An introduction to the protection of personal information in the healthcare practice
| Site: | GoodX Software Learning Centre |
| Course: | Data Management |
| Book: | An introduction to the protection of personal information in the healthcare practice |
| Printed by: | Guest user |
| Date: | Sunday, 19 July 2026, 5:02 AM |
Table of contents
- 1. Privacy in South Africa
- 2. Purpose, Application & Content of the POPIA
- 3. The meaning of POPIA words
- 4. Role players - who is who?
- 5. POPIA Relationships
- 6. The 6 grounds for lawful processing
- 7. Example analysis of 7 relationships, roles & lawful grounds of processing
- 8. The 8 conditions for lawful processing of PI
- 8.1. Accountability (Section 8 & Regulation 4)
- 8.2. Purpose Specification (Section 13-14)
- 8.3. Processing Limitation (Sections 9-12)
- 8.4. Further Processing Limitation (Section 15)
- 8.5. Information quality (Section 16)
- 8.6. Openness (Sections 17-18)
- 8.7. Security Safeguards (Sections 19-22)
- 8.8. Data Subject Participation (Sections 23-35)
- 9. Additional rights & responsibilities
- 10. Practical implementation observations
1. Privacy in South Africa
Topics
- What is privacy?
- How is privacy infringed?
- How is privacy protected?
- Common law
- The constitution
- Other legislation
- Codes of conduct - the HPCSA ethical rules
- The protection of personal information act (POPIA)
- Why care about knowing all about POPIA?
- Mitigation of damages
- Benefits
- Abbreviations.
1. What is privacy?
One of the big questions to ask oneself is: “What is privacy?”
"Privacy can be defined as an individual condition of life characterised by seclusion from the public and publicity. This condition embraces all those personal facts which the person concerned has himself determined to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private."
Neethling’s Law of Personality 2005 50
2. How is privacy infringed?
Infringement is committed by
- intrusion into the private sphere of individuals, e.g.
- Reading of private documents
- Sending unsolicited communication
- disclosure of private information, which is information pertinent to the private domain which a DS wishes to be kept private, e.g.
- Sharing information about a patient's health and wellbeing
- Disclosing facts which have been wrongfully obtained
3. How is privacy protected?
The healthcare industry is in possession of a lot of sensitive and confidential Personal Information (PI) of patients and so healthcare practitioners have a huge responsibility towards patients to keep that information safe. Practitioners are used to keeping such PI confidential, as the ethical rules of the HPCSA and other legislation deals with patient confidentiality.
There are however other relationships that the practice also has to consider as falling under the provisions of the POPIA.
South Africa has always protected the right to privacy by:
3.1. Common law
The Common law has always protected the right to privacy by means of the law of delict. (Personality rights = Right to body, life, physical liberty, a good name, dignity, feelings, privacy, identity.)
3.2. The Constitution
Section 14 of the Constitution of South Africa protects the right to privacy.
3.3. Other legislation
Examples would be:
Children’s Act 38 of 2005
13. Information on health care
13. (1) Every child has the right to -
(a) have access to information on health promotion and the prevention and treatment of ill-health and disease, sexuality and reproduction;
(b) have access to information regarding his or her health status;
(c) have access to information regarding the causes and treatment of his or her health status; and
(4 confidentiality regarding his or her health status and the health status of a parent, care-giver or family member, except when maintaining such confidentiality is not in the best interests of the child.
( 2 ) Information provided to children in terms of this subsection must be relevant and must be in a format accessible to children, giving due consideration to the needs of disabled children.
Choice on Termination of Pregnancy Act 92 of 1996
5 Consent
(3) In the case of a pregnant minor, a medical practitioner or a registered midwife, as the case may be, shall advise such minor to consult with her parents, guardian, family members or friends before the pregnancy is terminated: Provided that the termination of the pregnancy shall not be denied because such minor chooses not to consult them.
Disaster Management Act 52 of 2002
- Forced screening & testing allowed without consent of DS
- Contact tracing regulations ito the act allow for limitation of privacy rights e.g. the tracing database.
The Electronic Communications and Transactions Act 25 of 2002
- Prohibits the unauthorised access to or interception of information
- Prevents unauthorised intentional interference resulting in modification, rendering ineffective or destruction of information - for instance computer viruses,
- Prevents the overcoming of security measures which protect data, Computer related fraud, forgery and extortion, for example hackers that plant Ransomware and keep a practice’s data at ransom.
3.4. Codes of conduct - the HPCSA ethical rules
Core ethical value nr 8 speaks specifically to Confidentiality between practitioners and patients in saying “Health care practitioners should treat personal or private information as confidential in professional relationships with patients - unless overriding reasons confer a moral or legal right to disclosure.”
BOOKLET 1:
5.3 INFORMED CONSENT
Health care practitioners should:
5.3.1 Give their patients the information they ask for or need about their condition, its treatment and prognosis.
5.3.2 Give information to their patients in the way they can best understand it. The information must be given in a language that the patient understands and in a manner that takes into account the patient’s level of literacy, understanding, values and belief systems.
5.3.3 Refrain from withholding from their patients any information, investigation, treatment or procedure the health care practitioner knows would be in the patient’s best interests.
5.3.4 Apply the principle of informed consent as an on-going process
5.3.5 Allow patients access to their medical records
For detailed information consult the HPCSA Ethical Booklet on Informed Consent
5.4 PATIENT CONFIDENTIALITY
Health care practitioners should:
5.4.1 Recognise the right of patients to expect that health care practitioners will not disclose any personal and confidential information they acquire in the course of their professional duties, unless the disclosure thereof is:
- made in accordance with patient’s consent;
- made in accordance with the court order to that effect;
- required by law; or
- in the interest of the patient.
5.4.2 Not breach confidentiality without sound reason and without the knowledge of their patients
5.4.3 When claiming from medical schemes explain to patients the significance of ICD-10 coding and get the permission of patients to breach confidentiality when making a medical scheme claim.
3.5. The Protection of Personal Information Act 4 of 2013 (POPIA)
Personal Information is a valuable commodity and it has become more and more difficult for individuals to retain autonomy over their private information.
The POPIA has been signed into law on 13 November 2013. On 1 July 2020 the provisions were promulgated (put into effect) and all persons or companies coming into contact with personal data have one year to become compliant with the provisions of the act.
The questions to ask about the POPIA is:
1. What does the POPIA require?
2. How do we implement the provisions of the POPIA, since the act provides lots of principles, but no specific examples and we don’t yet have a body of case law to understand how the principles will be applied by the South African courts.
In drafting the POPIA, our legislator used the predecessor of the European General Data Protection Regulation 2016/679 (EU) or GDPR, as a template, thus making its provisions on par with international law. There are obviously some differences between these bodies of legislation, but the general principles are the same and it helps us in South Africa to be able to see how other countries have implemented the GDPR so that we can implement the POPIA provisions here in South Africa.
Take note: care must be taken not to indiscriminately implement the practical applications of the GDPR into our South African circumstances, as the legal instruments differ in some ways.
4. Why care about knowing all about POPIA?
1. Mitigation of damages
The practice can suffer many kinds of damages, of which the least are the fines prescribed in the POPIA.

Examples of these damages can be:
- Financial loss due to e.g. unplanned expenses for updated IT security
- Loss of Business continuity due to e.g. loss of patient data;
- Reputational damages, which is loss of goodwill, due to patients bad mouthing the practice;
- Litigation that is time consuming and might result in more financial loss;
- Contractual losses due to clients cancelling contracts with the practice or never returning to the practice
- Lastly the fines that can be incurred from the IR - which is actually not a big risk if the practice co-operates with the IR after a security breach.
2. Benefits

Examples of benefits are:
- Compliance provides a means for the practice to reassess old practices and processes. The practice can save operational costs when processing of PI is researched and streamlined, which often cuts out unnecessary processing and work.
- Being compliant obviously reduces legal risk, therefore leading to further cost saving.
- When clients and patients feel confident in the way the practice is handling their PI, the chances of word of mouth marketing by patients and the retainer of clients and patients are huge.
5. Abbreviations
The following abbreviations will be used in this guidelines book:
|
POPIA |
Protection of Personal Information Act 4 of 2013 |
| PAIA | Promotion of Access to Information Act 2 of 2000 |
|
PI |
Personal Information |
|
SPI |
Special Personal Information |
|
RP |
Responsible Party |
|
DS |
Data Subject |
|
CP |
Competent Person |
|
IR |
Information Regulator (State) |
|
IO |
Information Officer (Private) |
| DIO | Deputy Information Officer |
|
LIA |
Legitimate Interest Assessment |
|
PIIA |
Personal Information Impact Assessment |
2. Purpose, Application & Content of the POPIA
Topics
- The purpose of the POPIA
- The application of the POPIA
- Content of the POPIA
The following information will lay a foundation to an understanding of the rights and responsibilities applicable when dealing with Personal Information.
1. The purpose of the POPIA:
- To give effect to the constitutional right to privacy, by safeguarding PI when processed by a RP, subject to justifiable limitations that are aimed at
- balancing the right to privacy against other rights, particularly the right of access to information; and
- protecting important interests, including the free flow of information within the Republic and across international borders.
- To regulate the manner in which PI may be processed, by establishing 8 conditions, in harmony with international standards, that prescribe the minimum requirements for the lawful processing of personal information;
- To provide persons with rights and remedies to protect their PI from processing that is not in accordance with this Act; and
- To establish voluntary and compulsory measures, including the establishment of an IR, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.
This therefore means that the flow of information is a necessary right and is protected, so that normal day to day life and activities can continue. The act is written not to stop the good guys from using information, but to stop the bad guys from infringing on the rights of Data Subjects.
This Act must be interpreted in a manner that—
- gives effect to the purpose of the Act set out in section 2; and
- does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of PI and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of PI.
In summary, the POPIA:
- Promotes the protection of PI
- Protects the free flow of information
- Establishes minimum requirements for the manner of processing (the 8 conditions & other responsibilities.)
- Establishes the IR & remedies
- Provides protection against
- unsolicited electronic communications (direct marketing)
- automated decision-making (profiling e.g. to make guestimates based on previous acquisitions.)
- Regulates the trans-border flow of information.
2. The application of the POPIA
The POPIA is applicable when Personal Information is processed by private and public bodies.- Processing involves the following with regards to PI:
- Collection
- Use
- Sharing
- Further processing
- Storage/retention
- Destruction.
- Processing must comply with the 8 conditions required by the POPIA for the lawful processing of personal information.
The POPIA applies to the exclusion of any provision of any other legislation that regulates the processing of PI and that is materially inconsistent with an object, or a specific provision of the POPIA. If any other legislation provides for conditions for the lawful processing of PI that are more extensive than those set out in Chapter 3, the extensive conditions prevail.

The POPIA does NOT apply to processing of the following PI
- of deceased persons
- for personal / household activity
- that is permanently de-identified
- for national security, cabinet, courts
- for journalistic, literary, artistic expression (freedom of expression)
3. Content of the POPIA
It is helpful to understand the framework into which the provisions of the POPIA are set: The POPIA is divided into 12 chapters, each dealing with different subjects.
Chapter 1 - Definitions & Purpose of POPIA
Chapter 2 - Application & Interpretation of POPIA
Chapter 3 - 8 Conditions for lawful processing of Personal Information
Part A - General provisions: 8 Conditions of processing
Part B - Processing of Special Personal Information
Part C - Processing of Personal Information of Children
Chapter 4 - Exemption from conditions for processing
Chapter 5 - Supervision - the two enforcers of the provisions of the Act
Part A - Information Regulator (Government body)
Part B - Information Officer (Private body)
Chapter 6 - Prior Authorisation
Chapter 7 - Codes of Conduct
Chapter 8 - Direct Marketing
Chapter 9 - Enforcements
Chapter 11 - Offences, Penalties & Fines
Chapter 12 - General Provisions
3. The meaning of POPIA words
Topics
- Person
- Private body
- Personal Information
- Special Personal Information
- Process
- Record
- Unique identifiers
- Consent
Person
A natural person OR a juristic person. This is a significant difference from the application of the European GDPR, as the GDPR does not include protection of PI of juristic / legal persons.
Private body
A private body means one of three things:
- It can mean a natural person who carries on or has carried on any trade, business or profession, but only in such capacity, in other words a sole proprietor.
- It can mean a partnership which carries or has carried on any trade, business or profession.
- It can mean any former or existing juristic person, but excludes a public body.
Take note: A person can therefore be part of a private body, and a private body is defined in connection to the business or profession and needs to appoint an Information Officer with the Information Regulator.
Personal Information (PI)
Information relating to a person who is
- identifiable;
- living natural / existing juristic.
There is no limited list in the Act, but the following information is included (* is SPI):
- Body - race*, gender, sex life*, pregnancy, sexual orientation, age, colour
- Status - marital, nationality, ethnicity*, social origin
- Medical - health* (physical & mental), well-being, disability, biometrics*
- Beliefs - religion*, conscience, opinions, views, preferences, philosophical beliefs*
- Behaviour - criminal if only alleged / sub iudice*
- Background - language, culture, birth
- Numbers - ID, symbols, email & physical address, tel nr, location, online ID
- Correspondence - original / further identifying to original
- Name if it links person to other personal information
Notes:
- Deceased persons fall outside the ambit of the POPIA.
- This is not a closed list - just examples of PI.
- Biometric is defined as a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition - could also include photographs of the person.
Special Personal Information (SPI)
SPI is information pertaining to:
- the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a DS; or
- the criminal behaviour of a DS to the extent that such information relates to:
- the alleged commission by a DS of any offence; or
- any proceedings in respect of any offence allegedly committed by a DS or the disposal of such proceedings.
May only process with consent of DS, or
- To exercise right / obligation in law / international law
- For statistical & research purposes to serve public interest & disproportionate effort to ask for consent
- Health & sex life: healthcare practitioners / healthcare institutions / insurance co / medical schemes & administrators may process to comply with contract (Sec 32)
Process
Processing means any operation or activity or any set of operations, whether or not by automatic means, concerning PI, including:
- the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use;
- dissemination by means of transmission, distribution or making available in any other form; or
- merging, linking, as well as restriction, degradation, erasure or destruction of information.
Processing of PI must always be done lawfully.
Record
A record is ANY recorded information regardless of form or medium. A record must be in possession OR under control of the RP.
The record does not have to be created by RP and it does not matter when the data came into existence.
Unique identifiers
A unique identifier means any identifier that is assigned to a DS and is used by a RP for the purposes of the operations of that RP and that uniquely identifies that DS in relation to that RP.
The RP may process a unique identifier without the prior authorisation of the IR if:
- the purpose of the processing of the unique identifier is the same for which the identifier was specifically intended at collection and the unique identifier is linked together with information processed by other RPs (e.g. switching to medical aids - the purpose of collection is to submit to the medical aids and link it to the medical aid's database); or
- the RP transfers special personal information or the PI of children to a third party in a foreign country that provides an adequate level of protection for the processing of personal information.
Consent
Consent is
- any voluntary
- specific
- informed expression of will
in terms of which permission is given for the processing of PI.
All three elements of consent MUST be present before there can be lawful consent.
4. Role players - who is who?
Topic
Roles involved in the processing of PI- Data Subject
- Child
- Competent Person
- Responsible Party
- Information Officer
- Employee
- Operator
- Information Regulator
Roles involved in the processing of PI
Understanding your role in relation to the PI you are processing is crucial to ensure compliance with the POPIA and the fair treatment of individuals. Your obligations under the POPIA will vary depending on your role in the different relationships you have and therefore your rights and obligations will differ. You should take the time to assess and document the role of each relationship the practice has with regards to PI and processing activities.The following roles are involved in the processing of PI:

In the above image you can see that the practice could either be a DS or a RP. In relationships where others process the PI of the practice, the practice will be the DS and will have the rights of the DS. If the practice is a RP, the practice needs to
make sure to comply with the obligations imposed by the POPIA.
1. The Data Subject (DS)
The person to whom PI relates:
- Adult natural live person
- Makes own decisions OR
- Mentally disabled + assisted by CP
- Child natural live person
- Under 18 years
- NOT legally competent
- Assisted by a CP
- Juristic person
2. The Child
A natural person under the age of 18 years who is NOT legally competent to take any action or decision in respect of any matter concerning him or herself. The child has to be assisted by a CP, e.g. to give consent for the processing of PI.
Take note: if a law allows a child to obtain medical procedures without the knowledge or consent of a CP, the RP may process PI without further consent of a CP.
See the chapter on additional rights & responsibilities with regards to the processing of PI of children.
3 The Competent Person (CP)
Any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child or legally incompetent person (e.g. a mentally disabled person).
Examples of CPs: parents or legal guardians.
4. The Responsible Party (RP)
A private body or public body* or any other person which, alone or in conjunction with others:
- determines the purpose of processing &
- determines the means for processing PI &
- is located in South Africa.
The RP takes full responsibility and accountability for the lawful processing of the DS's PI and the responsibility cannot be delegated to e.g. employees or Operators.
* A public body means
- Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
- Any other functionary or institution when
- exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
- exercising a public power or performing a public function in terms of any legislation.
5. The Information Officer (IO)
The head of a private body:
- in the case of a natural person, that natural person or any person duly authorised by that natural person
- in the case of a partnership, any partner of the partnership
- in the case of a juristic person
- the chief executive officer (CEO) or equivalent officer of the juristic person; or
- the person who is acting as such.
The IO can appoint a DIO to assist the IO with compliance. Even though the role can be delegated, it is important to note that the accountability of the RP cannot be delegated away from the head of the entity.
6. The Employee
A person working under the direct control of the Responsible Party. This could be practitioners or administrative staff.
It is essential that the Responsible Party (Employer) make sure that the HR procedures and Standard Operating Procedures (SOP) of the practice be POPIA compliant. More about this in later chapters.
7. The Operator
A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.
It is therefore a third party data processor, like a cloud provider. Section 20 of the POPIA requires that:
- the mandate be written - The GoodX Licence Agreement fulfills this requirement;
- there must be proper security measures in place - the GoodX Cloud's data security will be discussed in a later chapter;
- the responsibility and accountability remains with the Responsible Party.
8. The Information Regulator
The Information Regulator established in terms of Section 39 - the government body that regulates the processing of PI.
Duties:
- Education & advice
- Monitoring & enforcing compliance
- Consultation with interested parties
- Handling of complaints
- Conducting research & reporting to Parliament
- Issueing codes of conduct for sectors
- Facilitating cross-border cooperation.
This diagram illustrates how the IR and IO work together to enforce the provisions of the POPIA:

4.1. Checklist: Who is who? RP / OP

4.2. Rights of the Data Subject
Topics
A DS has the right to have his, her or its PI processed in accordance with the 8 conditions for the lawful processing of PI, including the rights of:- Notice
- Access
- Correction / destruction
- Objection against processing (general)
- Objection against direct marketing
- Not to receive unsolicited electronic communication
- Not to be subjected to decisions based on profiling
- Submission of complaints to the IR
- Instituting civil action
1. Notice
- The DS has the right to be notified that
- personal information about him, her or it is being collected as provided for in terms of section 18; or
- his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22 - in other words when a security breach has occured.
- See chapter on Openness.
2. Access
- To establish whether a RP holds PI of that DS and to request access to the PI.
- See chapter on DS Participation.
3. Correction / Destruction
- To request, where necessary, the correction or destruction of his, her or its personal information.
- See chapter on Purpose specification.
4. Objection against processing (general)
- The DS can object, on reasonable grounds relating to his, her or its particular situation to the processing of his, her or its personal information.
- See chapter on the 6 grounds for processing.
5. Objection against direct marketing
- The DS kan object to the processing of his, her or its PI at any time for purposes of direct marketing.
See chapter on additional rights and responsibilities.
- See chapter on additional rights and responsibilities.
6. Not to receive unsolicited electronic communication
- The DS has the right not to have his, her or its PI processed for purposes of direct marketing by means of unsolicited electronic communications.
- See chapter on additional rights & responsibilities.
7. Not to be subjected to decisions based on profiling
- Not to be subjected, under certain circumstances, to a decision which is based solely on the basis of the automated processing of his, her or its PI intended to provide a profile of such person.
- See chapter on additional rights and responsibilities
8.Submission of complaints to the IR
The DS has the right to submit complaints to the IR- if the DS is of the opinion that his or her PI has been unlawfully processed
- regarding the alleged interference with the protection of the PI of any DS
- in respect of a determination of an adjudicator.
9. Instituting civil action
The DS has the right to institute legal action against a RP if the DS is of the opinion that his/her PI has been unlawfully processed. The DS can also request the IR to institute legal action on his/her behalf should the DS not have the financial capability to institute action by him/herself.
4.3. Responsibilities of the Information Officer
Topic
- Responsibilities of Information Officers
1. Responsibilities of Information Officers
With the coming into force of the POPIA, the role of the Information Officer as governed by the PAIA has expanded.
Section 55 of the POPIA read together with Regulation provide that the IO is responsible for, amongst other things:
- ensuring that the RP complies with the conditions of lawful processing of PI
- deals with requests made to the RP
- works with the IR in relation to any investigations conducted in accordance with the relevant provisions of the POPIA
- ensure a compliance framework is developed, implemented, monitored and maintained
- attend to a PIIA to ensure that adequate measures and standards exist within the RP in order to comply with the various conditions for lawful processing of PI as contemplated in the POPIA
- ensure that a manual as contemplated in the PAIA is developed, monitored, maintained and made available
- ensure that internal employee awareness sessions are conducted regarding the provisions of POPIA.
The position of the IO is an automatic appointment, but the IO is required to register with the IR prior to taking up their duties as an IO under POPIA.
The RP is entitled to appoint as many Deputy Information Officers (DIO) as may be necessary to perform the duties placed on the IO. However the RP must carefully consider who will take the position of DIO. Selecting the right individual for this role is important because if a DIO fails to perform the duties delegated to them, it could have adverse implications for not only the RP but also the IO.
5. POPIA Relationships

6. The 6 grounds for lawful processing
Topics
- Contract
- Legislation
- Legitimate interests of the DS
- Legitimate interests of the RP / 3rd party
- Consent
- How to choose?
There are 6 lawful grounds for processing in terms of Section 11 of the POPIA:
- Is it necessary
for the conclusion or performance of a contract
?
- Is it necessary for compliance with legislation?
- Are you protecting a legitimate interest of the DS? (They can object.)
- Are you pursuing a legitimate interest of your practice or a third party? (They can object.)
- Do you have the consent of the DS / CP? (You should consider this as a last resort.)
- Are you a public body performing a public law duty? (They can object.)
- As this guidelines book does not deal with public bodies, we will not discuss ground number 6.
- See the Checklist: When may we process?
1. Contract
The RP can process PI if the processing is necessary to carry out actions for the conclusion or performance of a contract to which the DS is party.
Examples:
- Processing PI of a patient who contracts the practitioner for healthcare services.
- Sharing PI of a patient with the medical aid so that the account can be settled.
- Processing PI of an employee.
- Processing PI of a parent / guardian / other party who takes responsibility for settlement of the account on behalf of a patient, be it a minor patient or not.
- Processing PI of a bureau.
2. Legislation
The RP can process PI if the processing complies with an obligation imposed by law on the responsible party.
Examples:
- Processing PI of a patient in terms of the obligations imposed by the HPCSA with regards to minimum information to be kept for medical records.
- Processing PI of employees to comply with the SARS tax provisions.
- Processing PI of patients to co-operate with Healthcare Inspectors.
3. Legitimate interests of the DS
The RP can process PI if the processing protects a legitimate interest of the data subject.
Examples:
- Processing PI to save the life of the unconcious emergency patient (without the co-operation of the patient, there can be no contract).
- Obtaining next of kin information from an employee, the next of kin being another DS, in order to be able to contact the next of kin in case of an emergency.
- Sending a patient's PI to the medical aid for pre-authorisation of a procedure.
4. Legitimate interests of the RP / 3rd party
The RP can process PI if the processing is necessary for pursuing the legitimate interests of the RP or of a third party to whom the information is supplied.
Take note: A LIA (see chapter on Legitimate interest processing & LIA) must be completed if the practice is to rely on this ground for processing PI so that it is reportable.
Examples:
- The practice hands the patient over to a debt collecting company. This is to pursue the interest of the practice. No patient will give consent for this! ;-)
- The practice shares information with the employer of the patient in an injury on duty claim to pursue the legitimate interest of the third party, the patient employer.
5. Consent
The RP can process PI if the DS or a CP where the DS is a child consents to the processing.
As per the definition of consent, there are three elements of consent that need to be present in order for a RP party to rely on consent of the DS as a legal ground for processing PI:
- It must be voluntary;
- It must be specific;
- It must be informed so that a DS can truly consent to processing.
From these it is quite obvious that consent should be the last resort for processing PI, as there are numerous problems with the application of consent:
Example: A person is employed by the practice and included in the practice's employment contract is a consent form in terms whereof the employee gives consent that the practice may have access and the right to read the work emails received and sent by the employee by means of the practice's business email allocated to the employee.
Let's look at the pitfalls of consent as a lawful ground for processing:
- Voluntary: In some European countries the courts are now finding that those consents are not voluntary, as the employee is not on the same bargaining level as the employer. If any processing based on consent is found to lack the voluntary element, processing will be deemed illegal.
- Specific: Consent can never be open ended. The processing and processing purpose must be clearly defined. General consent is not good enough to fulfil the requirement of specific consent. Consent needs to deal with the what, why, how, where and in each instance whether information will be given to anyone else.
- Informed: The RP must be able to prove that the DS understood how his or her PI will be processed.
- Burden of proof: The RP bears the burden of proof that the DS consented to the processing of PI and if it is not in writing, it can be a serious problem.
- Withdrawal of consent: The DS can withdraw their consent at any time, whereafter the RP will not be able to process the PI anymore. This can lead to unworkable situations.
6. How to choose your lawful ground?
- This depends on your specific purposes and the context of the processing. You should think about why you want to process the PI, and consider which lawful ground best fits the circumstances.
- You might consider that more than one ground applies, in which case you should identify and document all of them from the start.
- You must not adopt a one-size-fits-all approach. No one ground should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the POPIA.
- Several of the lawful grounds relate to a particular specified purpose – a legal obligation, performing a contract with the individual or protecting someone’s legitimate interests. If you are processing for these purposes then the appropriate lawful ground may well be obvious, so it is helpful to consider these first.
- In other cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is your relationship with the individual?
- Are you in a position of power over them?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Are you able to stop the processing at any time on request?
- You may prefer to consider legitimate interests as your lawful ground if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them.
- On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.
6.1. Checklist: When may we process PI?

6.2. Legitimate Interest Processing & LIA
Topics
- The three part test
- Legitimate Interest Assessments (LIA)
- How do we decide the outcome?
- What happens next?
- How does this tie in to PIIAs?
1. The three part test
Legitimate interests is the most flexible lawful ground for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s PI in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
There are three elements to the legitimate interests ground. It helps to think of this as a three-part test. You need to:
- The purpose test (identify the legitimate interest);
- The necessity test (consider if the processing is necessary); and
- The balancing test (consider the individual’s interests).
Purpose test
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
Necessity test
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
Balancing test
You must balance your interests against the DS. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
2. Legitimate Interest Assessments
A LIA is a simple risk assessment based on the specific context and circumstances of processing. A LIA provides the opportunity to ask yourself the right questions about your processing and objectively consider what the reasonable expectations of the DS are and any impact of the processing on them. It is necessary to keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required.
Conducting a LIA helps you ensure that your processing is lawful. It helps you to think clearly and sensibly about your processing and the impact it could have on the individual.
As your LIA determines if the legitimate interests ground applies, you must perform it before you start processing the PI. You cannot start processing the PI retrospectively try and apply legitimate interests. Your processing is unlawful without a lawful ground, and this will lead to inevitable breaches of transparency and accountability requirements.
The LIA doesn’t have to take any particular form, but you need to address each part of the three-part test and record the outcome. You should record all the relevant factors, whether or not they support your conclusion, as this shows that you have taken everything into account prior to making your decision.
How do we do the purpose test?
You need to identify your purpose and decide whether it counts as a legitimate interest. Be as specific as possible, as this helps you when it comes to the necessity and balancing tests.
You should ask:
- Why do you want to process the data?
- What benefit do you expect to get from the processing?
- Do any third parties benefit from the processing?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- What is the intended outcome for individuals?
- Are you complying with other relevant laws?
- Are you complying with industry guidelines or codes of practice?
- Are there any ethical issues with the processing?
How do we do the necessity test?
You must consider carefully whether the processing is actually necessary for the purpose you have identified in step one.
You need to ask:
- Will the processing actually help you achieve your purpose?
- Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?
- Can you achieve your purpose without processing the data, or by processing less data?
- Can you achieve your purpose by processing the data in another more obvious or less intrusive way?
Be honest in your consideration of whether the processing is necessary. If on the face of it there are potentially other less intrusive alternatives you need to be clear in your LIA why these are not reasonable alternatives.
If you find it difficult to explain how the processing helps achieve your objective, or there are many alternative methods which simply aren’t your chosen business model, you may need to go back to step one and be more specific about your purpose. A clearly defined purpose should make the necessity test easier to navigate.
How do we do the balancing test?
You need to consider the interests and fundamental rights and freedoms of the individual, and whether these override the legitimate interests you have identified.
There is no exhaustive list of what you should take into account when conducting the balancing test. However you should as a minimum consider:
- the nature of the PI you want to process;
- the reasonable expectations of the individual; and
- the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate negative impacts.
1. Nature of the data
You need to think about the sensitivity of the PI you intend to process.
For example:
- Is it SPI?
- Is it criminal offence data?
- Is it another type of data that people are likely to consider particularly ‘private’, for example financial data?
- Are you processing children’s data or data relating to other vulnerable individuals?
- Is it data about people in their personal or professional capacity?
The more sensitive or ‘private’ the data, the more likely the processing is to be considered intrusive or to create significant risks to the individual’s rights and freedoms. For example, by putting them at risk of unlawful discrimination. You are likely to need a more compelling reason to use this type of data, and take particular care to put adequate safeguards in place.
In contrast, if the processing involves PI which is considered less sensitive or private, such as that of individuals in their work capacity, then it may be that the impact is less (although you should still give some thought to the likely impact).
Example
An employer asks its employees to provide emergency contact details of a family member or friend in case they have an accident or become seriously ill at work.
It is not practical for the employer to have consent from the family or friends of all its employees in order to process their contact details for the purposes of being used in an emergency. The employer therefore considers if the legitimate interests ground applies.
The employer considers that being able to contact an individual’s designated family member or friend in an emergency is a legitimate interest as a responsible employer. It also notes that it is in the interests of the employee that a family member or friend knows about the emergency and likewise it is in the interests of nominated person to be told.
It decides that asking employees to provide the PI of other individuals is necessary for this purpose and that there is no other reasonable way of achieving the purpose.
The employer goes on to consider the balancing test. It takes into account that the data that it will be processing is not sensitive (names and contact details) and determines that the impact of holding these details in case of an emergency is minimal. The employer decides that only its HR department will have access to the contact details and will ensure that these details can only be used in an actual emergency. It determines that the balance favours their legitimate interest in processing the data.
2. Reasonable expectations
You need to consider whether people will reasonably expect you to use their data in this way in the particular circumstances. See the information in the chapter on Processing limitation for more on the reasonable manner of processing.
3. Impact and safeguards
You need to consider the potential impact on individuals and any damage that your processing might cause.
Firstly, you should consider whether your processing is of a type inherently likely to result in a high risk to individuals’ rights and freedoms. In other words, you need to do a risk assessment to consider whether your processing might cause any harm to individuals’ interests, rights and freedoms, even if this falls short of a high risk. You should in particular think about whether your processing might contribute to:
- a barrier to individuals exercising their rights (including but not limited to privacy rights);
- a barrier to individuals accessing services or opportunities;
- any loss of control over the further use of PI;
- physical harm;
- financial loss, identity theft or fraud; or
- any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).
You should look at both the likelihood and severity of any harm.
If you identify the potential for a high risk (either due to a chance of severe harm or a high likelihood of some harm), you need a much more compelling legitimate interest to satisfy the balancing test. You need to demonstrate that your legitimate interests can override a serious impact. This also triggers the need for a PIIA to assess those risks in more detail.
If you identify a lower risk of some harm, you need to weigh this against the potential benefits of the processing.
You may also wish to consider if there are any safeguards that you could put in place to reduce or mitigate this risk. For example could you collect less data, or provide individuals with an opt-out?
3. How do we decide the outcome?
You need to weigh up all the factors identified during your LIA for and against the processing, and decide whether you still think your interests should take priority over any risk to individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible.
You must be confident that you can show why the benefits of the processing justify any risks you have identified. The more significant the risks, the more compelling your justification must be.
Sometimes the outcome very obviously weighs in one direction in which case making the decision should be straightforward.
Example
A practice is deciding whether to dismiss one of its employees for misconduct. The practice decides that it needs advice about employment law and wants to send details of the employee’s alleged misconduct to its external legal advisors.
Purpose test: the practice needs to be able to manage the performance of its workforce and ensure employees act appropriately. It also needs to ensure that any action it takes is in accordance with its employment law obligations. This is in the legitimate interest business interests of the company. It is also in the legitimate interests of employees that the practice acts fairly and within the law in its dealings with employees.
Necessity test: it is necessary to obtain external legal expertise about the alleged misconduct and the relevant legal framework for this purpose. Only the PI that is relevant to the allegations will be shared with its legal advisors, subject to professional confidentiality obligations.
Balancing test: the data concerns the individual’s professional life rather than private life. There is a clearly defined employer-employee relationship and employees would reasonably expect the practice to process details of professional conduct to manage performance, and to seek legal advice when dealing with potential dismissals. Whilst the sharing of the data might contribute to significant harm to the individual if the advice supports dismissal, it should also help to ensure that the decision is not arbitrary or unlawful. The data is also shared subject to professional confidentiality obligations, which provides a safeguard against other risks or loss of control over the data.
The outcome for the practice having considered all the relevant factors is that the employee’s interests do not outweigh its legitimate interests in obtaining legal advice, and processing is lawful on the ground of these legitimate interests.
In other cases you may find the outcome is harder to determine. If you are not sure, it may be safer to look for another lawful ground. Legitimate interests is not often the most appropriate ground for processing which is unexpected or high risk.
4. What happens next?
If you have conducted your LIA and decided to rely on legitimate interests as your lawful ground, you should not assume that this is where your responsibilities end.
Keep your LIA under regular review. If anything significant changes – such as the purpose, nature or context of the processing – that may affect the balance between you and the individual you should revisit your LIA and refresh it as appropriate.
For example if a new and unforeseen impact of your processing comes to light you need to revisit your LIA and the balancing test, and perhaps consider if any further safeguards are needed.
If your LIA concludes that the impact on individual overrides your legitimate interests, then you are not able to process the data for that particular purpose using the legitimate interest ground. You may be able to consider another lawful ground instead.
If it’s a borderline call and you’re not confident that your interests justify the impact on individuals, then you may also wish to look for other lawful ground. For example you may wish to consider if consent is appropriate, to give the individuals full control over the use of their data.
If your LIA identifies potential high risks to the rights and freedoms of the individual you need to go on to do a PIIA to assess the risks and potential safeguards in more detail.
5. How does this tie in to PIIAs?
There are similarities between a LIA and a PIIA. Both involve considering the purpose of the processing, identifying and assessing risk, and considering possible safeguards.
However a LIA is intended as a simpler form of risk assessment, to prompt you to properly identify your purpose and think about the impact on individuals. You need to do a LIA in any case where you are considering using the legitimate interests ground, whether or not there are any particular reasons for concern. There are no absolute requirements for content or process, as long as you are confident that your processing is justifiable.
By contrast, a PIIA is a much more in-depth end-to-end process, with more specific minimum requirements as to content and process. You only need to do a PIIA if you identify that the processing is of a type considered likely to result in high risk, but you need to do it irrespective of what lawful ground you are considering. If you cannot mitigate risks, you need to consult the IR before you can start processing.
However, there is some overlap between the two and you should recognise this in your processes. In practice, it is sensible to incorporate the PIIA screening checklist for types of processing likely to result in high risk as part of your balancing test as a simple way of identifying risks to individuals.
A LIA is also a potential trigger for a PIIA. If your LIA identifies the potential for high risks to individuals’ rights and freedoms (either because of the severity or likelihood of the harm) then you are likely to need to carry out a PIIA.
You may be able to build on or adapt your LIA into your PIIA. If you have not yet carried out a LIA, there is no need to do both. You can use your PIIA instead of a LIA to demonstrate how legitimate interests applies, as it covers the same ground in more detail.
7. Example analysis of 7 relationships, roles & lawful grounds of processing
In this sub-chapter, we want to use the POPIA relationships diagram as an example of how to decide:
- who is who in a particular POPIA relationship and why?
- what are the grounds for legal processing and why?
Example 1:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the adult patient |
Healthcare services |
| Which role does the patient fulfil? | DS | The practice processes PI of the adult patient (information received directly from the patient) |
| Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Legal ground for processing? | Contract between RP & DS | The practice and patient enter into an agreement in terms whereof the practice is providing healthcare services to the patient. |
Example 2:
| Question | Answer | Reason |
| Relationship under investigation? | The practice and the unconscious adult emergency patient brought in by a family member | Emergency healthcare services |
| Which role does the patient fulfil? | DS | The practice processes PI of the adult patient (information received from another source than the patient = ligitimate in the circumstances) |
| Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Legal ground for processing? | RP protects the legitimate interest of the DS | The practice tries to save the life of the DS, which is a vital interest to be protected. |
Example 3:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the minor patient who is assisted by the parent | Healthcare services |
| Which role does the patient fulfil? | DS | The practice processes PI of the minor patient |
| Which role does the parent fulfil? | CP | The parent is legally competent to assist the minor patient in concluding an agreement in terms whereof the practice is providing healthcare services to the patient. |
| Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Legal ground for processing? | Contract | The practice and minor patient, assisted by the parent, enter into an agreement in terms whereof the practice is providing healthcare services to the patient. |
Example 4:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the parent / guardian of a minor patient who has accepted responsibility for the account | Account collection |
| Which role does the patient fulfil? | None | |
| Which role does the parent fulfil? | DS | The parent provides his/her PI so that the practice can process the information for purposes of collecting fees and expenses. |
| Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Legal ground for processing? | Contract | The practice and the parent enter into an agreement in terms whereof the parent will settle the account for medical services rendered to his/her child. |
Example 5:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the bureau who bills obo the practice | Service provider |
| Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Which role does the bureau fulfill? | Operator | The bureau follows instructions from the practice regarding the processing of the PI of the patient, does not decide on the purpose for processing, do not decide how long to retain the PI, do not decide to whom to disclose etc |
| Legal ground for processing? | Contract | The practice and bureau contract for the rendering of services. Take note: a written operator agreement MUST be concluded ito the POPIA. |
Example 6:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the waste company | Service provider |
| Which role does the practice fulfil in the relationship with the patients whose PI is being destroyed? | RP | The practice decides to collect PI from patients, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Which role does the waste company fulfill? | Operator | The waste company follows instructions from the practice regarding the destruction of the PI of the patient |
| Legal ground for processing? | Contract | The practice and waste company contract for the rendering of services of destruction of patient PI on documents / other medical waste Take note: a written operator agreement MUST be concluded ito the POPIA. |
Example 7:
| Question | Answer | Reason |
| Relationship under investigation? | The practice & the employee of the practice | Employment relationship |
| Which role does the practice fulfil in the relationship with the employee whose PI is being processed? | RP | The practice decides to collect PI from the employee, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
| Which role does the employee fulfil when his or her PI is being processed? | DS | The employee's PI is processed by the practice. |
| Which role does a next of kin fulfil? | DS | The next of kin's PI is processed by the practice. |
| Which role does the employee fulfill with regards to the PI of the practice? | RP | The employee comes into possession of the PI of the practice. |
| Which role does the practice fulfill with regards to the PI of the practice that is shared with the employee? | DS | The practice's data is in possession of the employee. |
| 1st Legal ground for processing? | Legal Obligation to comply with legislation | The practice must report to SARS and therefore needs to process PI of the employee |
| 2nd Legal ground for processing? | Pursuing the legitimate interest of the practice | E.g. Perusing email communication of a work email address belonging to the practice, protects the ligitimate interest of the practice, for instance if information was sent to the email address, and the employee is on sick leave. |
| 3rd Legal ground for processing? | Protecting the legitimate interest of the employee | E.g. Collecting next of kin information in case of an emergency. |
| Legal ground for processing the practice's information by the employee? | Employment contract. | The practice's data is in possession of the employee by virtue of the employment contract. |
In this example it is clear that depending on the type of information and the reason for processing, the legal ground for processing can be determined
8. The 8 conditions for lawful processing of PI
The 8 conditions for lawful processing of PI in terms of Chapter 3 of the POPIA are:
- Accountability
- Purpose Specification
- Processing Limitation
- Further Processing Limitation (secondary use)
- Information Quality
- Openness
- Security Safeguards
- Data Subject Participation
The following diagram illustrates the 8 conditions and their content for the lawful processing of PI:

The next sub-chapters will discuss the content of each condition.
8.1. Accountability (Section 8 & Regulation 4)
Topics
- The Information Officer
- The compliance framework
- The PI Impact Assessments (PIIA)
- Reportable
- Privacy policies
- Internal awareness sessions
1. The Information Officer (IO)
1. The Information Officer (IO)Section 8 of the POPIA places the responsibility on the RP to ensure that the 8 conditions set out in chapter 3 of the act, and all the measures that give effect to such conditions, are complied with
- at the time of the determination of the purpose &
- at the time of the determination of the means of the processing &
- during the processing itself.
It makes the RP
- responsible for complying with the POPIA; and
- responsible for demonstrating compliance.
The practice needs to put in place appropriate technical measures (IT & software etc) and organisational measures (employee structures, tasks & processes) to meet the requirement of accountability.
There are a number of measures that needs to be put in place:
- appointing an Information Officer
- adopting, implementing, monitoring and maintaining a compliance framework
- performing PI impact assessments (PIIA)
- maintaining documentation of your processing activities for auditing and reporting purposes
- implementing privacy policies
- host internal employee awareness sessions to create a culture of privacy protection.
The first measure to put in place, is the appointment of the IO. All private bodies, of which the practice is one, should register the IO with the IR.
One or more DIOs may be appointed to assist the IO with his or her duties, depending on the size of the practice. Your DIO must report to your highest level of management, operate independently, and have adequate resources to carry out their tasks.
Even if you’re not obliged to appoint a DIO, it is very important that you have
- sufficient employees to implement the provisions of the POPIA
- who have relevant skills to perform the duties
- appropriate reporting structures in place to meet your obligations under the POPIA.
Accountability obligations are ongoing. You must continually review and, where necessary, update the measures you put in place.
Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.
2. The compliance framework
Accountability is not a one-time box-ticking exercise. Being responsible for compliance with the POPIA means that you need to be proactive and organised about your approach to data protection while demonstrating your compliance means that you must be able to evidence the steps you take to comply.
To achieve this, you have to put a compliance framework in place - see regulation 4. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your practice. Amongst other things, your framework should include:
- robust program controls informed by the requirements of the POPIA
- appropriate reporting structures
- implement comprehensive but proportionate policies and procedures for handling PI;
- appropriate training to ensure a good level of understanding and awareness of data protection amongst your employees
- assessment procedures
- keeping records of what you do and why.
3. The PI Impact Assessments (PIIA)
A PIIA is an essential accountability tool and is also prescribed by regulation 4. It also helps you to identify and minimise the data protection risks of any new projects you undertake.
When done properly, a PIIA helps you assess how to comply with the requirements of the POPIA, while also acting as documented evidence of your decision-making and the steps you took.
4. Reportable
The practice must be able to
- audit and report on the measures implemented to protect the processing of PI
- report PI breaches to the IR and to the affected DS.
You need to be able to detect, investigate, report (both internally and externally) and document any breaches. Having robust policies, procedures and reporting structures helps you do this.
5. Privacy policies
Policies and procedures provide clarity and consistency, by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies
where proportionate. What you have policies for and their level of detail varies, but effective data protection policies and procedures can help your practice to take the practical steps to comply with your legal obligations.
6. Internal awareness sessions
Employees must be:
- fully aware of the policies and procedures that are relevant to their roles
- provided with induction and refresher training
- assessed so that the practice can report on the awareness of employees.
Ways to meet this requirement:
- Draft policies and procedures and highlight their importance for compliance:
- communicate the policies and procedures to employees
- make the policies and procedure easily available - on an intranet & on paper in the practice (e.g. guidelines, posters or publications that help to emphasise key messages and raise employee awareness of policies and procedures)
- Create an all-employees data protection and information governance training programme:
- incorporate national and healthcare profession-specific requirements
- include training for all employees on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management
- consider the training needs of all employees and use this information to compile the training programme
- assign responsibilities for managing information governance and data protection training and have training plans or strategies in place to meet training needs within agreed time-scales
- have dedicated and trained resources available to deliver training to all employees
- regularly review your programme to ensure that it remains accurate and up to date.
- Create specialised training for specialised roles or functions with key data protection responsibilities (such as DIOs and practice managers) to receive additional training and professional development beyond the basic level provided to all employees:
- complete a training needs analysis for information governance and data protection to inform the training plan and to ensure it is specific to the individual’s responsibilities
- detail training and skills requirements in job descriptions
- have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development
- keep on record copies of the training material provided as well as details of who receives the training.
- Your training programmes must include induction and refresher training for all employees on data protection and information governance:
- appropriate employees, such as the DIO, to oversee or approve induction training
- let employees receive induction and refresher training, regardless of how long they will be working for your practice or their contractual status
- let employees receive induction training prior to accessing personal data and within one month of their start date
- let employees complete refresher training at appropriate intervals
- The practice must keep records to demonstrate that employees understand the training:
- conduct an assessment at the end of the training to test employees' understanding and make sure that it is effective, which could include a minimum pass mark
- keep copies of the training material provided on record as well as details of who receives the training
- monitor training completion in line with the practice's requirements and follow up with employees who do not complete the training
- employees must be able to provide feedback on the training they receive.
- Regularly raise awareness of data protection, information governance and associated policies and procedures in meetings or employees forums. Make it easy for employees to access relevant material:
- have evidence that your practice regularly uses a variety of appropriate methods to raise employees awareness and the profile of data protection and information governance, for example by emails, briefings and meetings, posters and handouts
- make it easy for employees to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.
To be compliant is therefore an ongoing training and awareness project.
8.2. Purpose Specification (Section 13-14)
Topics
- Define processing purpose
- Communicate purpose
- Retention
- Restriction
- Destruction
1. Define processing purpose
PI must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the RP.
This means that it is necessary to define the purpose for collection before collection starts and to document the purposes for collection of different types of PI so that:
- employees know the purposes for collection
- the process is auditable for purposes of reporting during investigations or legal action.
All processing depends on the purpose for which PI is processed, so it will do the practice well to take some time to review all forms where PI is collected and make sure that the purposes are defined, since not all PI is collected for the same purpose.
Examples of different purposes for collection:
- Personal (identifying) particulars of the patient are collected to comply with the minimum requirement of the HPCSA of information to be included in a patient’s medical record.
- Medical aid details are collected so that the practice can submit claims to the medical aid on behalf of patients.
- Next of kin details are collected so that the practice can contact them in case of emergency.
2. Communicate purpose
The RP must take steps to ensure that the DS is aware of the purpose of the collection of the PI unless the exceptions are applicable. (See discussion under the chapter on Openness).This means that forms collecting PI should indicate the purpose of the collection so that it is easy to prove that the DS took congnisance of the purpose for collection.
3. Retention
Records of PI must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed, unless:
- retention of the record is required or authorised by law
- the RP reasonably requires the record for lawful purposes related to its functions or activities
- retention of the record is required by a contract between the parties thereto
- the DS or a CP where the DS is a child has consented to the retention of the record.
Records of PI may be retained for longer periods for historical, statistical or research purposes if the RP has established appropriate safeguards against the records being used for any other purposes.
A RP that has used a record of PI of a DS to make a decision about the DS, must:
- retain the record for such period as may be required or prescribed by law or a code of conduct; or
- if there is no law or code of conduct prescribing a retention period, retain the record for a period which will afford the DS a reasonable opportunity, taking all considerations relating to the use of the PI into account, to request access to the record.
4. Restriction
The RP must restrict processing of PI if:
- its accuracy is contested by the DS, for a period enabling the RP to verify the accuracy of the information;
- the RP no longer needs the PI for achieving the purpose for which the information was collected or subsequently processed, but it has to be maintained for purposes of proof;
- the processing is unlawful and the DS opposes its destruction or deletion and requests the restriction of its use instead; or
- the DS requests to transmit the PI into another automated processing system.
This PI may, with the exception of storage, only be processed for purposes of proof, or with the DS’s consent, or with the consent of a CP in respect of a child, or for the protection of the rights of another natural or legal person or if such processing is in the public interest.
Where processing of PI is restricted as a result of the above reasons, the RP must inform the DS before lifting the restriction on processing.
5. Destruction
A RP must destroy or delete a record of PI or de-identify it as soon as reasonably practicable after the RP is no longer authorised to retain the record as described above.
The destruction or deletion of a record of PI must be done in a manner that prevents its reconstruction in an intelligible form.
8.3. Processing Limitation (Sections 9-12)
Topics
- Lawful manner
- Reasonable manner
- Minimality with regards to the purpose
- The 6 lawful grounds for processing
- Objection
- Lawful sources of collection.
1. Lawful manner
- PI must be processed lawfully, which means that you must have a valid lawful ground in order to process PI.
- We have discussed the lawful grounds for processing. No single ground is better or more important than the others, but it must be determined which ground is most appropriate to use depending on the purpose and relationship with the individual.
- Most lawful grounds require that processing is necessary for a specific purpose. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful ground.
- You must determine your lawful ground before you begin processing, and you should document it.
- Take care to get it right first time - you should not swap to a different lawful ground at a later date without good reason. In particular, you cannot usually swap from consent to a different ground.
- Your privacy notice should include your lawful grounds for processing as well as the purposes of the processing.
- If your purposes change, you may be able to continue processing under the original lawful ground if your new purpose is compatible with your initial purpose (unless your original lawful ground was consent).
- If you are processing SPI / PI of children you need to identify both a lawful ground for general processing and any additional condition for processing this type of PI.
- If you are processing criminal conviction PI or PI about offences you need to identify both a lawful ground for general processing and any additional condition for processing this type of PI.
2. Reasonable manner
- PI must be processed in a reasonable manner that does not infringe the privacy of the DS.
- You need to consider whether people will reasonably expect you to use their PI in this way in the particular circumstances. You should consider all relevant factors, including:
- Do you have an existing relationship with the individual?
- If you have an existing relationship, what is the nature of that relationship?
- How have you used their PI in the past?
- Did you collect PI directly from the DS?
- What did you tell individuals at the time?
- If you obtained the PI from a third party, what did they tell individuals about reuse of the PI by third parties for other purposes?
- How long ago was the PI collected? Are there any changes in technology or other context since that time that would affect current expectations?
- Is your intended purpose and method obvious or widely understood?
- Are you intending to do anything new or innovative?
- Do you have any actual evidence about expectations, eg from market research, focus groups or other forms of consultation?
- Are there any other factors in the particular circumstances that mean they would or would not expect the processing?
- This is an objective test. You do not have to show that every individual does in fact expect you to use their PI in this way. Instead, you have to show that a reasonable person would expect the processing in light of the particular circumstances.
3. Minimality with regards to the purpose
PI may only be processed if, given the purpose for which it is processed, it is:
- adequate &
- relevant &
- not excessive.
The HPCSA & record keeping
The Health Professions Council of South Africa places healthcare practitioners (persons registered with the HPCSA) under an obligation to keep proper medical records.
The HPCSA has published guidelines on the keeping of patient records (HPCSA Pretoria 2008), and compliance with these guidelines is critical for both continuity of patient care and for defending complaints or negligence claims.
A health record is defined as any relevant record made by a healthcare practitioner at the time of or subsequent to a consultation and / or examination or the application of health management, and contains the information about the health of an identifiable individual recorded by a healthcare professional, either personally or at his or her direction.
The following documents are regarded as the essential components of a health record, depending on the nature of the individual case:
- Hand-written contemporaneous notes taken by the health care practitioner;
- Notes taken by previous practitioners attending to health care or other health care practitioners, including a typed patient discharge summary or summaries;
- Referral letters to and from other health care practitioners;
- Laboratory reports and other laboratory evidence such as histology sections, cytology slides and printouts from automated analysers, X-ray films and reports, ECG traces, etc;
- Audiovisual records such as photographs, videos and tape-recordings;
- Clinical research forms and clinical trial data;
- Other forms completed during the health interaction such as insurance forms, disability assessments and documentation of injury on duty;
- Death certificates and autopsy reports.
The HPCSA requires that the following minimum information be included in a patient’s medical record:
- Personal (identifying) particulars of the patient;
- The biological, psychological and social history of the patient, including allergies and idiosyncrasies;
- The time, date and place of every consultation;
- The assessment of the patient’s condition;
- The proposed clinical management of the patient;
- The medication and dosage prescribed;
- Details of referrals to specialists, if any;
- The patient’s reaction to treatment or medication, including adverse effects;
- Test results;
- Imaging investigation results;
- Information on the times that the patient was booked off from work and the relevant reasons;
- Written proof of informed consent, where applicable.
Medical records must be objective recordings of what a health care practitioner has been told or discovered through investigation or examination, must be clear and legible, made contemporaneously and signed and dated. The records should be stored securely for a period of not less than six (6) years from the date on which they become dormant. Adherence to the guidelines can make all the difference with regard to a clinical negligence claim being successfully defended, so it is vital to keep this PI in the pursuit of the legitimate interest of the healthcare practitioner and the practice.
The HPCSA further requires that records should be complete, but concise, containing all the facts and drawn conclusions which are essential for patient care.
4. The 6 lawful grounds for processing
See the chapter
on the 6 lawful grounds for processing.
5. Objection
A DS may object, at any time, to the processing of personal information:
- in terms of the following legal grounds for processing:
- processing protects a legitimate interest of the DS;
- processing is necessary for pursuing the legitimate interests of the RP or of a third party to whom the information is supplied.
- in the prescribed manner, on reasonable grounds relating to his, her or its particular situation, unless legislation provides for such processing; or
- for purposes of direct marketing as discussed in the chapter of additional rights & responsibilities.
If a DSt has objected to the processing of PI in as mentioned above, the RP may no longer process the PI.
6. Lawful sources of collection
Section 12 of the POPIA states that all Personal information must be collected directly from the DS, with the following exceptions:
- if the information is contained in or derived from a public record - take note that the internet is not a public record held by a public body and information collected from the internet is therefore not applicable to this rule
- if the information has deliberately been made public by the DS
- the DS or a CP where the DS is a child has consented to the collection of the information from another source
- collection of the information from another source would not prejudice a legitimate interest of the DS;
- collection of the information from another source is necessary:
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997)
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated
- in the interests of national security
- to maintain the legitimate interests of the responsible party or of a third party to whom the information is supplied
- compliance would prejudice a lawful purpose of the collection
- compliance is not reasonably practicable in the circumstances of the particular case.
8.4. Further Processing Limitation (Section 15)
Topics
- Purpose
- Lawful grounds
1. Purpose
Once we collect PI for a specified purpose, can we use it for other purposes (secondary use)?
The POPIA does not ban this altogether, but there are restrictions. In essence, if your purposes change over time or you want to use PI for a new purpose which you did not originally anticipate, you can only go ahead if the further processing is in in accordance or compatible with the purpose for which it was originally collected.
To assess whether further processing is compatible with the purpose of collection, the RP must take account of:
- the relationship between the purpose of the intended further processing and the purpose for which the information was originally collected (is there any link between your original purpose and the new purpose?)
- the nature of the information concerned (the nature of the PI – e.g. is it particularly sensitive)
- the consequences of the intended further processing for the DS
- the manner in which the information has been collected
- any contractual rights and obligations between the parties (the context in which you originally collected the PI – in particular, your relationship with the individual and what they would reasonably expect)
As a general rule, if the new purpose is either:
- very different from the original purpose
- would be unexpected to the DS
- would have an unjustified impact on the DS
Example:
A general practitioner discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.
2. Lawful grounds
The further processing of personal information is not incompatible with the purpose of collection if:
- the DS or a CP where the DS is a child has consented to the further processing of the information
- the information is available in or derived from a public record
- the information has deliberately been made public by the DS
- further processing is necessary:
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue as defined in section 1 of the South African Revenue Service Act, 1997 (Act No. 34 of 1997)
- for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated
- in the interests of national security
- the further processing of the information is necessary to prevent or mitigate a serious and imminent threat to:
- public health or public safety
- the life or health of the DS or another individual
- the information is used for historical, statistical or research purposes and the responsible party ensures that the further processing is carried out solely for such purposes and will not be published in an identifiable form; or
- the further processing of the information is in accordance with an exemption granted by the IR.
8.5. Information quality (Section 16)
Topics
A RP must take reasonably practicable steps, with regards to the purpose for which PI is collected or further processed, to ensure that the PI is:- Complete
- Accurate
- Not misleading
- Updated
1. Complete
A record can be accurate, but incomplete.
Examples:
- Submission of claims to medical aids that have incomplete patient information can result in unnecessary unpaid claims, adding an unnecessary financial burden to the DS.
- Incomplete PI can lead to erroneous patient treatment, e.g. a patient can have allergic reactions to medications prescribed due to incomplete allergies data.
2. Accurate
This refers to the correctness of a record.
Examples:
- A failure to update contact details of a patient can lead to PI coming into possession of unauthorised persons.
- Failure to update a new practice address can lead to suppliers delivering at a wrong address.
3. Not misleading
Inaccurate or outdated PI can easily be misleading.
Examples:
- A failure to update a dependant on a medical aid on the system can lead to the false impression that a patient has funds to settle medical aid claims.
- If a dispencing license is not renewed and communicated on the practice's documentation, the inaccurate information can lead to misleading impressions of patients about the available services of the practice.
4. Updated
If a mistake or inaccuracy comes to the attention of a responsible party, steps should be taken to rectify it. What those steps should entail will depend on the circumstances, the type of PI involved and the purposes for which it is used. The accuracy
of highly sensitive PI or PI that is used to make important decisions about the DS, e.g. a patient's treatment plan, is more important than more mundane PI, e.g. the next of kin of an employee or patient.Examples:
- A failure to update PI can lead to the wrong treatment of a patient.
- A failure to update contract information with your service provider (software / bureau) will lead to loss of income.
It is therefore of utmost importance to implement solutions that will assist the practice in making sure that the quality of their PI is of a high standard.
8.6. Openness (Sections 17-18)
Topics
- Documentation
- Notification
- Exceptions
1. Documentation
Practices are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention.
Documenting this information is a great way to take stock of what you do with PI. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of the POPIA, such as making sure that the information you hold about people is accurate and secure. You also need to keep records of consent and any PI breaches.
2. Notification
The DS has the right to be notified that
- PI about him, her or it is being collected as provided for in terms of section 18; or
- his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22 - in other words when a security breach has occured.
If PI is collected, the RP must take reasonably practicable steps to ensure that the DS is aware of the following privacy information:
- the information being collected and where the information is not collected from the DS, the source from which it is collected
- the name and address of the RP
- the purpose for which the information is being collected
- whether or not the supply of the information by that DS is voluntary or mandatory
- the consequences of failure to provide the information
- any particular law authorising or requiring the collection of the information
- the fact that, where applicable, the RP intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation
- any further information such as the:
- recipient or category of recipients of the information;
- nature or category of the information;
- existence of the following rights:
- right of access to the PI
- right to rectify the PI collected
- right to object to the processing of certain PI
- right to lodge a complaint to the IR and the contact details of the IR
These steps must be taken:
- if the PI is collected directly from the DS, before the information is collected, unless the DS is already aware of the information
- in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.
A RP that has previously taken the above steps still complies with the duty of notification in relation to the subsequent collection from the DS of the same information or information of the same kind if the purpose of collection of the information remains the same.
It is often most effective to provide privacy information to people using a combination of different techniques, for example emails and cellphone apps.
You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s PI to their attention before you start the processing. Getting the right to be informed correct can help you to comply with other aspects of the POPIA and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.
3. Exceptions
It is not necessary for a RP to notify a DS if:
- the DS has provided consent for the non-compliance
- non-compliance would not prejudice the legitimate interests of the DS
- non-compliance is necessary:
- to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
- to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue by SARS
- for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated
- in the interests of national security.
- compliance would prejudice a lawful purpose of the collection
- compliance is not reasonably practicable in the circumstances of the particular case
- the information will:
- not be used in a form in which the DS may be identified
- be used for historical, statistical or research purposes.
8.7. Security Safeguards (Sections 19-22)
Topics
- Integrity
- Confidentiality
- Risk management
- Operators
- Notification of breaches
1. Integrity
A RP must secure the integrity of PI in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information.
Backup regime
If your practice operates on your own server and does not have a proper backup regime in place, you are vulnerable to data loss due to viruses, ransomware, hardware failure, theft or fire.
The data that you collect on your software is of the utmost importance and it should be a priority for each practice to make sure that you contract an expert IT consultant to make sure that your IT is dealt with properly. It is imperative that your hardware keeps up to date and your backup process is implemented with all due diligence.
It is the responsibility of the practice to verify the validity of backups by checking that backups were successful with no errors and to confirm that backup files are present at the backup locations after every backup. If there is any indication that the backup is not successful, it is the responsibility of the practice to contact the IT company immediately to resolve the problem.
A big concern is that practices do not implement proper safety precautions for their servers, making the data especially vulnerable to viruses and ransomware. Best practice dictates that no emails should be opened on a server and proper fire wall protection for your server should be implemented.
The following internal controls diagram describes the processes that should be followed during the year in every practice. You will notice that each period ends with a backup to be made of the data. Different sets of hardware should be
used for the different backups, as some viruses go undetected for a while.

A good procedure is to have different hardware for:
1. Monday to Friday backups
2. Week 1 - 4 backups
3. Month 1- 4 backups
4. Yearly backups.
Make independent backups i.e. to different USB media instead of rewriting to one medium. If a virus is picked up on Week 3 of Month 2, and you notice the virus only during Week 1 of Month 4, you will at least have an uncorrupted backup from
Week 2 of Month 2 and not lose all your data.
Verify backup media after making a backup by testing archives and file sizes.
It is imperative that backups be kept off site in case of theft or fire. Leaving a backup device connected to the PC will not be of any use in such circumstances or in case of ransomware or viruses.
2. Confidentiality
A RP must secure the confidentiality of PI in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent unlawful access to or processing of PI.
You can take the following practical steps to secure confidentiality of PI:
- You have an access control policy which specifies that users must follow your practice's procedures in the use of PI, for example passwords on software.
- You implement a formal user access provisioning procedure to assign access rights for employees (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example a 'new starter process'.
- You restrict and control the allocation and use of privileged access rights.
- You keep a log of user access to software holding PI.
- You regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the practice.
3. Risk management
To give effect to the duty to secure the integrity and confidentiality of the PI, the RP must take reasonable measures to manage the risk by:
- identifying all reasonably foreseeable internal and external risks to personal information in its possession or under its control
- establishing and maintaining appropriate safeguards against the risks identified
- regularly verifying that the safeguards are effectively implemented
ensuring that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations. Amongst other things, this may include information security policies, access controls, security monitoring, and recovery plans.
To be compliant is therefore an ongoing concern which needs to be managed as a separate project.
4. Operators

Take note:
In this diagram, the bureau is an operator of the practice, and the software can either be an operator, if it directly contracts with the RP, or it can be a sub-operator, if it contracts with the bureau.
An Operator processing PI on behalf of a RP or a sub-Operator processing PI on behalf of another Operator, must:
- process such information only with the knowledge or authorisation of the RR
- treat PI which comes to their knowledge as confidential and must not disclose it
A RP must have a written contract with the Operator to ensure that the Operator which processes PI for the RP establishes and maintains the security measures as required of the RP.
Using clear and comprehensive contracts with your Operators helps to ensure that everyone understands their data protection obligations and is a good way to demonstrate this formally.
5. Notification of breaches
The Operator must notify the RP immediately where there are reasonable grounds to believe that the PI of a DS has been accessed or acquired by any unauthorised person.
Where there are reasonable grounds to believe that the PI of a DS has been accessed or acquired by any unauthorised person, the RP must notify:
- the DS, unless the identity of such DS cannot be established
- the IR.
The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the RP’s information system.
The notification to a DS must be in writing and communicated to the DS in at least one of the following ways:
mailed to the DS’s last known physical or postal address sent by email to the DS’s last known email address placed in a prominent position on the website of the RP published in the news media as may be directed by the IR.
The notification must provide sufficient information to allow the DS to take protective measures against the potential consequences of the compromise, including
- a description of the possible consequences of the security compromise
- a description of the measures that the RP intends to take or has taken to address the security compromise
- a recommendation with regard to the measures to be taken by the DS to mitigate the possible adverse effects of the security compromise
- if known to the RP, the identity of the unauthorised person who may have accessed or acquired the PI.
The IR may direct a RP to publicise, in any manner specified, the fact of any compromise to the integrity or confidentiality of PI, if the IR has reasonable grounds to believe that such publicity would protect a DS who may be affected by the compromise.
8.8. Data Subject Participation (Sections 23-35)
Topics
- Confirmation
- Requests
- Fees
- Refusal
- Access
- Correction
1. Confirmation
A DS, having provided adequate proof of identity, has the right to request a RP to confirm, free of charge, whether or not the RP holds PI about the DS.
2. Requests
A DS, having provided adequate proof of identity, has the right to request from a RP:
- the record or a description of the PI about the DS held by the RP
- particulars of the identity of all third parties, or categories of third parties, who have, or have had, access to the information.
- within a reasonable time
- at a prescribed fee, if any
- in a reasonable manner and format
- in a form that is generally understandable.
The practice therefore needs to make sure that dealing with such request are as effortless as possible by putting systems in place that will help the practice deal with such requests.
3. Fees
If the RP requests a fee from the DS for providing the requested information, the RP:
- must give the DS a written estimate of the fee before providing the information
- may require the DS to pay a deposit for all or part of the fee.
4. Refusal
A RP may or must refuse, as the case may be, to disclose any information requested by the DS on the following applicable grounds:
- if it would endanger the life or safety of an individual
- privileged documents (in the context of legal proceedings) must not be disclosed.
If a request for access to PI is made to a RP and part of that information may or must be refused, every other part must be disclosed.
The Promotion of Access to Information Act dictates the following with regards to access to healthcare records:
If the IO who has to grant a request for access to a record provided by a healthcare practitioner in his or her capacity as such about the physical or mental health, or well-being of the DS or CP and the IO is of the opinion that the disclosure of the record to the DS might cause serious harm to his or her physical or mental health or well-being:
- the IO may, before giving access, consult with a healthcare practitioner who has been nominated by the DS or CP (is the DS is under the age of 16 years) or the court (if the DS is mentally incompetent)
- the IO may only give access if the DS proves to the satisfaction of the IO that adequate provision is made for such counseling or arrangements as are reasonably practicable before, during or after the disclosure of the record to limit, alleviate or avoid such harm to the DS
- the counselor must be given access to the record before the disclosure to the DS.
5. Access
The manner in which the DS must request access is regulated by sections 18 and 53 of the PAIA act.
A request for access to a record of a RP must be made to the RP concerned at its address, fax number or email address.
The DS must at least provide the following sufficient particulars to the RP to enable the IO:
- to identify the record or records requested
- to identify the DS
- to indicate which form of access is required
- to specify a postal address or email of the requester in the Republic
- to identify the right the DS is seeking to exercise or protect and provide an explanation of why the requested record is required for the exercise or protection of that right
- if, in addition to a written reply, the requester wishes to be informed of the decision on the request in any other manner, to state that manner and the necessary particulars to be so informed
- if the request is made on behalf of a person, to submit proof of the capacity in which the requester is submitting the request, to the reasonable satisfaction of the IO.
6. Correction
If, in response to a request to confirm PI held by the RP, PI is communicated to a DS, the DS must be advised of the right to request the correction of information.
A DS may request a RP to:
- correct or delete PI about the DS in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully
- destroy or delete a record of PI about the DS that the RP is no longer authorised to retain.
On receipt of a request a RP must, as soon as reasonably practicable:
- correct the information
- destroy or delete the information
- provide the data subject, to his or her satisfaction, with credible evidence in support of the information
- where agreement cannot be reached between the RP and the DS, and if the DS so requests, take such steps as are reasonable in the circumstances, to attach to the information in such a manner that it will always be read with the information, an indication that a correction of the information has been requested but has not been made.
If the RP has taken steps that result in a change to the PI and the changed PI has an impact on decisions that have been or will be taken in respect of the DS in question, the RP must, if reasonably practicable, inform each person or body or RP to whom the PI has been disclosed of those steps.
The RP must notify a DS who has made a request of the action taken as a result of the request.
9. Additional rights & responsibilities
Topics
- The processing of SPI (Section 26-33)
- The processing of PI of children (Section 34-35)
- Direct marketing (Section 69)
- Profiling of DS (with legal consequences) based on the automated processing of PI (Section 71)
- The transfer of PI to other countries (Section 72)
There are additional responsibilities that have not been included into the 8 conditions for lawful processing that should be noted - these should be documented for investigation purposes:
1. The processing of SPI (Section 26-33)
Special Personal Information MAY NOT BE PROCESSED UNLESS the following conditions apply:
- processing is carried out with the consent of a DS;
- processing is necessary for the establishment, exercise or defence of a right or obligation in law; or
- processing is necessary to comply with an obligation of international public law;
- processing is for historical, statistical or research purposes to the extent that:
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the DS to a disproportionate extent;
- information has deliberately been made public by the DS;
- with regards to religious or philosophical beliefs data may be collected if processing is necessary to protect the spiritual welfare of the DS, unless the DS have indicated that they object to the processing. This information may not be supplied to third parties without the consent of the DS;
- with regards to race or ethnic origin data can be collected to identify DS and only when this is essential for that purpose;
- with regards to health or sex life medical professionals, healthcare institutions or facilities or social services may process data if such processing is necessary for the proper treatment and care of the
DS or for the administration of the institution or professional practice concerned. This information must be treated as confidential, unless the responsible party is required by law or in connection with their duties to communicate
the information to other parties who are authorised to processsuch information in accordance with the Act;
- insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations may process information about health or sex life if such processing is necessary for:
- assessing the risk to be insured by the insurance company or covered by the medical scheme and the DS has not objected to the processing; or
- the performance of an insurance or medical scheme agreement; or
- the enforcement of any contractual rights and obligations.
The prohibition on processing any of the categories of PI does not apply if it is necessary to supplement the processing of PI concerning a DS's health for the proper treatment or care of the DS.
2. The processing of PI of children (Section 34-35)
No personal information concerning a child may be processed, unless it is:
- carried out with the prior consent of a competent person;
- necessary for the establishment, exercise or defence of a right or obligation in law;
- necessary to comply with an obligation of international public law;
- for historical, statistical or research purposes to the extent that:
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent;
- of personal information which has deliberately been made public by the child with the consent of a competent person.
3. Direct marketing (Section 69)
The processing of PI of a DS for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the DS:
- has given consent to the processing; OR
- is a client of the RP.
Remember: a client is a patient and e.g. a parent, who has a contract with the practice to settle accounts of a patient.
The RP may approach a DS whose consent is required and who has not previously withheld such consent, only once in order to request the consent of that DS. The RP may only process the PI of a DS who is a customer of the RP:
- if the RP has obtained the contact details of the DS in the context of the sale of a product or service;
- for the purpose of direct marketing of the RP’s own similar products or services; and
- if the DS has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details
- at the time when the information was collected; and
- on the occasion of each communication with the DS for the purpose of marketing if the DS has not initially refused such use.
Any communication for the purpose of direct marketing must contain
- details of the identity of the sender or the person on whose behalf the communication has been sent; and
- an address or other contact details to which the recipient may send a request that such communications cease.
Take note: It is advisable that the practice obtain in their client forms permission to send marketing messages, e.g. reminders of 6 months dental appointments, communication of new services or products.
4. Profiling of DS (with legal consequences) based on the automated processing of PI (Section 71)
A DS may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of PI intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.This prohibition is not applicable if the decision:
- has been taken in connection with the conclusion or execution of a contract, and
- the request of the DS in terms of the contract has been met; or
- appropriate measures* have been taken to protect the DS’s legitimate interests; or
- is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of DS.
- provide an opportunity for a DS to make representations about such a decision; and
- require a responsible party to provide a DS with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make such representations.
5. The transfer of PI to other countries (Section 72)
A RP in South Africa may not transfer PI about a DS to a third party who is in a foreign country unless:
- the third party who is the recipient of the PI is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that
- effectively upholds principles for reasonable processing of the PI that are substantially similar to the conditions for the lawful processing of PI relating to a DS who is a natural person and, where applicable, a juristic person; and
- includes provisions, that are substantially similar to the POPIA, relating to the further transfer of PI from the recipient to third parties who are in a foreign country;
- the DS consents to the transfer;
- the transfer is necessary for the performance of a contract between the DS and the RP, or for the implementation of pre-contractual measures taken in response to the DS’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the DS between the RP and a third party; or
- the transfer is for the benefit of the DS, and
- it is not reasonably practicable to obtain the consent of the DS to that transfer; and
- if it were reasonably practicable to obtain such consent, the DS would be likely to give it.
Some definitions:
- "Binding corporate rules" means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
- "Group of undertakings" means a controlling undertaking and its controlled undertakings.
10. Practical implementation observations
It is of vital importance that the healthcare practice implement all these requirements of the POPIA as discussed in this introductory guidelines book.
Some final summary remarks:
- POPIA compliance is not a "get it done, be certified and that is the end of it" process.
- POPIA compliance is an ongoing process of implementation and management.
- If the practice does not have enough human resources to keep ahead of the implementation and maintenance of the POPIA provisions, it will do the practice well to outsource some of the responsibilities.
- Examples of things you can easily outsource:
- Assistance with registration of the IO
- Assistance with drafting compliance frameworks
- Assistance with drafting PIIAs & LIAs
- Drafting of operator contracts & privacy policies
- Internal employee awareness sessions
- Software systems that provide good communication lines between the practice and its patients
- Risk management assessments
- PI data management assistance
- Assistance with breach notifications
- Assistance with dealing with DS requests
To implement the provisions of the POPIA as discussed in this book, you can download the action maps PDF under Data Management on the GoodX Learning Centre.