An introduction to the protection of personal information in the healthcare practice

8. The 8 conditions for lawful processing of PI

8.1. Accountability (Section 8 & Regulation 4)

Topics

  1. The Information Officer
  2. The compliance framework
  3. The PI Impact Assessments (PIIA)
  4. Reportable
  5. Privacy policies
  6. Internal awareness sessions


1. The Information Officer (IO)

Section 8 of the POPIA places the responsibility on the RP to ensure that the 8 conditions set out in chapter 3 of the act, and all the measures that give effect to such conditions, are complied with

  • at the time of the determination of the purpose &
  • at the time of the determination of the means of the processing &
  • during the processing itself.

It makes the RP

  1. responsible for complying with the POPIA; and
  2. responsible for demonstrating compliance.             

The practice needs to put in place appropriate technical measures (IT & software etc) and organisational measures (employee structures, tasks & processes) to meet the requirement of accountability.

There are a number of measures that needs to be put in place:

  1. appointing an Information Officer
  2. adopting, implementing, monitoring and maintaining a compliance framework
  3. performing PI impact assessments (PIIA)
  4. maintaining documentation of your processing activities for auditing and reporting purposes
  5. implementing privacy policies
  6. host internal employee awareness sessions to create a culture of privacy protection.

The first measure to put in place, is the appointment of the IO. All private bodies, of which the practice is one, should register the IO with the IR.

One or more DIOs may be appointed to assist the IO with his or her duties, depending on the size of the practice.  Your DIO must report to your highest level of management, operate independently, and have adequate resources to carry out their tasks.

Even if you’re not obliged to appoint a DIO, it is very important that you have

  • sufficient employees to implement the provisions of the POPIA
  • who have relevant skills to perform the duties
  • appropriate reporting structures in place to meet your obligations under the POPIA.

Accountability obligations are ongoing. You must continually review and, where necessary, update the measures you put in place.

Being accountable can help you to build trust with individuals and may help you mitigate enforcement action.


2. The compliance framework

Accountability is not a one-time box-ticking exercise. Being responsible for compliance with the POPIA means that you need to be proactive and organised about your approach to data protection while demonstrating your compliance means that you must be able to evidence the steps you take to comply.

To achieve this, you have to put a compliance framework in place - see regulation 4. This can help you create a culture of commitment to data protection, by embedding systematic and demonstrable compliance across your practice. Amongst other things, your framework should include:

  1. robust program controls informed by the requirements of the POPIA
  2. appropriate reporting structures
  3. implement comprehensive but proportionate policies and procedures for handling PI;
  4. appropriate training to ensure a good level of understanding and awareness of data protection amongst your employees
  5. assessment procedures
  6. keeping records of what you do and why.


3. The PI Impact Assessments (PIIA)

A PIIA is an essential accountability tool and is also prescribed by regulation 4. It also helps you to identify and minimise the data protection risks of any new projects you undertake.

When done properly, a PIIA helps you assess how to comply with the requirements of the POPIA, while also acting as documented evidence of your decision-making and the steps you took.


4. Reportable

The practice must be able to

  1. audit and report on the measures implemented to protect the processing of PI
  2. report PI breaches to the IR and to the affected DS.

You need to be able to detect, investigate, report (both internally and externally) and document any breaches. Having robust policies, procedures and reporting structures helps you do this.


5. Privacy policies

Policies and procedures provide clarity and consistency, by communicating what people need to do and why. Policies can also communicate goals, values and a positive tone. Data protection law specifically requires you to put in place data protection policies where proportionate. What you have policies for and their level of detail varies, but effective data protection policies and procedures can help your practice to take the practical steps to comply with your legal obligations.


6. Internal awareness sessions

Employees must be:

  1. fully aware of the policies and procedures that are relevant to their roles
  2. provided with induction and refresher training
  3. assessed so that the practice can report on the awareness of employees.

Ways to meet this requirement:

  1. Draft policies and procedures and highlight their importance for compliance:
    1. communicate the policies and procedures to employees
    2. make the policies and procedure easily available - on an intranet & on paper in the practice (e.g. guidelines, posters or publications that help to emphasise key messages and raise employee awareness of policies and procedures)
  2. Create an all-employees data protection and information governance training programme:
    1. incorporate national and healthcare profession-specific requirements
    2. include training for all employees on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management
    3. consider the training needs of all employees and use this information to compile the training programme
    4. assign responsibilities for managing information governance and data protection training and have training plans or strategies in place to meet training needs within agreed time-scales
    5. have dedicated and trained resources available to deliver training to all employees
    6. regularly review your programme to ensure that it remains accurate and up to date.
  3. Create specialised training for specialised roles or functions with key data protection responsibilities (such as DIOs and practice managers) to receive additional training and professional development beyond the basic level provided to all employees:
    1. complete a training needs analysis for information governance and data protection to inform the training plan and to ensure it is specific to the individual’s responsibilities
    2. detail training and skills requirements in job descriptions
    3. have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development
    4. keep on record copies of the training material provided as well as details of who receives the training.
  4. Your training programmes must include induction and refresher training for all employees on data protection and information governance:
    1. appropriate employees, such as the DIO, to oversee or approve induction training
    2. let employees receive induction and refresher training, regardless of how long they will be working for your practice or their contractual status
    3. let employees receive induction training prior to accessing personal data and within one month of their start date
    4. let employees complete refresher training at appropriate intervals
  5. The practice must keep records to demonstrate that employees understand the training:
    1. conduct an assessment at the end of the training to test employees' understanding and make sure that it is effective, which could include a minimum pass mark
    2. keep copies of the training material provided on record as well as details of who receives the training
    3. monitor training completion in line with the practice's requirements and follow up with employees who do not complete the training
    4. employees must be able to provide feedback on the training they receive.
  6. Regularly raise awareness of data protection, information governance and associated policies and procedures in meetings or employees forums. Make it easy for employees to access relevant material:
    1. have evidence that your practice regularly uses a variety of appropriate methods to raise employees awareness and the profile of data protection and information governance, for example by emails, briefings and meetings, posters and handouts
    2. make it easy for employees to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.

To be compliant is therefore an ongoing training and awareness project.