POPIA and your responsibilities
POPIA came into force on 1 July 2020. Given the current situation, you can be forgiven for having missed the news, but as a business owner it affects you directly.
The act's reach is wide. It regulates every organisation that processes personal information, whether that information concerns employees, patients or suppliers, and it applies equally to processing you have outsourced to a third party.
POPIA aims to promote the protection of privacy through providing guiding principles that are intended to be applied to the processing of personal information in a context-sensitive manner. A person’s right to privacy entails having control over his or her personal information and being able to conduct his or her affairs relatively free from unwanted intrusions.
The key question you need to ask is, "Am I processing personal information?" Processing is broadly defined as any operation performed on personal information, including its collection, receipt, recording, storage, use, dissemination and destruction.
Medical professionals are Responsible Parties under POPIA and must meet its eight conditions for lawful processing. These are:
1. Accountability – you are responsible for ensuring that the conditions below are met
2. Processing limitation – you may only process personal information lawfully, with a valid justification, and only as much of it as your practice needs
3. Purpose specification – you may only collect personal information for a specific, explicitly defined purpose
4. Further processing limitation – any further processing of the information must be compatible with the purpose for which it was originally collected
5. Information quality – you must take reasonable steps to keep personal information complete, accurate and up to date
6. Openness – you must tell your patients why their information is being collected and how it will be used
7. Security safeguards – you must secure the integrity and confidentiality of personal information against loss, damage and unauthorised access
8. Data subject participation – you must allow patients to access their personal information and to request that it be corrected or deleted.
You may only collect personal information for a specific, explicitly defined and lawful purpose and the patient must be aware of the purpose for which the information is being collected.
Once the personal information is no longer needed for the purpose it was collected for, you may not keep it in identifiable form: it must be destroyed, deleted or de-identified. The exceptions are where you are required or permitted by law to retain the record, where you reasonably need it for your own lawful purposes, where a contract between you and the patient requires it, or where the patient has consented to you keeping it.
POPIA also extends to the physical security of personal information, whether it is held on servers or in paper form in your offices (such as patient files). These controls are as much a part of your obligations as your electronic safeguards, and as the business owner you carry full responsibility for securing this information.
If you are unsure of whether your current policies and process adequately cover your responsibility, please feel free to contact us. We have the expertise and resources to guide you through this business challenge.