Overview of SECTION 112(2)(C) POPIA Health Regulations
Miranda Mkhumbuzi-Rasehala
Senior Legal Counsel | Retirement Funds & Employee Benefits Specialist
The Information Regulator (“IO”) has published a draft set of guidelines established under the Protection of Personal Information Act 4 of 2013, aimed at regulating the processing of health or sex life information by certain responsible parties. Interested parties were requested to take part in the consultative process including attending a session with the Regulator and submitting written comments. These draft regulations are crucial for ensuring the protection of sensitive personal data while balancing the needs of public health and safety.
Purpose and Scope
The primary purpose of these draft regulations is to provide a framework for the lawful processing of health and sex life information by responsible parties, which include entities such as insurance companies, retirement funds, employers and medical scheme administrators.
The draft regulations emphasize the importance of obtaining authorisation from the IO before processing such sensitive information, ensuring that the rights of data subjects are upheld.
Key Provisions
Consent Requirements
One of the fundamental aspects of these draft regulations is the requirement for consent. According to the draft regulations, consent must be provided in writing, and if obtained through telephonic communication, it must be recorded. The consent must also include a statement indicating that it can be withdrawn at any time by the data subject or their competent person or next of kin. If a data subject or their representative wishes to withdraw consent, this must also be done in writing or telephonically, with the responsible party taking reasonable security measures to verify the identity of the individual making the withdrawal.
Categories of Special Personal Information
The draft regulations specify that responsible parties must select a category of special personal information they intend to process, which includes health information and sex life information.
Prohibition on Disclosure
It is prohibited to disclose a data subject's health or sex life records to a third party without their consent, unless it is reasonably necessary for a lawful purpose. This provision emphasizes the importance of maintaining confidentiality and protecting the rights of data subjects.
Application for Authorisation
Responsible parties must apply for authorisation to process health or sex life information using a designated form (Form A) attached to the draft regulations. This application must be lodged in writing with the IO.
Public Interest Considerations
The draft regulations highlight that the public interest must be a key consideration in the processing of health information. Specifically, the public interest includes processing that is necessary for maintaining public health and safety, particularly in response to humanitarian crises such as epidemics. This provision underscores the need for a balance between individual privacy rights and the collective needs of society.
Security Measures
To protect sensitive health information, the draft regulations mandate responsible parties to implement appropriate security measures. These measures should address risks associated with electronic health records and ensure the proper disposal of such records to prevent unauthorised access or disclosure. Additionally, responsible parties are required to adopt technical security policies based on applicable standards to safeguard this information.
Rights of Data Subjects
The draft regulations affirm the rights of data subjects, including the right to lodge complaints with the IO if their health or sex life information is processed in violation of the draft regulations. Data subjects must also provide consent for their information to be disclosed to third parties, except in cases where such disclosure is necessary for lawful purposes.
Conclusion
The Section 112(2)(C) Health Regulations represent a significant step towards protecting sensitive personal information in the health sector. By establishing clear guidelines for the processing of health and sex life information, these draft regulations aim to safeguard individual privacy while addressing public health needs. Responsible parties must adhere to these draft regulations to ensure compliance and protect the rights of data subjects in an increasingly data-driven world.