An introduction to the protection of personal information in the healthcare practice
7. Example analysis of 7 relationships, roles & lawful grounds of processing
In this sub-chapter, we want to use the POPIA relationships diagram as an example of how to decide:
- who is who in a particular POPIA relationship and why?
- what are the grounds for legal processing and why?
Example 1:
Question | Answer | Reason |
Relationship under investigation? | The practice & the adult patient | Healthcare services |
Which role does the patient fulfil? | DS | The practice processes PI of the adult patient (information received directly from the patient) |
Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Legal ground for processing? | Contract between RP & DS | The practice and patient enter into an agreement in terms whereof the practice is providing healthcare services to the patient. |
Example 2:
Question | Answer | Reason |
Relationship under investigation? | The practice and the unconscious adult emergency patient brought in by a family member | Emergency healthcare services |
Which role does the patient fulfil? | DS | The practice processes PI of the adult patient (information received from another source than the patient = legitimate in the circumstances) |
Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Legal ground for processing? | RP protects the legitimate interest of the DS | The practice tries to save the life of the DS, which is a vital interest to be protected. |
Example 3:
Question | Answer | Reason |
Relationship under investigation? | The practice & the minor patient who is assisted by the parent | Healthcare services |
Which role does the patient fulfil? | DS | The practice processes PI of the minor patient |
Which role does the parent fulfil? | CP | The parent is legally competent to assist the minor patient in concluding an agreement in terms whereof the practice is providing healthcare services to the patient. |
Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Legal ground for processing? | Contract | The practice and minor patient, assisted by the parent, enter into an agreement in terms whereof the practice is providing healthcare services to the patient. |
Example 4:
Question | Answer | Reason |
Relationship under investigation? | The practice & the parent / guardian of a minor patient who has accepted responsibility for the account | Account collection |
Which role does the patient fulfil? | None | |
Which role does the parent fulfil? | DS | The parent provides his/her PI so that the practice can process the information for purposes of collecting fees and expenses. |
Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Legal ground for processing? | Contract | The practice and the parent enter into an agreement in terms whereof the parent will settle the account for medical services rendered to his/her child. |
Example 5:
Question | Answer | Reason |
Relationship under investigation? | The practice & the bureau that bills on behalf of the practice | Service provider |
Which role does the practice fulfil? | RP | The practice decides to collect PI, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Which role does the bureau fulfil? | Operator | The bureau follows instructions from the practice regarding the processing of the PI of the patient, does not decide on the purpose for processing, does not decide how long to retain the PI, does not decide to whom to disclose etc |
Legal ground for processing? | Contract | The practice and bureau contract for the rendering of services. Take note: a written operator agreement MUST be concluded in terms of the POPIA. |
Example 6:
Question | Answer | Reason |
Relationship under investigation? | The practice & the waste company | Service provider |
Which role does the practice fulfil in the relationship with the patients whose PI is being destroyed? | RP | The practice decides to collect PI from patients, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Which role does the waste company fulfil? | Operator | The waste company follows instructions from the practice regarding the destruction of the PI of the patient |
Legal ground for processing? | Contract | The practice and waste company contract for the rendering of services of destruction of patient PI on documents / other medical waste. Take note: a written operator agreement MUST be concluded in terms of the POPIA. |
Example 7:
Question | Answer | Reason |
Relationship under investigation? | The practice & the employee of the practice | Employment relationship |
Which role does the practice fulfil in the relationship with the employee whose PI is being processed? | RP | The practice decides to collect PI from the employee, the purpose for collection, the means of collection, which information is to be collected, what the lawful ground is etc |
Which role does the employee fulfil when his or her PI is being processed? | DS | The employee's PI is processed by the practice. |
Which role does a next of kin fulfil? | DS | The next of kin's PI is processed by the practice. |
Which role does the employee fulfil with regard to the PI of the practice? | RP | The employee comes into possession of the PI of the practice. |
Which role does the practice fulfil with regard to the PI of the practice that is shared with the employee? | DS | The practice's data is in possession of the employee. |
1st Legal ground for processing? | Legal Obligation to comply with legislation | The practice must report to SARS and therefore needs to process PI of the employee |
2nd Legal ground for processing? | Pursuing the legitimate interest of the practice | E.g. Perusing email communication of a work email address belonging to the practice protects the legitimate interest of the practice, for instance if information was sent to the email address and the employee is on sick leave. |
3rd Legal ground for processing? | Protecting the legitimate interest of the employee | E.g. Collecting next of kin information in case of an emergency. |
Legal ground for processing the practice's information by the employee? | Employment contract. | The practice's data is in possession of the employee by virtue of the employment contract. |
In this example it is clear that, depending on the type of information and the reason for processing, the legal ground for processing can be determined.