An introduction to the protection of personal information in the healthcare practice

8. The 8 conditions for lawful processing of PI

8.6. Openness (Sections 17-18)

Topics

  1. Documentation
  2. Notification
  3. Exceptions


1. Documentation

Practices are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention.

Documenting this information is a great way to take stock of what you do with PI. Knowing what information you have, where it is and what you do with it makes it much easier for you to comply with other aspects of the POPIA, such as making sure that the information you hold about people is accurate and secure. You also need to keep records of consent and any PI breaches.


2. Notification

The DS has the right to be notified that:

  1. PI about him, her or it is being collected, as provided for in section 18; or
  2. his, her or its PI has been accessed or acquired by an unauthorised person, as provided for in section 22 - in other words, when a security breach has occurred.

If PI is collected, the RP must take reasonably practicable steps to ensure that the DS is aware of the following privacy information:

  1. the information being collected and where the information is not collected from the DS, the source from which it is collected
  2. the name and address of the RP
  3. the purpose for which the information is being collected
  4. whether or not the supply of the information by that DS is voluntary or mandatory
  5. the consequences of failure to provide the information
  6. any particular law authorising or requiring the collection of the information
  7. the fact that, where applicable, the RP intends to transfer the information to a third country or international organisation and the level of protection afforded to the information by that third country or international organisation
  8. any further information such as the:
    1. recipient or category of recipients of the information;
    2. nature or category of the information;
    3. existence of the following rights:
      1. right of access to the PI
      2. right to rectify the PI collected
      3. right to object to the processing of certain PI
      4. right to lodge a complaint to the IR, and the contact details of the IR
    to the extent that such further information is necessary, having regard to the specific circumstances in which the information is or is not to be processed, to enable processing in respect of the DS to be reasonable.

These steps must be taken:

  1. if the PI is collected directly from the DS, before the information is collected, unless the DS is already aware of the information
  2. in any other case, before the information is collected or as soon as reasonably practicable after it has been collected.

An RP that has previously taken the above steps still complies with the duty of notification in relation to the subsequent collection from the DS of the same information, or information of the same kind, if the purpose of collection remains the same.

It is often most effective to provide privacy information to people using a combination of different channels, for example email and mobile apps.

You must regularly review and, where necessary, update your privacy information. You must bring any new use of an individual's PI to their attention before you start the processing. Handling the right to be informed correctly can help you comply with other aspects of the POPIA and build trust with people, but getting it wrong can leave you open to fines and lead to reputational damage.


3. Exceptions

It is not necessary for an RP to notify a DS if:

  1. the DS has provided consent for the non-compliance
  2. non-compliance would not prejudice the legitimate interests of the DS
  3. non-compliance is necessary:
    1. to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
    2. to comply with an obligation imposed by law or to enforce legislation concerning the collection of revenue by SARS
    3. for the conduct of proceedings in any court or tribunal that have been commenced or are reasonably contemplated
    4. in the interests of national security.
  4. compliance would prejudice a lawful purpose of the collection
  5. compliance is not reasonably practicable in the circumstances of the particular case
  6. the information will:
    1. not be used in a form in which the DS may be identified; or
    2. be used for historical, statistical or research purposes.