexures accompanying its notice of motion.
The annexures list the names, identity numbers, landline and mobile numbers as well as e-mail addresses of the clients in question and effectively put the information in the public domain. Court documents are in principle public documents and can be accessed by the public.
The court refused to entertain Discovery Life’s application, citing a lack of urgency and ordered it to pay the wasted costs.
Responding via e-mail to questions, Discovery denied any wrongdoing, saying that its former employee’s alleged unlawful conduct left it with “no alternative” but to approach the court with proof that a breach had taken place to protect its clients’ data.
Court documents show that De Meyer resigned from Discovery Life under the apparent impression that the client book he previously serviced would be transferred to him at MedBond, as was ostensibly the case with some other brokers. Discovery denies that De Meyer had any basis to assume he was entitled to do so, as there was no such undertaking and there is no written evidence thereof.
In its founding affidavit, Discovery asks the court to protect it from the “unlawful interference” by De Meyer and draws the court’s attention to the employment contract with De Meyer which requires him to return all its assets upon resignation, which it says De Meyer ignored.
“[The] respondent appears intent on contacting Discovery clients for the purposes of enticing and/or soliciting those clients away from the Discovery group.”
In his answering affidavit, De Meyer denies that he ever provided Discovery with cause to believe that he intended to breach the terms of his employment contract. “I am well aware of the fact that should Discovery decline to transfer these clients and in the event of the above Honourable Court enforcing the restraint of trade, that I shall not be permitted to act in a manner contrary thereto. It is for precisely this reason that I have not breached the provisions of the agreement but sought to transfer the client book by legal means,” he says.
Unless settled, the matter will be heard in court in due course.
It is unclear why Discovery deemed it necessary to divulge the personal details of these clients in such detail when it seems possible that it could have used an alternative way of identifying the clients without putting their personal information in the public domain.
In e-mailed answers on this issue, Discovery said it detected that De Meyer unlawfully took confidential client details without its consent, that he shared [these details] with an unauthorised third party, and that he has refused to return [the information] despite their various requests in that regard.
“For this reason alone, we initiated urgent legal proceedings to protect the information he had stolen. Discovery applied to the Johannesburg High Court to interdict Mr Meyer [sic] from using any of this information and to ensure its return. Discovery is taking all reasonable and necessary steps to have this information returned, and to prevent its misuse in respect of the employment contract with Mr Meyer [sic], which is designed specifically for the protection of our clients.
“It is the very result of our data protection software and the full-time data monitoring systems that we have in place, that we were able to establish the theft and the nature of information taken. Under the circumstances, we had no alternative but to approach the court with proof that a breach had taken place in order to protect our clients’ data,” it adds.
De Meyer disputes this in court documents: “I deny that I had removed the client files in order to prejudice the applicant in any way.” His further affidavit notes that the content of the e-mails referred to is largely personal information that does not belong to Discovery and includes confidential information, but that he would make it available to the court if it so wishes.
Discovery contends that the Protection of Personal Information (PoPI) Act (Sections 6 and 11) caters specifically for circumstances such as this and provides an exemption for disclosure to be made to the court to demonstrate breach.
It says its submission contained no medical details, policy information and investment details which it believes the advisor to be in possession of. The objective of Discovery’s actions in this instance is “solely” to protect client information.
“To this end, as an additional precaution Discovery requested the Judge to seal the court papers – and it is now in the process of being sealed.”
The insurer says it has contacted all the affected clients by phone.
Discovery says it goes to significant lengths to ensure that any information, including personal information, provided by clients or which is collected from third parties, is stored in a secure manner and is constantly protected from unauthorised access.
“We commit to managing personal information in a transparent and fair manner, in full compliance with the letter and spirit of all applicable laws, as we have done in this instance.”
But these events raise serious concerns about the safety of personal information in the hands of corporations.
Consumer law attorney Trudie Broekmann says the PoPI Act has only been partially implemented. The only portions of the Act that already apply are ones allowing government to set up the Information Regulator and make regulations.
Broekmann says if PoPI had applied, it would in her view have prevented the applicant from disclosing the personal information of its clients (the ‘data subjects’) as it appears the precondition of minimality and reasonability have not been met, as the information does not appear to be necessary for purposes of the court application.
The ‘data subjects’ whose information was disclosed by the applicant can already complain to the Information Regulator, she adds.
Broekmann says the disclosure of the personal information may also be in breach of the code of conduct for financial services providers under the Financial Advisory and Intermediary Services (FAIS) Act in that the applicant has apparently failed to obtain its clients’ consent before making their personal information public. This she claims may also amount to the applicant failing to treat its clients fairly, reasonably and justly. The disclosure of the clients’ information, in this case, was, in her view, neither in the public interest, nor required by law.
“Any unhappy clients of the applicant can also complain to the Ombudsman for Long-term Insurance or the FAIS Ombud.”