In the recent judgment of Divine Inspiration Trading 205 (Pty) Limited and another v Katherine Gordon and 2 others, the Western Cape High Court found, in essence, that the rules of court override the interests protected under the Protection of Personal Information Act, 2013 ("POPIA") and ordered that personal information be disclosed.
In this matter, the applicants sought an order for the disclosure of Ms Gordon's medical records from her medical practitioners. The medical records were required for the determination of an action wherein Ms Gordon was suing the applicants for damages of ZAR7-million (as a result of injuries she sustained in an accident when she visited the applicants' premises).
Ms Gordon's medical practitioners refused to make the medical records available to the applicants, despite having received a subpoena, on the basis that the National Health Act, 2003 directs that records cannot be disclosed without Ms Gordon's consent.
Prior to the launching of the application, the applicants delivered a notice in terms of rule 35(3) requesting Ms Gordon to make the medical records available but the request was refused on the grounds that they are not in her possession. Ms Gordon opposed the application for the disclosure of the records on the grounds that the discovery thereof would infringe on her right to dignity and privacy and that the disclosure of these documents would impinge on her rights under POPIA.
Section 11 of POPIA came into consideration by the parties and the court. This section provides that personal information may only be processed if:
"(c) processing complies with an obligation imposed by law on the responsible party;
(f) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied"
The court rejected Ms Gordon's argument that the disclosure of her medical records would unjustifiably trample on her rights. In rejecting this, the court highlighted that section 11(3) provides that a data subject (Ms Gordon) may object to the processing of personal information in limited circumstances. In carving out this exception, the legislature specifically excluded the processing of information where it is required to comply with an obligation imposed by law. The legislature had therefore made provision for the processing of information irrespective of an objection received from a data subject.
The court found that Ms Gordon's medical practitioners are responsible parties (as defined by POPIA) and an obligation to deliver the medical records had been imposed on them by law by virtue of them having received the subpoenas. The court did, however, accept that Ms Gordon could, in terms of section 11(3) of POPIA, object to the processing of her information and consequently, that the responsible party would no longer be in a position to process her personal information.
In balancing these sections, the court had regard to section 12(2)(d)(iii) of POPIA which permits the collection of data from a source other than the data subject when it is required for the conduct of proceedings in any court or tribunal. This is further supported by section 15(3)(c)(iii) of POPIA which provides that the further processing of personal information once it has been collected is allowed if it is necessary for the conduct of proceedings in any court.
Rather surprisingly, the court did not consider the fact that POPIA will only become fully effective on 1 July 2021 and that health information constitutes "special personal information".
After 1 July 2021, when POPIA is fully in effect, it is likely that there will be a spike in data subjects relying on the rights afforded by POPIA during the course of litigation proceedings (for instance in utilising data subject access requests as alternative mechanisms to obtain disclosure of documents or in objecting to arbitration proceedings on the basis of data protection concerns). Undoubtedly, there are many unknowns in respect of POPIA litigation. However, one thing is certain: litigation involving of POPIA is inevitable.
ENSafrica provides comprehensive and full-service data privacy and data-breach advice and assistance, including:
- pre-breach services to assist with the protection of data privacy, the preparation of data-management and security policies, incident response plans and coaching, contracts and procedures for businesses, information officer training services and advice on all aspects of POPIA, including trans-border transfers of personal information; and
- post-breach services to assist with breach-response and mitigation of liability, breach notifications and regulatory investigations, and complex litigation matters involving data-breaches.
We also provide comprehensive coverage advice to clients in relation to cyber insurance policies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.