POPIA and the Healthcare Practice

  1. The personal information of a client/patient is her property. Every piece of data of, relating to, about or touching on a client/patient is potentially personal information in terms of POPIA;

  2. Section 12 of POPIA determines that data must be collected from the client/patient herself, unless she gives consent that it may be collected from another source. Collection of the information from another source is acceptable if
  • it would not prejudice a legitimate interest of the data subject;
  • compliance would prejudice a lawful purpose of the collection; or if
  • compliance is not reasonably practicable in the circumstances of the particular case.

  3. She must give informed consent for you to collect and process the information. It is best to obtain consent in writing, making it clear that she has rights in terms of POPIA, and to have the client sign this consent. Discuss this as part of the first consultation, and note the discussion;

  4. POPIA makes you the responsible party for adherence to POPIA, for lawful processing, and for keeping personal information secure. You must register as an information officer or appoint the head of your practice as information officer, and register this person. This must be done before 30 June 2020 and can be done online, which seems to be a relatively easy process, by following the “portal” link top-right in the menu at:

  5. You may only collect information that is strictly necessary for the specific purpose of the client's or patient's visit.

  6. You may only use the information collected for that specific purpose and nothing else.

  7. The client/patient may request to see the information, have the information amended, and have it deleted (forgotten).

  8. The information collected must be accurate and relevant/essential with regard to the specific purpose for which it was collected. If that relevance changes over time, the information becomes inaccurate and must be deleted. Publication of client information should only be done after de-identification of that client and with written consent. De-identification must leave the information totally anonymous.

  9. You must be transparent in all of these, and also about the length of time the information will be kept. The HPCSA requires that records be kept for a minimum of 6 years, after which records should be destroyed, except where the records remain relevant, for example because they have historic or academic value.

  10. You must take reasonable steps to secure the information you process against data loss or theft. This is a POPIA requirement, but it has always been required by the HPCSA guidelines.

  11. Data loss, breaches of security and theft must be reported and may be investigated as part of the obligation of transparency.

  12. Build and execute a POPIA policy. This is a minimum requirement in terms of POPIA. Inform and instruct everyone in the practice regarding the policy and its execution. Prepare a privacy policy, and review and implement contracts with third-party suppliers of services.