Legal experts flag concerns with draft POPIA regulations on health data

Interested parties have until tomorrow (10 October) to submit comments on the Information Regulator’s proposed regulations that will affect how certain organisations may process personal information about a data subject’s health or sex life.

The Protection of Personal Information Act (POPIA) establishes a framework for the handling of personal data, with particular protections for sensitive categories such as information related to a data subject’s health or sex life.

On 26 September, the Information Regulator published draft regulations on the processing of health and sex life data, which seek to provide additional guidance and requirements for certain responsible parties. The draft regulations build on POPIA’s general prohibition under section 26(1) against processing such special personal information, while incorporating the exemptions outlined in section 32(1) for specific entities and purposes.

The regulations apply only to certain responsible parties for certain activities:

  • insurance companies;
  • medical schemes;
  • medical scheme administrators;
  • managed healthcare organisations;
  • administrative bodies;
  • pension funds (a pension fund organisation, as referred to in section 1 of the Pension Funds Act);
  • employers working for administrative bodies or pension funds (“employer” as defined in section 1 of the Occupational Health and Safety Act); and
  • institutions working for administrative bodies or pension funds.

In the case of insurance companies, medical schemes, medical scheme administrators, and managed healthcare organisations, the regulations apply if the processing of a data subject’s health and sex life data is necessary for:

  • assessing the risk to be insured by the insurance company or covered by the medical scheme, and the data subject has not objected to the processing;
  • the performance of an insurance or medical scheme agreement; or
  • the enforcement of any contractual rights and obligations.

The regulations apply to administrative bodies, pension funds, employers working for administrative bodies or pension funds, or institutions working for administrative bodies or pension funds where processing health and sex life data is necessary for:

  • the implementation of the provisions of laws, pension regulations, or collective agreements that create rights dependent on the health or sex life of the data subject; or
  • the reintegration of or support for workers or persons entitled to a benefit in connection with sickness or work incapacity.

In a commentary on the draft regulations, Bowmans says the limitation on the scope of the regulations to employers who are “working for administrative bodies or pension funds” is a departure from the previous draft – released about a year ago – that applied to “employers” in the wide sense.

Nadine Mather, a partner, and Chloë Loubser, a knowledge and learning lawyer at the law firm, questioned the rationale behind this narrow scope, suggesting that limiting the application to employers working for administrative bodies or pension funds only does not align with the provisions of POPIA and leaves a considerable gap in the regulation of many employers who routinely process health data.

They observed that the recognition of employers as an independent category of responsible party is reflected in Regulation 5, suggesting that the reference in Regulation 3 might be a drafting error.

Authorisations for processing and consent requirements

The draft regulations provide that where a responsible party has determined that it is necessary to process a data subject’s health or sex life information to implement a law, regulation, or collective agreement, and where the responsible party seeks to rely on section 11(1)(f) of POPIA because consent cannot be obtained, that party must first conduct a Legitimate Interest Assessment (LIA). The draft regulations further provide that responsible parties or third parties processing such information for the purpose of protecting a data subject’s legitimate interests, or pursuing their own legitimate interests, must conduct an LIA.

Lucinda Botes, a senior associate at PPM Attorneys, said this approach confuses and collapses distinct authorisations for the processing of special personal information under POPIA. For example, section 32(1)(f)(i) authorises a retirement fund to process a data subject’s health information if such processing is necessary for the implementation of laws, regulations, or collective agreements that create rights dependent on the data subject’s health. The authorisation is already expressly provided in section 32(1)(f)(i). Therefore, there is no need to consider legitimate interest or consent as an authorisation to process the information. Requiring the retirement fund to seek consent first, and, if it fails, to justify the processing through legitimate interest is redundant.

“By introducing ‘consent’ into this context, the draft regulations risk creating the impression that consent must always be sought first, and that if it is not obtainable, a responsible party may then consider ‘legitimate interest’. In our view, this misrepresents POPIA’s framework because section 32(1)(f)(i) is the correct and only sufficient authorisation required,” Botes said.

Concerns regarding the Legitimate Interest Assessment

The inclusion of “legitimate interest” in the draft regulations is also problematic, Botes said, because POPIA does not recognise “legitimate interest” as an authorisation to process special personal information.

Section 26 of POPIA prohibits processing special personal information, which includes health and sex life information. Section 27 provides for general authorisations to process special personal information, which are limited to:

  • consent;
  • processing necessary for the establishment, exercise, or defence of a right or obligation in law;
  • processing necessary to comply with an obligation of international public law;
  • processing for historical, statistical, or research purposes to the extent that it serves a public interest and subject to certain safeguards;
  • information deliberately made public by the data subject; or
  • compliance with the specific provisions of sections 28 to 33.

For example, section 32 of POPIA sets out a list of specific authorisations that apply to health or sex life information in particular circumstances, such as an insurance company processing medical information for assessing insurable risk.

Botes said “legitimate interest” in section 11(1)(f) applies only to ordinary personal information and is not extended to special personal information. By introducing legitimate interest as a lawful basis for processing health or sex life information, the draft regulations expand the list of authorisations beyond what is enacted in POPIA. This has several implications in that:

  • it creates a new ground for lawful processing of special personal information that is not authorised by POPIA;
  • it dilutes the higher standard of protection that POPIA purposefully affords to special personal information, undermining POPIA’s careful distinction between ordinary and special categories of personal information; and
  • it risks creating regulatory uncertainty.

In summary, Botes said, the regulations create uncertainty by collapsing legal obligation, consent, and legitimate interest into a single blended framework and by introducing “legitimate interest” as an authorisation for processing health and sex life information, a ground POPIA does not contemplate.

Cross-border transfers of data

The draft regulations address the transfer of health or sex life information beyond South Africa’s borders.

Bowmans said the draft regulations suggest that responsible parties may rely on any of the grounds listed in section 72(1) of POPIA to transfer health or sex life information outside of South Africa – for example, adequate level of protection by way of law, binding corporate rules or a data transfer agreement, consent, or necessity for the performance of a contract.

However, Mather and Loubser said the draft appears to overlook section 57(1)(d), which requires prior authorisation from the Regulator before transferring special personal information to a country that does not provide an adequate level of protection. Practically, section 57(1)(d), read together with section 72, means that unless the responsible party relies on the existence of an adequate level of protection to enable the cross-border transfer of health or sex life information, it must still obtain prior authorisation from the Regulator to effect such transfer.

Instead, they said, the regulations appear to focus on data subject notification in the event of a cross-border transfer. In this regard, responsible parties must notify data subjects of intended transfers and the level of protection afforded to their information, unless (i) the data subject has consented, or (ii) the transfer is in their legitimate interests.

Both carve-outs raise questions, according to Mather and Loubser. For consent, notification to the data subject would ordinarily be a precondition to obtaining valid consent, creating a circular requirement. For legitimate interests, the wording departs from section 18(4)(b) of POPIA, which allows for the notification to be dispensed with if it would not prejudice the legitimate interests of the data subject. The proposed wording instead frames it as sufficient that the transfer is in the data subject’s legitimate interests.

They said these provisions also arguably go beyond what is contemplated by the POPIA provisions, which are intended to clarify the grounds for processing as applicable to certain categories of persons, not to introduce (or dispense with) notification requirements for cross-border transfers.

Retention and destruction of records

Regarding the management of records, the draft regulations stipulate that subjects’ health and sex life data must be managed and retained in line with the provisions of POPIA, the National Health Act, Protection of Personal Information Act, and National Archives of South Africa Act.

If a policy, employment contract, or other relevant agreement is rejected or terminated, a responsible party is mandated to destroy the data subject’s health or sex life information as soon as is practicable.

The draft regulations restate the requirements of section 14 of POPIA when it comes to the retention of records.

Health or sex life information must not be retained for any longer than necessary to achieve the purpose for which it was collected, unless:

  • a retention period is required by a law or contract;
  • the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
  • the data subject or a competent person has consented to storage for a defined period; or
  • where the information is processed for historical, statistical, or research purposes, subject to safeguards preventing further use.

Once retention is no longer justified, records must be destroyed, deleted, or de-identified in a manner that prevents reconstruction in intelligible form.

Bowmans advises that responsible parties should ensure that policies and processes are in place not only to manage retention periods but also to evidence secure and timely disposal of health or sex life information.

Comments on the draft regulations must be submitted to the Regulator’s chief legal officer, Jaco Jansen, at JJJansen@infoRegulator.org.za.

Disclaimer: The information in this article is a general guide and is not intended as a substitute for professional legal advice.