An introduction to the protection of personal information in the healthcare practice

4. Role players - who is who?

Topic

Roles involved in the processing of PI
    1. Data Subject
    2. Child
    3. Competent Person
    4. Responsible Party
    5. Information Officer
    6. Employee
    7. Operator
    8. Information Regulator


Roles involved in the processing of PI

Understanding your role in relation to the PI you are processing is crucial to ensure compliance with the POPIA and the fair treatment of individuals. Your obligations under the POPIA will vary depending on your role in the different relationships you have and therefore your rights and obligations will differ. You should take the time to assess and document the role of each relationship the practice has with regards to PI and processing activities.

The following roles are involved in the processing of PI:


In the above image you can see that the practice could either be a DS or a RP. In relationships where others process the PI of the practice, the practice will be the DS and will have the rights of the DS. If the practice is a RP, the practice needs to make sure to comply with the obligations imposed by the POPIA.


 1. The Data Subject (DS)

The person to whom PI relates:

  1. Adult natural live person
    1. Makes own decisions OR
    2. Mentally disabled + assisted by CP
  2. Child natural live person
    1. Under 18 years
    2. NOT legally competent
    3. Assisted by a CP
  3. Juristic person


 2. The Child

A natural person under the age of 18 years who is NOT legally competent to take any action or decision in respect of any matter concerning him or herself. The child has to be assisted by a CP, e.g. to give consent for the processing of PI.

Take note: if a law allows a child to obtain medical procedures without the knowledge or consent of a CP, the RP may process PI without further consent of a CP.

See the chapter on additional rights & responsibilities with regards to the processing of PI of children.


 3 The Competent Person (CP)

Any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child or legally incompetent person (e.g. a mentally disabled person).

Examples of CPs: parents or legal guardians.


 4. The Responsible Party (RP)

A private body or public body* or any other person which, alone or in conjunction with others:

  1. determines the purpose of processing &
  2. determines the means for processing PI &
  3. is located in South Africa.

The RP takes full responsibility and accountability for the lawful processing of the DS's PI and the responsibility cannot be delegated to e.g. employees or Operators.

* A public body means

  1. Any department of state or administration in the national or provincial sphere of government or any municipality in the local sphere of government; or
  2. Any other functionary or institution when
    1. exercising a power or performing a duty in terms of the Constitution or a provincial constitution; or
    2. exercising a public power or performing a public function in terms of any legislation.


 5. The Information Officer (IO)

The head of a private body:

    1. in the case of a natural person, that natural person or any person duly authorised by that natural person
    2. in the case of a partnership, any partner of the partnership
    3. in the case of a juristic person
      1. the chief executive officer (CEO) or equivalent officer of the juristic person; or
      2. the person who is acting as such.

The IO can appoint a DIO to assist the IO with compliance. Even though the role can be delegated, it is important to note that the accountability of the RP cannot be delegated away from the head of the entity.


 6. The Employee

A person working under the direct control of the Responsible Party. This could be practitioners or administrative staff.
It is essential that the Responsible Party (Employer) make sure that the HR procedures and Standard Operating Procedures (SOP) of the practice be POPIA compliant. More about this in later chapters.


 7. The Operator

A person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of that party.

It is therefore a third party data processor, like a cloud provider. Section 20 of the POPIA requires that:

  1. the mandate be written - The GoodX Licence Agreement fulfills this requirement;
  2. there must be proper security measures in place - the GoodX Cloud's data security will be discussed in a later chapter;
  3. the responsibility and accountability remains with the Responsible Party.


 8. The Information Regulator

The Information Regulator established in terms of Section 39 - the government body that regulates the processing of PI.

Duties:

  1. Education & advice
  2. Monitoring & enforcing compliance
  3. Consultation with interested parties
  4. Handling of complaints
  5. Conducting research & reporting to Parliament
  6. Issueing codes of conduct for sectors
  7. Facilitating cross-border cooperation.


This diagram illustrates how the IR and IO work together to enforce the provisions of the POPIA: