An introduction to the protection of personal information in the healthcare practice

9. Additional rights & responsibilities

Topics

  1. The processing of SPI (Section 26-33)
  2. The processing of PI of children (Section 34-35)
  3. Direct marketing (Section 69)
  4. Profiling of DS (with legal consequences) based on the automated processing of PI (Section 71)
  5. The transfer of PI to other countries (Section 72)


There are additional responsibilities that have not been included into the 8 conditions for lawful processing that should be noted - these should be documented for investigation purposes:


1. The processing of SPI (Section 26-33)

Special Personal Information MAY NOT BE PROCESSED UNLESS the following conditions apply:

  1. processing is carried out with the consent of a DS;
  2. processing is necessary for the establishment, exercise or defence of a right or obligation in law; or
  3. processing is necessary to comply with an obligation of international public law;
  4. processing is for historical, statistical or research purposes to the extent that:
    1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
    2. it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the DS to a disproportionate extent;
  5. information has deliberately been made public by the DS;
  6. with regards to religious or philosophical beliefs data may be collected if processing is necessary to protect the spiritual welfare of the DS, unless the DS have indicated that they object to the processing. This information may not be supplied to third parties without the consent of the DS;
  7. with regards to race or ethnic origin data can be collected to identify DS and only when this is essential for that purpose;
  8. with regards to health or sex life medical professionals, healthcare institutions or facilities or social services may process data if such processing is necessary for the proper treatment and care of the DS or for the administration of the institution or professional practice concerned. This information must be treated as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to processsuch information in accordance with the Act;
  9. insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations may process information about health or sex life if such processing is necessary for:
    1. assessing the risk to be insured by the insurance company or covered by the medical scheme and the DS has not objected to the processing; or
    2. the performance of an insurance or medical scheme agreement; or
    3. the enforcement of any contractual rights and obligations.

The prohibition on processing any of the categories of PI does not apply if it is necessary to supplement the processing of PI concerning a DS's health for the proper treatment or care of the DS.


2. The processing of PI of children (Section 34-35)

No personal information concerning a child may be processed, unless it is:

  1. carried out with the prior consent of a competent person;
  2. necessary for the establishment, exercise or defence of a right or obligation in law;
  3. necessary to comply with an obligation of international public law;
  4. for historical, statistical or research purposes to the extent that:
    1. the purpose serves a public interest and the processing is necessary for the purpose concerned; or
    2. it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the child to a disproportionate extent;
  5. of personal information which has deliberately been made public by the child with the consent of a competent person.


3. Direct marketing (Section 69)

The processing of PI of a DS for the purpose of direct marketing by means of any form of electronic communication is prohibited unless the DS:

  • has given consent to the processing; OR
  • is a client of the RP.

Remember: a client is a patient and e.g. a parent, who has a contract with the practice to settle accounts of a patient.

The RP may approach a DS whose consent is required and who has not previously withheld such consent, only once in order to request the consent of that DS. The RP may only process the PI of a DS who is a customer of the RP:

  • if the RP has obtained the contact details of the DS in the context of the sale of a product or service;
  • for the purpose of direct marketing of the RP’s own similar products or services; and
  • if the DS has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details
    • at the time when the information was collected; and
    • on the occasion of each communication with the DS for the purpose of marketing if the DS has not initially refused such use.

Any communication for the purpose of direct marketing must contain

  • details of the identity of the sender or the person on whose behalf the communication has been sent; and
  • an address or other contact details to which the recipient may send a request that such communications cease.

Take note: It is advisable that the practice obtain in their client forms permission to send marketing messages, e.g. reminders of 6 months dental appointments, communication of new services or products.


4. Profiling of DS (with legal consequences) based on the automated processing of PI (Section 71)

A DS may not be subject to a decision which results in legal consequences for him, her or it, or which affects him, her or it to a substantial degree, which is based solely on the basis of the automated processing of PI intended to provide a profile of such person including his or her performance at work, or his, her or its credit worthiness, reliability, location, health, personal preferences or conduct.
This prohibition is not applicable if the decision:
  1. has been taken in connection with the conclusion or execution of a contract, and
    1. the request of the DS in terms of the contract has been met; or
    2. appropriate measures* have been taken to protect the DS’s legitimate interests; or
  2. is governed by a law or code of conduct in which appropriate measures are specified for protecting the legitimate interests of DS.
* The appropriate measures must:
  1. provide an opportunity for a DS to make representations about such a decision; and
  2. require a responsible party to provide a DS with sufficient information about the underlying logic of the automated processing of the information relating to him or her to enable him or her to make such representations.


5. The transfer of PI to other countries (Section 72)

A RP in South Africa may not transfer PI about a DS to a third party who is in a foreign country unless:

  1. the third party who is the recipient of the PI is subject to a law, binding corporate rules or binding agreement which provide an adequate level of protection that
    1. effectively upholds principles for reasonable processing of the PI that are substantially similar to the conditions for the lawful processing of PI relating to a DS who is a natural person and, where applicable, a juristic person; and
    2. includes provisions, that are substantially similar to the POPIA, relating to the further transfer of PI from the recipient to third parties who are in a foreign country;
  2. the DS consents to the transfer;
  3. the transfer is necessary for the performance of a contract between the DS and the RP, or for the implementation of pre-contractual measures taken in response to the DS’s request;
  4. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the DS between the RP and a third party; or
  5. the transfer is for the benefit of the DS, and
    1. it is not reasonably practicable to obtain the consent of the DS to that transfer; and
    2. if it were reasonably practicable to obtain such consent, the DS would be likely to give it.

Some definitions:

  • "Binding corporate rules" means personal information processing policies, within a group of undertakings, which are adhered to by a responsible party or operator within that group of undertakings when transferring personal information to a responsible party or operator within that same group of undertakings in a foreign country; and
  • "Group of undertakings" means a controlling undertaking and its controlled undertakings.