Best Practice Guidelines: Healthcare Practice Management & POPIA Compliance Framework

Copyright © 2021 GoodX Software. All rights reserved.

GoodX online Learning Centre

learning.goodx.co.za

2. The POPIA Compliance Framework: Implementing the POPIA Provisions

Abbreviations

The following abbreviations apply throughout these guidelines (in alphabetical order):

  • CP - Competent Person
  • DIO - Deputy Information Officer
  • DS - Data Subject
  • IO - Information Officer (Private)
  • IR - Information Regulator (State)
  • LIA - Legitimate Interest Assessment
  • NDA - Non-Disclosure Agreement (terms to secure confidentiality between parties)
  • PAIA - Promotion of Access to Information Act 2 of 2000
  • PI - Personal Information
  • PIIA - Personal Information Impact Assessment
  • POPIA - Protection of Personal Information Act 4 of 2013
  • RP - Responsible Party
  • SPI - Special Personal Information

Introduction

The commencement date for the provisions of the Protection of Personal Information Act 4 of 2013 (the POPIA) was 1 July 2020. A one-year grace period followed, during which all businesses had to bring their processing into line, and on 1 July 2021 compliance became enforceable. The POPIA sets out eight conditions for the lawful processing of personal information, together with other legal requirements. The diagram below summarises the eight conditions for the lawful processing of PI (accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and data subject participation):


For detailed information on the POPIA and how it applies to the healthcare practice:

  1. read our book An introduction to the protection of personal information in the healthcare practice (you can find this book on the GoodX Learning Centre under the Data Management book on the bookcase); and
  2. enrol on our CPD course available on our GoodX Courses Platform.
This practice management guidelines book assumes that you are familiar with the information in the POPIA book. Some information has been repeated where we felt it was necessary for ease of reference. However, if you are unfamiliar with the provisions of the POPIA, please consult the introduction book first so that the POPIA information in this book will make sense.


The compliance framework

The condition of accountability requires every medical practice to be proactive and organised in its approach to data protection and to demonstrate its compliance by providing evidence of the steps taken to comply. To achieve this, the practice must create a compliance framework through which systematic and demonstrable compliance is embedded across the practice. Amongst other things, a compliance framework should include:

  1. robust programme controls informed by the requirements of the POPIA;
  2. appropriate reporting structures;
  3. comprehensive but proportionate policies and procedures for handling PI;
  4. proper training to ensure a good level of understanding and awareness of data protection amongst employees;
  5. assessment procedures; and
  6. records of what is done and why.

This book has been developed to be the first document in the practice's compliance framework. It contains the best practices for the healthcare practice and can be read in conjunction with the POPIA action maps to ensure that all the POPIA provisions are implemented in every critical business process. Once the practice's own policies and documents are added to it, this book can serve as the compliance framework for your practice.


Implementation of the POPIA & Action Maps

The Act is not arranged in an order that helps the healthcare practice implement the provisions of the POPIA systematically. We have therefore developed the diagram below to help the practice implement the requirements systematically, stage by stage.

This diagram is the basis of our action maps that will guide the implementation of the POPIA provisions per logical stage:


The four implementation stages are:

  1. Establishing Compliance - the first step toward compliance - getting new policies and procedures in place.
  2. The Collection Stage - making sure the collection process complies with the law.
  3. Compliance Continuity - making certain compliance is maintained as an ongoing process.
  4. The Post-use Stage - what happens after PI is no longer in active use.

Each of these stages consists of either two or eight collections of requirements. We have grouped the provisions and practicalities into a checklist so that a logical sequence can be followed when implementing the POPIA provisions.

The action maps:

Example:


  1. The first row in every action map shows the four stages of compliance, as in the diagram. The active stage is highlighted so that it is easy to place within the bigger picture.
  2. The second (and, where present, third) row in the action maps lists the systematic collections of requirements. The active collection is highlighted.
  3. The icon indicates which requirements are expanded into a checklist.
  4. The checkboxes provide an easy way to confirm that every item or requirement has been addressed.

These action maps can be downloaded as a PDF document from the online Learning Centre. Click on the Data Management book on the bookcase and scroll to the heading "The Protection of Personal Information". The booklet is called "POPIA implementation: Action Maps with Stages of Implementation".


POPIA indicators in the Critical Business Processes chapters

In the chapters on the critical business processes, we use the following icon so that you can immediately see which information is relevant to POPIA compliance: