An introduction to the protection of personal information in the healthcare practice

2. Purpose, Application & Content of the POPIA

Topics

  1. The purpose of the POPIA
  2. The application of the POPIA
  3. Content of the POPIA

The following information will lay a foundation to an understanding of the rights and responsibilities applicable when dealing with Personal Information.


1. The purpose of the POPIA:

  1. To give effect to the constitutional right to privacy, by safeguarding PI when processed by a RP, subject to justifiable limitations that are aimed at
    1. balancing the right to privacy against other rights, particularly the right of access to information; and
    2. protecting important interests, including the free flow of information within the Republic and across international borders.
  2. To regulate the manner in which PI may be processed, by establishing 8 conditions, in harmony with international standards, that prescribe the minimum requirements for the lawful processing of personal information;
  3. To provide persons with rights and remedies to protect their PI from processing that is not in accordance with this Act; and
  4. To establish voluntary and compulsory measures, including the establishment of an IR, to ensure respect for and to promote, enforce and fulfil the rights protected by this Act.

This therefore means that the flow of information is a necessary right and is protected, so that normal day to day life and activities can continue. The act is written not to stop the good guys from using information, but to stop the bad guys from infringing on the rights of Data Subjects.

This Act must be interpreted in a manner that—

  1. gives effect to the purpose of the Act set out in section 2; and
  2. does not prevent any public or private body from exercising or performing its powers, duties and functions in terms of the law as far as such powers, duties and functions relate to the processing of PI and such processing is in accordance with this Act or any other legislation, as referred to in subsection (2), that regulates the processing of PI.

In summary, the POPIA:

  1. Promotes the protection of PI
  2. Protects the free flow of information
  3. Establishes minimum requirements for the manner of processing (the 8 conditions & other responsibilities.)
  4. Establishes the IR & remedies
  5. Provides protection against
    1. unsolicited electronic communications (direct marketing)
    2. automated decision-making (profiling e.g. to make guestimates based on previous acquisitions.)
  6. Regulates the trans-border flow of information.


2. The application of the POPIA

The POPIA is applicable when Personal Information is processed by private and public bodies.
  • Processing involves the following with regards to PI:
    • Collection
    • Use
    • Sharing
    • Further processing
    • Storage/retention
    • Destruction.
  • Processing must comply with the 8 conditions required by the POPIA for the lawful processing of personal information.

The POPIA applies to the exclusion of any provision of any other legislation that regulates the processing of PI and that is materially inconsistent with an object, or a specific provision of the POPIA. If any other legislation provides for conditions for the lawful processing of PI that are more extensive than those set out in Chapter 3, the extensive conditions prevail.

Exclusions:

The POPIA does NOT apply to processing of the following PI

  1. of deceased persons
  2. for personal / household activity
  3. that is permanently de-identified
  4. for national security, cabinet, courts
  5. for journalistic, literary, artistic expression (freedom of expression)


3. Content of the POPIA

It is helpful to understand the framework into which the provisions of the POPIA are set: The POPIA is divided into 12 chapters, each dealing with different subjects.

Chapter 1 - Definitions & Purpose of POPIA

Chapter 2 - Application & Interpretation of POPIA

Chapter 3 - 8 Conditions for lawful processing of Personal Information

Part A - General provisions: 8 Conditions of processing

Part B - Processing of Special Personal Information

Part C - Processing of Personal Information of Children

Chapter 4 - Exemption from conditions for processing

Chapter 5 - Supervision - the two enforcers of the provisions of the Act

Part A - Information Regulator (Government body)

Part B - Information Officer (Private body)

Chapter 6 - Prior Authorisation

Chapter 7 - Codes of Conduct

Chapter 8 - Direct Marketing

Chapter 9 - Enforcements

Chapter 11 - Offences, Penalties & Fines

Chapter 12 - General Provisions