ARTICLE
17 September 2024

Draft Regulations On Processing Health And Sex Life Data Under POPIA

E
ENS

Contributor

ENS is an independent law firm with over 200 years of experience. The firm has over 600 practitioners in 14 offices on the continent, in Ghana, Mauritius, Namibia, Rwanda, South Africa, Tanzania and Uganda.
The Information Regulator has published final draft regulations under Section 112(2)(c) of the Protection of Personal Information Act, No. 4 of 2013 ("POPIA")...
South Africa Food, Drugs, Healthcare, Life Sciences

The Information Regulator has published final draft regulations under Section 112(2)(c) of the Protection of Personal Information Act, No. 4 of 2013 ("POPIA") outlining the conditions under which certain responsible parties may process personal information concerning the health or sex life of data subjects (the "Regulations").

Interested parties are invited to attend a consultative session on 26 September 2024 at 10:00 via MS Teams (link still to be provided) to share their inputs.

Application

The Regulations apply to the processing of health or sex life information by the following responsible parties:

2.1.1 Insurance Companies;

2.1.2 Medical Schemes;

2.1.3 Medical Scheme Administrators;

2.1.4 Managed Healthcare Organisations;

2.1.5 Administrative Bodies;

2.1.6 Pension Funds;

2.1.7 Employers;

2.1.8 Operators of responsible parties mentioned in paragraphs 2.1.5, 2.1.6, and 2.1.7

The Regulations, amongst others, deals with the following:

Consent

The Regulations provide, amongst others, that responsible parties mentioned above may not process health or sex life information unless consent has been obtained from the data subject. Consent must be in writing and where such consent is obtained telephonically, it must be recorded and must include a statement that consent may be withdrawn at any time by the data subject or by the competent person or next of kin.

LIA's

The Regulations also state that where responsible parties process health or sex life information relying on legitimate interest, it must conduct a Legitimate Interest Assessment ("LIA") prior to processing and must retain a record of the LIA. The Regulations requires a three-staged assessment to be followed.

Regulator's Authorisation

Processing of health or sex life information by responsible parties in the public interest must be authorised by the Information Regulator and application for approval must be submitted on Form A, attached to the Regulations.

Cross border transfers

Should a responsible party wish to transfer health or sex life information outside of South Africa, they must comply with requirements of section 72(1) of POPIA and must notify the data subject before deciding to transfer the information (complying with the requirements of sections 18(1)(g) and (h) of POPIA.

Record retention

Health and sex life information must be retained in accordance with the National Health Act, the National Archives of South Africa Act, PAIA and POPIA.

Destruction

A data subject's information must be destroyed or de-identified as soon as reasonably practicable after rejection or termination of any policy, employment, or contract.

The Regulations relating to the processing of health or sex life data under POPIA are essential for protecting sensitive personal information and ensuring that responsible parties manage such data with the utmost care. It is crucial for the relevant entities involved in the processing of such data to stay informed about these regulations and implement measures to ensure full compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More