The Information Regulator has published final draft regulations under Section 112(2)(c) of the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") outlining the conditions under which certain responsible parties may process personal information concerning the health or sex life of data subjects (the "Regulations").
Interested parties are invited to attend a consultative session on 26 September 2024 at 10:00 via MS Teams (link still to be provided) to share their inputs.
Application
The Regulations apply to the processing of health or sex life information by the following responsible parties:
2.1.1 Insurance Companies;
2.1.2 Medical Schemes;
2.1.3 Medical Scheme Administrators;
2.1.4 Managed Healthcare Organisations;
2.1.5 Administrative Bodies;
2.1.6 Pension Funds;
2.1.7 Employers;
2.1.8 Operators of the responsible parties mentioned in paragraphs 2.1.5, 2.1.6, and 2.1.7.
The Regulations deal, amongst other things, with the following:
Consent
The Regulations provide, amongst other things, that the responsible parties mentioned above may not process health or sex life information unless consent has been obtained from the data subject. Consent must be in writing; where consent is obtained telephonically, it must be recorded. The consent must include a statement that it may be withdrawn at any time by the data subject, or by a competent person or next of kin.
LIAs
The Regulations also state that where responsible parties process health or sex life information in reliance on legitimate interest, they must conduct a Legitimate Interest Assessment ("LIA") prior to processing and must retain a record of the LIA. The Regulations require a three-stage assessment to be followed.
Regulator's Authorisation
Processing of health or sex life information by responsible parties in the public interest must be authorised by the Information Regulator, and an application for approval must be submitted on Form A, attached to the Regulations.
Cross-border transfers
Should a responsible party wish to transfer health or sex life information outside of South Africa, it must comply with the requirements of section 72(1) of POPIA and must notify the data subject before deciding to transfer the information (complying with the requirements of sections 18(1)(g) and (h) of POPIA).
Record retention
Health and sex life information must be retained in accordance with the National Health Act, the National Archives of South Africa Act, PAIA and POPIA.
Destruction
A data subject's information must be destroyed or de-identified as soon as reasonably practicable after rejection or termination of any policy, employment, or contract.
The Regulations relating to the processing of health or sex life data under POPIA are essential for protecting sensitive personal information and ensuring that responsible parties manage such data with the utmost care. It is crucial for the relevant entities involved in the processing of such data to stay informed about these regulations and implement measures to ensure full compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.