Best Practice Guidelines: Healthcare Practice Management & POPIA Compliance Framework
Best Practice Guidelines: Healthcare Practice Management
POPIA Compliance Framework
Copyright © 2021 GoodX Software. All rights reserved.
GoodX online Learning Centre
3. The POPIA Compliance Framework: Implementing the POPIA Provisions
3.1. Choosing between the 6 grounds for lawful processing
All processed information should be categorised per ground for processing before processing starts. This means that the practice must review the information that is being collected and document which information falls into which ground for processing.
There are 6 lawful grounds for processing personal information:
- Is it necessary for the conclusion or performance of a contract?
- Is it necessary for compliance with legislation?
- Are you protecting a legitimate interest of the DS? (They can object.)
- Are you pursuing a legitimate interest for your practice or a third party? (They can object.)
- Do you have the consent of the DS / CP? (You should consider this as a last resort.)
- Are you a public body performing a public law duty? (They can object.)
The RP can process PI if the processing is necessary to carry out actions for the conclusion or performance of a contract to which the DS is a party.
- Processing PI of a patient who contracts the practitioner for healthcare services.
- Sharing PI of a patient with the medical aid so that the account can be settled.
- Processing PI of an employee.
- Processing PI of a parent/guardian/other party who takes responsibility for settlement of the account on behalf of a patient, be it a minor patient or not.
- Processing PI of a bureau.
The RP can process PI if the processing complies with an obligation imposed by law on the responsible party.
- Processing PI of a patient in terms of the obligations imposed by the HPCSA with regards to minimum information to be kept for medical records.
- Processing PI of employees to comply with the SARS tax provisions.
- Processing PI of patients to co-operate with Healthcare Inspectors.
3. Legitimate interests of the DS
The RP can process PI if the processing protects a legitimate interest of the data subject.
- Processing PI to save the life of the unconscious emergency patient (without the co-operation of the patient, there can be no contract).
- Obtaining next of kin information from an employee, the next of kin being another DS, in order to be able to contact the next of kin in case of an emergency.
- Sending a patient's PI to the medical aid for pre-authorisation of a procedure.
4. Legitimate interests of the RP / 3rd party
The RP can process PI if the processing is necessary for pursuing the legitimate interests of the RP or of a third party to whom the information is supplied.
Take note: A LIA must be completed if the practice is to rely on this ground for processing PI so that it is reportable.
- The practice hands the patient over to a debt collecting company. This is to pursue the interest of the practice. No patient will give consent for this! ;-)
- The practice shares information with the employer of the patient in an injury on duty claim to pursue the legitimate interest of the third party, the patient employer.
Legitimate interest is the most flexible lawful ground for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s PI in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
There are three elements to the legitimate interests ground. It helps to think of this as a three-part test. You need to:
- The purpose test (identify the legitimate interest);
- The necessity test (consider if the processing is necessary); and
- The balancing test (consider the individual’s interests).
The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
You must balance your interests against the DS. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.For more detailed information, see the chapter on the LIA in our POPIA introduction book.
The RP can process PI if the DS or a CP where the DS is a child consents to the processing.
As per the definition of consent, there are three elements of consent that need to be present in order for a RP party to rely on consent of the DS as a legal ground for processing PI:
- It must be voluntary;
- It must be specific;
- It must be informed so that a DS can truly consent to processing.
From these it is quite obvious that consent should be the last resort for processing PI, as there are numerous problems with the application of consent:
Example: A person is employed by the practice and included in the practice's employment contract is a consent form in terms whereof the employee gives consent that the practice may have access and the right to read the work emails received and sent by the employee by means of the practice's business email allocated to the employee.
Let's look at the pitfalls of consent as a lawful ground for processing:
- Voluntary: In some European countries the courts are now finding that those consents are not voluntary, as the employee is not on the same bargaining level as the employer. If any processing based on consent is found to lack the voluntary element, processing will be deemed illegal.
- Specific: Consent can never be open-ended. The processing and processing purpose must be clearly defined. General consent is not good enough to fulfil the requirement of specific consent. Consent needs to deal with the what, why, how, where and in each instance whether the information will be given to anyone else.
- Informed: The RP must be able to prove that the DS understood how his or her PI will be processed.
- The burden of proof: The RP bears the burden of proof that the DS consented to the processing of PI and if it is not in writing, it can be a serious problem.
- Withdrawal of consent: The DS can withdraw their consent at any time, whereafter the RP will not be able to process the PI anymore. This can lead to unworkable situations.
6. How to choose your lawful ground?
- This depends on your specific purposes and the context of the processing. You should think about why you want to process the PI, and consider which lawful ground best fits the circumstances.
- You might consider that more than one ground applies, in which case you should identify and document all of them from the start.
- You must not adopt a one-size-fits-all approach. No one ground should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the POPIA.
- Several of the lawful grounds relate to a particular specified purpose – a legal obligation, performing a contract with the individual or protecting someone’s legitimate interests. If you are processing for these purposes then the appropriate lawful ground may well be obvious, so it is helpful to consider these first.
- In other cases, you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:
- Who does the processing benefit?
- Would individuals expect this processing to take place?
- What is your relationship with the individual?
- Are you in a position of power over them?
- What is the impact of the processing on the individual?
- Are they vulnerable?
- Are some of the individuals concerned likely to object?
- Are you able to stop the processing at any time on request?
- You may prefer to consider legitimate interests as your lawful ground if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them.
- On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on an individual's consent.