Recently, the Information Regulator circulated draft Regulations on Processing Health and Sex Life Data under the Protection of Personal Information Act (‘POPIA’). Applicable to listed responsible parties processing personal information regarding data subjects’ health or sex life for circumscribed activities, the proposed Regulations govern, inter alia, the provision of consent, cross-border transfers of information, retention of records, and destruction of information.
Section 26(1) of POPIA imposes a general prohibition on processing personal information regarding a data subject’s health and sex life. Section 32(1), however, creates an exemption for various responsible parties, including medical professionals, schools, and managed healthcare companies, for defined purposes. In this instance, the proposed Regulations are intended to apply to insurance companies, medical schemes, and scheme administrators, if the processing of a subject’s health and sex life data is necessary to assess risk, ensure the performance of an agreement, or enable the enforcement of a subject’s contractual rights and obligations. In practice, the Regulations would apply to an insurance company conducting medical tests on an insured individual to ascertain whether they are entitled to be paid out.
Similarly, the draft Regulations apply to employers, pension funds, and administrative bodies, among other entities, in instances where processing health and sex life data is necessary to implement various laws or collective agreements establishing rights dependent on this information, or to reintegrate individuals entitled to receive benefits flowing from work incapacity or illness.
To operationalise this objective, the proposed Regulations require the abovementioned entities to provide informed consent in writing. If the data subject’s consent is obtained telephonically, this must be recorded – along with the proviso that consent may be withdrawn at any time. Moreover, the Information Regulator is required to authorise the processing of health and sex life data by responsible parties in the public interest. Requests for approval must be submitted by completing Form A, which is attached to the Regulations.
According to the draft Regulations, if a responsible party wishes to transfer a data subject’s health or sex life information beyond the borders of South Africa, said party must adhere to the requirements articulated under section 72(1) of POPIA and notify the data subject before electing to transfer their data.
Importantly, the proposed Regulations stipulate that subjects’ health and sex life data must be managed and retained in line with the provisions of POPIA, the National Health Act, and the National Archives of South Africa Act. In the event that a policy, employment contract or other relevant agreement is rejected or terminated, a responsible party is mandated to destroy the data subject’s health or sex life information as soon as practicably possible.
In summation, the draft Regulations purport to expand the regulatory framework governing the processing of personal information. In the context of the management of health and sex life data, the proposed Regulations are vital to ensure that responsible parties comply with POPIA and handle sensitive information with the utmost care. Accordingly, it is imperative for entities involved in the collection and processing of this information to remain informed and adopt measures to facilitate compliance, if and when the Regulations are finalised.
For compliance-related legal advice or assistance, contact compliance@stbb.co.za.