POPIA and the Healthcare Practice

  1. The personal information of a client/patient is her property. Every piece of data of, relating to, about or touching on a client/patient is potentially personal information in terms of POPIA;

  2. Section 12 of POPIA determines that data must be collected from the client/patient herself, unless she gives consent that it may be collected from another source. Collection of the information from another source is acceptable if:
  • it would not prejudice a legitimate interest of the data subject;
  • compliance would prejudice a lawful purpose of the collection; or if
  • compliance is not reasonably practicable in the circumstances of the particular case.
  1. She must give informed consent for you to collect and process the information. It is best to get consent in writing, make it clear that she has rights in terms of POPIA, and have the client sign this consent. Discuss this as part of the first consultation, and note the discussion;

  1. POPIA makes you the responsible party for adherence to POPIA and for the lawful processing and safekeeping of personal information. You must register as an information officer or appoint the head of your practice as information officer, and register this person. This must be done before 30 June 2020 and can be done online with which seems to be a relatively easy process by following the “portal” link top-right in the menu at:

  1. You may only collect information that is strictly necessary for the specific purpose of the visit of the client or patient.

  1. You may only use the information collected for that specific purpose and nothing else.

  1. The client/patient may request to see the information, have the information amended, and have it deleted (forgotten).

  1. The information collected must be accurate and relevant/essential with regard to the specific purpose for which it was collected. If that relevance changes over time, information becomes inaccurate and must be deleted. Publication of client information should be done after de-identification of that client and with written consent. De-identification must leave the information totally anonymous.

  1. You must be transparent in all of these, and also about the length of time the information will be kept. HPCSA requires that records be kept for a minimum of 6 years, after which records should be destroyed, except if the records have relevance, for example if they have historic or academic value.

  1. You must take reasonable steps to secure the information you process against data loss or theft. This is a POPIA requirement but has always been required by the HPCSA guidelines.

  1. Data loss or a breach of security/theft must be reported and may be investigated as part of the obligation of transparency.

  1. Build and execute a POPIA policy. This is a minimum requirement in terms of POPIA. Inform and instruct everyone in the practice regarding the policy and execution thereof. Prepare a privacy policy, and review and implement contracts with third-party suppliers of services.

POPIA and Community Schemes

POPIA sets out principles or conditions, and therefore a framework for lawful processing of personal information. It applies to any person or organisation who processes personal information. Its purpose is to protect personal information by ensuring transparent processing thereof.

Application to and by every community scheme within this framework will be unique. However, certain matters will be the same for all schemes.

POPIA protects certain basic human rights enshrined in our Constitution, such as a right to privacy, and it brings the South African statutory framework in line with a major piece of regulation in the European Union, namely the General Data Protection Regulation (GDPR).

Underlying Principle 1: The fundamental building block, purpose and point of departure of POPIA is to safeguard personal information against misuse when processed by parties given this responsibility in the act (designated the responsible party), to “give effect to (our) constitutional right to privacy”, and to ensure transparency when dealing with personal information.

POPIA limits and balances this fundamental purpose by recognising and allowing for other constitutional rights, such as the right of access to information, and interests such as the free flow of information.
