Best Practice Guidelines: Healthcare Practice Management & POPIA Compliance Framework

Copyright © 2021 GoodX Software. All rights reserved.

3. The POPIA Compliance Framework: Implementing the POPIA Provisions


The following abbreviations apply throughout these guidelines (in alphabetical order):

  • CP - Competent Person
  • DIO - Deputy Information Officer
  • DS - Data Subject
  • IO - Information Officer (Private)
  • IR - Information Regulator (State)
  • LIA - Legitimate Interest Assessment
  • NDA - Non-Disclosure Agreement (terms to secure confidentiality between parties)
  • PAIA - Promotion of Access to Information Act 2 of 2000
  • PI - Personal Information
  • PIIA - Personal Information Impact Assessment
  • POPIA - Protection of Personal Information Act 4 of 2013
  • RP - Responsible Party
  • SPI - Special Personal Information


All the provisions of the Protection of Personal Information Act 4 of 2013 (the POPIA) commenced on 1 July 2020. However, a one-year grace period (ending 30 June 2021) applies, during which every business must get its house in order. The POPIA sets out eight conditions for the lawful processing of personal information, together with other legal requirements. The diagram below summarises the eight conditions for the lawful processing of PI:

For detailed information on the POPIA and how it applies to the healthcare practice:

  1. read our book An introduction to the protection of personal information in the healthcare practice (you can find this book on the GoodX Learning Centre under the Data Management book on the bookcase); and/or
  2. enrol for our CPD course (details available on the GoodX website).
This book assumes that you are familiar with the information in the introduction book. Some information has been duplicated where we felt it necessary for ease of reference. However, if you are unfamiliar with the provisions of the POPIA, please consult the introduction book first before continuing with these chapters.

The compliance framework

The condition of accountability requires that every medical practice be proactive and organised about their approach to data protection while demonstrating their compliance by providing evidence of the steps taken to comply. To achieve this, the practice must create a compliance framework by which systematic and demonstrable compliance is embedded across the practice. Amongst other things, a compliance framework should include:

  1. robust programme controls informed by the requirements of the POPIA;
  2. appropriate reporting structures;
  3. implementation of comprehensive but proportionate policies and procedures for handling PI;
  4. appropriate training to ensure a good level of understanding and awareness of data protection amongst employees;
  5. assessment procedures; and
  6. keeping records of what is done and why.

This book has been developed to be used as the first document in the practice's compliance framework. It contains the best practices for the healthcare practice and provides checklists to ensure that all the POPIA provisions are implemented in every area of the practice and in its critical business processes. Once the practice's own policies and documents are added to it, it can serve as the compliance framework for your practice.

Implementation of the POPIA & Action Maps

The Act is not arranged in an order that helps a healthcare practice implement the provisions of the POPIA systematically. We have therefore developed the diagram below to help the practice implement the requirements stage by stage.

This diagram is the basis of our action maps that will guide the implementation of the POPIA provisions per logical stage:

The four implementation stages are:

  1. Establishing Compliance - the first step toward compliance - getting new policies and procedures in place.
  2. The Collection Stage - making sure the collection process complies with the law.
  3. Compliance Continuity - making sure compliance is maintained as an ongoing process.
  4. The Post-use Stage - what happens after PI is no longer in active use.

Each of these stages consists of between two and eight collections of requirements. We have grouped the provisions and practicalities so that the practice can follow a logical system when implementing the POPIA provisions.

The action maps:

  1. The first row in all the action maps is the four stages of compliance, as seen on the diagram. The active stage is highlighted so that it is easy to see the stage within the big picture.
  2. The second (and third) row(s) in the action maps are systematic collections of requirements. The active collection is highlighted.
  3. The icon indicates which requirements are expanded into a checklist.
  4. The checkboxes provide an easy way to make sure all items/requirements are checked.

Information & Checklists

The sub-chapters of this book contain the following information:
  1. An overview of the roles involved in the processing of personal information;
  2. POPIA relationships in the practice (for a detailed discussion, see the introduction book on the POPIA);
  3. Action maps for each stage that expand into the requirements of the POPIA - it will make checking the boxes easier;
  4. A summary checklist for information necessary in the policy document of the practice;
  5. A summary checklist for documents to be attached to the compliance framework.

POPIA indicators in the Critical Business Processes chapters

In the chapters on the critical business processes, we will use the following icon so that you will immediately see which information is relevant to POPIA compliance: