An introduction to the protection of personal information in the healthcare practice
6. The 6 grounds for lawful processing
Topics
- Contract
- Legislation
- Legitimate interests of the DS
- Legitimate interests of the RP / 3rd party
- Consent
- How to choose?
There are 6 lawful grounds for processing in terms of Section 11 of the POPIA:
- Is it necessary for the conclusion or performance of a contract?
- Is it necessary for compliance with legislation?
- Are you protecting a legitimate interest of the DS? (They can object.)
- Are you pursuing a legitimate interest of your practice or a third party? (They can object.)
- Do you have the consent of the DS / CP? (You should consider this as a last resort.)
- Are you a public body performing a public law duty? (They can object.)
- As this guidelines book does not deal with public bodies, we will not discuss ground number 6.
- See the Checklist: When may we process?
1. Contract
The RP can process PI if the processing is necessary to carry out actions for the conclusion or performance of a contract to which the DS is party.
Examples:
- Processing PI of a patient who contracts the practitioner for healthcare services.
- Sharing PI of a patient with the medical aid so that the account can be settled.
- Processing PI of an employee.
- Processing PI of a parent / guardian / other party who takes responsibility for settlement of the account on behalf of a patient, whether the patient is a minor or not.
- Processing PI of a bureau.
2. Legislation
The RP can process PI if the processing complies with an obligation imposed by law on the responsible party.
Examples:
- Processing PI of a patient in terms of the obligations imposed by the HPCSA with regard to the minimum information to be kept in medical records.
- Processing PI of employees to comply with the SARS tax provisions.
- Processing PI of patients to co-operate with Healthcare Inspectors.
3. Legitimate interests of the DS
The RP can process PI if the processing protects a legitimate interest of the data subject.
Examples:
- Processing PI to save the life of an unconscious emergency patient (without the co-operation of the patient, there can be no contract).
- Obtaining next of kin information from an employee, the next of kin being another DS, in order to be able to contact the next of kin in case of an emergency.
- Sending a patient's PI to the medical aid for pre-authorisation of a procedure.
4. Legitimate interests of the RP / 3rd party
The RP can process PI if the processing is necessary for pursuing the legitimate interests of the RP or of a third party to whom the information is supplied.
Take note: A LIA (see the chapter on Legitimate interest processing & LIA) must be completed before the practice relies on this ground for processing PI, so that the assessment is on record and reportable.
Examples:
- The practice hands the patient over to a debt collecting company. This is to pursue the interest of the practice. No patient will give consent for this! ;-)
- The practice shares information with the employer of the patient in an injury-on-duty claim, to pursue the legitimate interest of the third party, the patient's employer.
5. Consent
The RP can process PI if the DS (or a CP, where the DS is a child) consents to the processing.
As per the definition of consent, three elements must be present before an RP can rely on the consent of the DS as a lawful ground for processing PI:
- It must be voluntary;
- It must be specific;
- It must be informed so that a DS can truly consent to processing.
From these elements it is quite obvious that consent should be the last resort for processing PI, as there are numerous problems with its application in practice:
Example: A person is employed by the practice, and the practice's employment contract includes a consent form in terms of which the employee consents to the practice accessing and reading the work emails sent and received through the business email address allocated to the employee.
Let's look at the pitfalls of consent as a lawful ground for processing:
- Voluntary: In some European countries the courts are now finding that such consents are not voluntary, as the employee is not on the same bargaining level as the employer. If any processing based on consent is found to lack the voluntary element, the processing will be deemed unlawful.
- Specific: Consent can never be open ended. The processing and processing purpose must be clearly defined. General consent is not good enough to fulfil the requirement of specific consent. Consent needs to deal with the what, why, how, where and in each instance whether information will be given to anyone else.
- Informed: The RP must be able to prove that the DS understood how his or her PI will be processed.
- Burden of proof: The RP bears the burden of proof that the DS consented to the processing of PI and if it is not in writing, it can be a serious problem.
- Withdrawal of consent: The DS can withdraw their consent at any time, whereafter the RP will not be able to process the PI anymore. This can lead to unworkable situations.
6. How to choose your lawful ground?
- This depends on your specific purposes and the context of the processing. You should think about why you want to process the PI, and consider which lawful ground best fits the circumstances.
- You might consider that more than one ground applies, in which case you should identify and document all of them from the start.
- You must not adopt a one-size-fits-all approach. No one ground should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the POPIA.
- Several of the lawful grounds relate to a particular specified purpose – a legal obligation, performing a contract with the individual or protecting someone’s legitimate interests. If you are processing for these purposes then the appropriate lawful ground may well be obvious, so it is helpful to consider these first.
- In other cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:
  - Who does the processing benefit?
  - Would individuals expect this processing to take place?
  - What is your relationship with the individual?
  - Are you in a position of power over them?
  - What is the impact of the processing on the individual?
  - Are they vulnerable?
  - Are some of the individuals concerned likely to object?
  - Are you able to stop the processing at any time on request?
- You may prefer to consider legitimate interests as your lawful ground if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them.
- On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.