POPIA Compliance for Health Data: Navigating Special Personal Information Requirements in Healthcare

By Wendy Tembedza, Partner at Webber Wentzel

Health data is one of the most valuable assets in modern healthcare, and the Protection of Personal Information Act, 2013 (POPIA) places strict requirements on its use.

Stakeholders in the healthcare sector understand the value of data in ensuring appropriate treatment for patients. With the proliferation of technologies such as artificial intelligence, which enable healthcare practitioners to derive valuable insights from the data they hold, the importance of managing data in a manner that ensures compliance with data protection laws must remain front of mind in all data processing activities.

This obligation is particularly acute given the volumes of data that evolving technologies allow healthcare institutions to collect and utilise. Importantly, when these larger datasets include special personal information, the obligation to process such information lawfully becomes even more significant. This is because POPIA regulates the processing of special personal information (which includes health and sex life information) more closely than it does other forms of personal information.

The implications of POPIA’s strict regulation of processing health and sex life information mean that, where a responsible party is considering collecting such data, an assessment must be made before collection to ensure that the intended processing activities will be lawful under POPIA. Conducting such an assessment prior to collection is integral to establishing a lawful basis for processing from the outset, as all handling of health and sex life information must remain lawful throughout the processing lifecycle, from collection and use to deletion and destruction.

POPIA establishes, as a starting point, a prohibition on processing health and sex life information unless a justification exists. One general exception is where the data subject has granted consent for such processing. It is important to note that consent is specifically defined under POPIA as an informed, voluntary expression of will. Importantly, consent must be specific and cannot be overly generalised. Any reliance on consent must therefore meet these definitional requirements. Ensuring compliance with these requirements is increasingly pertinent where data is used for purposes that differ from the reason for which it was initially collected.

POPIA provides additional exemptions for processing special personal information. For health information, POPIA permits processing by medical professionals, healthcare institutions or facilities, or social services, where such role players are providing healthcare services. POPIA also provides an exemption that applies to insurance companies, medical schemes, medical scheme administrators, and managed healthcare organisations in certain circumstances.

While POPIA creates these categories of exemptions, it is important to note that even where a role player falls within an exemption, this does not eliminate the obligation on a responsible party to comply with POPIA’s eight conditions for lawful processing. Any responsible party relying on an exemption must still ensure that processing activities are ultimately lawful and consistent with the standards of care contemplated under POPIA.

The use of automated means to make decisions about data subjects using their health and sex life information must also be carried out lawfully and in compliance with POPIA. A data subject may not be subjected to a decision that has legal consequences for them, or that otherwise affects them to a substantial degree, where such a decision is based solely on automated decision-making using their personal information, except in limited instances.

Notably, POPIA specifically identifies decisions about health as an example of decisions that could have legal consequences for, or otherwise substantially affect, a data subject. This highlights the importance of assessing all data processing activities, especially in sectors like healthcare, where there is growing reliance on technology to make diagnostic or treatment-related decisions.

The Information Regulator has recognised the importance of properly regulating the processing of health and sex life information in recently published Draft Regulations relating to the processing of such data by certain responsible parties. The Information Regulator notes that the primary purpose of these Draft Regulations is to assist responsible parties in implementing POPIA correctly and to provide better transparency to data subjects regarding their information.

The scope of application of the Draft Regulations includes insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations and pension funds.

The Information Regulator’s move to regulate the processing of health and sex life information more closely underscores the importance of ensuring that all such processing activities are undertaken with an increased measure of care. Organisations must therefore assess their processing activities routinely to ensure ongoing compliance with POPIA. This is particularly important as healthcare-related technologies continue to advance, creating new and innovative ways to use data in patient treatment.

Healthcare stakeholders must ensure that the use of such technologies complies with POPIA’s requirements and meets the standards established under the Act.
