Best Practice Guidelines: Healthcare Practice Management & POPIA Compliance Framework
Copyright © 2021 GoodX Software. All rights reserved.
GoodX online Learning Centre
3. The POPIA Compliance Framework: Implementing the POPIA Provisions
The following abbreviations apply throughout these guidelines (in alphabetical order):
- CP - Competent Person
- DIO - Deputy Information Officer
- DS - Data Subject
- IO - Information Officer (Private)
- IR - Information Regulator (State)
- LIA - Legitimate Interest Assessment
- NDA - Non-Disclosure Agreement (terms to secure confidentiality between parties)
- PAIA - Promotion of Access to Information Act 2 of 2000
- PI - Personal Information
- PIIA - Personal Information Impact Assessment
- POPIA - Protection of Personal Information Act 4 of 2013
- RP - Responsible Party
- SPI - Special Personal Information
The commencement date for all the provisions of the Protection of Personal Information Act 4 of 2013 (the POPIA) was 1 July 2020. However, there is a one-year grace period from that date, during which all businesses must get their house in order. The POPIA contains eight conditions for the lawful processing of personal information as well as other legal requirements. The diagram referred to here summarises the eight conditions for the lawful processing of PI:
For detailed information on the POPIA and how it applies to the healthcare practice:
- read our book An introduction to the protection of personal information in the healthcare practice (you can find this book on the GoodX Learning Centre under the Data Management book on the bookcase); and/or
- enrol for our CPD course (details available on the GoodX website).
The compliance framework
The condition of accountability requires that every medical practice be proactive and organised in its approach to data protection, and that it demonstrate its compliance by providing evidence of the steps taken to comply. To achieve this, the practice must create a compliance framework through which systematic and demonstrable compliance is embedded across the practice. Amongst other things, a compliance framework should include:
- robust programme controls informed by the requirements of the POPIA;
- appropriate reporting structures;
- implementation of comprehensive but proportionate policies and procedures for handling PI;
- appropriate training to ensure a good level of understanding and awareness of data protection amongst employees;
- assessment procedures; and
- keeping records of what is done and why.
This book has been developed to be used as the first document in the practice's compliance framework. It contains the best practices for the healthcare practice and provides checklists to ensure that all the POPIA provisions are implemented in all areas of the practice and its critical business processes. Once the practice's own policies and supporting documents are added to it, this document can serve as the compliance framework for your practice.
Implementation of the POPIA & Action Maps
The Act does not follow an order that helps the healthcare practice implement the provisions of the POPIA systematically. Therefore, we have developed the diagram below to help the practice implement the requirements systematically, stage by stage.
This diagram is the basis of our action maps, which guide the implementation of the POPIA provisions per logical stage:
The four implementation stages are:
- Establishing Compliance - the first step toward compliance - getting new policies and procedures in place.
- The Collection Stage - making sure the collection process complies with the law.
- Compliance Continuity - making sure compliance is maintained as an ongoing process.
- The Post-use Stage - what happens after PI is no longer in active use.
Each of these stages consists of between two and eight collections of requirements. We have grouped the provisions and practicalities so that a logical system for implementing the POPIA provisions is easier to follow.
The action maps (example):
- The first row in all the action maps is the four stages of compliance, as seen on the diagram. The active stage is highlighted so that it is easy to see the stage within the big picture.
- The second (and third) row(s) in the action maps are systematic collections of requirements. The active collection is highlighted.
- The icon indicates which requirements are expanded into a checklist.
- The checkboxes provide an easy way to make sure all items/requirements are checked.
Information & Checklists
The sub-chapters of this book contain the following information:
- An overview of the roles involved in the processing of personal information;
- POPIA relationships in the practice (for a detailed discussion, see the introduction book on the POPIA);
- Action maps for each stage that expand into the requirements of the POPIA, making it easier to check the boxes;
- A summary checklist for information necessary in the policy document of the practice;
- A summary checklist for documents to be attached to the compliance framework.
POPIA indicators in the Critical Business Processes chapters
In the chapters on the critical business processes, we will use the following icon so that you will immediately see which information is relevant to POPIA compliance: