
Understanding POPI

Gareth Gillespie guides you through the key aspects of South Africa’s new data protection law

The universal right to privacy of personal information is soon to be enshrined in law in South Africa, bringing the country in line with existing data protection laws around the world. The Protection of Personal Information (POPI) Bill – soon to be passed as an Act – has implications for all medical practitioners, and this article looks at what the legislation explicitly means to you.

It is important to note that POPI does not replace the HPCSA’s existing guidance on safeguarding confidential patient data. The HPCSA’s Confidentiality: Protecting and Providing Information contains all the key information you need to know about ensuring confidentiality and the various guidelines surrounding disclosure of confidential information in different scenarios.

POPI affects all private and public organisations that process information such as names, addresses, email addresses, health information and employment history, and it must still be complied with when the processing of that data is outsourced to third parties.

Collection

The first relevant area concerns the collection of personal information. Under POPI, such information may only be collected for the specific purpose of providing services to a particular subject (ie, patient). Alternatively, you may be a specialist who has been handed a patient’s personal information by another healthcare practitioner; again, this possession of information will only be held to be in the patient’s legitimate interests if you are providing your services to that patient.

A specific new obligation created by POPI is that once personal information has been collected from another source, the medical practitioner must take reasonable steps to inform the patient of this, together with the source of the information and the purpose for which it has been collected. This can be relayed to the patient either orally or in writing.

Preservation 

Any personal information you hold must be protected from loss, damage or unauthorised destruction, and unlawful access – you will be expected by law to implement reasonable technical and organisational measures to ensure this protection is in place.

However, POPI does make provision for the resources of your organisation, as well as the nature of the information itself, stating that this will be taken into account when deciding what technical and organisational measures are reasonable.

As a minimum, healthcare workers will be expected to identify all reasonably foreseeable internal and external risks, establish appropriate safeguards, and regularly review these safeguards and update them when new risks emerge. MPS recommends you carry out a risk assessment and draw up a protocol that sets out this information.


Examples of foreseeable risks are:

  • Access to information
    • Any employee requiring access to patient information should be identified, and their employment agreements checked to ensure they have agreed in writing to treat all such information as strictly confidential.
    • Individual passwords to access the information should be given, which should be updated from time to time. A generic password for all staff is not effective in preventing breaches in confidentiality.
  • Accidental destruction
    • ‘Crashing’ of hard drives or servers can lead to the destruction of personal information. Suitable back-up should be in place to either limit or prevent this.
  • Theft
    • Ensure hard copies of patient information are stored securely in locked filing cabinets or rooms. Patient files should never be left unattended on the reception counter of a busy waiting room. 

Third party access

Under the terms of POPI, the arrangements around third party access to patient information broadly match the guidelines set out by the HPCSA. This means that patient consent is needed in most situations but is not necessary in others – see the Casebook article, “Disclosing patient records” (Vol 20 No 3, September 2012), for a comprehensive summary of such circumstances.

Another example of third party access is where an IT service provider has been tasked with installing new software in your practice or hospital. According to the rules of POPI, the service provider (the “operator”, in POPI’s terminology) may only process personal information if the responsible party (you, as the practitioner holding the information) is aware of it, and as long as the operator has agreed to treat all personal information they encounter as confidential. The operator must also notify the responsible party if any information is leaked to an unauthorised party – it is recommended that all this is agreed in writing.

Information leak

Any suspicion, on reasonable grounds, that personal information has been accessed or acquired by an unauthorised person must be reported to both the patient and the Information Regulator. This notification must be in writing, and must provide sufficient information to allow the patient to take protective measures. This should include:

  • The possible consequences of the disclosure
  • A description of the measures that you intend to take
  • Disclosure of the identity of the individual who made the unauthorised access. 

Failing to comply with POPI

Failure to observe and comply with the provisions of POPI can lead to a variety of implications for healthcare practitioners – some of which are potentially very serious. These are:

  • A complaint lodged with the Information Regulator
  • Receiving a civil claim for payment of any damages
  • Criminal prosecution – if convicted there could be a fine up to R10 million or a prison sentence up to ten years, or even both. 

Ask MPS

POPI places an extra responsibility on practitioners to monitor and self-report their own flow of personal information. MPS is on hand to provide advice and guidance with these new obligations, particularly if you are preparing to report a possible breach of personal information to the Information Regulator and a patient.

With thanks to Gerhardt van der Merwe of MacRobert Attorneys for his assistance with this article.
