New regulations under the Protection of Personal Information Act (POPIA) set out how certain organisations must process personal information relating to individuals’ health.
The Regulations Relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 were published by the Information Regulator in Government Gazette No. 54268 on 6 March 2026 and came into effect on the same day.
The regulations were issued under section 112(2)(c) of POPIA and are intended to assist organisations in interpreting section 32(6) of the Act, improve transparency for data subjects, and provide a framework for enforcement by the Information Regulator.
The final regulations follow the publication of draft regulations for public comment in September 2025.
Changes from the draft regulations
According to law firm Bowmans, several provisions that appeared in the draft regulations were removed from the final version following the public comment process.
One notable change is that the final regulations apply exclusively to the processing of health information. Earlier draft regulations also referred to sex life information, but these references were removed in the final text.
Bowmans notes that the purpose of the regulations has also been clarified. The final version now explicitly references section 32(6) of POPIA, which allows the Information Regulator to prescribe more detailed rules regarding the application of sections 36(1)(b) and (f) of the Act.
These provisions authorise certain bodies to process personal information relating to a data subject’s health and sex life for specific purposes.
The regulations apply to the processing of health information by specific categories of responsible parties. These include:
- insurance companies,
- medical schemes,
- medical scheme administrators,
- managed healthcare organisations,
- administrative bodies,
- pension funds,
- employers, and
- institutions acting on behalf of employers, administrative bodies, or pension funds.
The regulations contain definitions for these categories and apply only to responsible parties and operators that fall within them.
Bowmans notes that the definition of employer has also been broadened in the final regulations. Unlike the draft version, it is no longer limited to employers working for administrative bodies or pension funds, and it is no longer linked to the definition of employer in the Occupational Health and Safety Act.
Instead, the regulations define an employer more broadly as a person, company or organisation that pays others to work for them in exchange for wages or a salary, creating a contractual relationship for work.
Definition of health information
The regulations define health information as personal information relating to a data subject’s physical or mental health. This includes information arising from the provision of healthcare services, as well as testing, treatment, or diagnosis that reveals a person’s health status.
Processing of special personal information
The regulations reiterate that responsible parties may not process special personal information – including health information – unless the processing is permitted under section 27 of POPIA.
Section 27 generally prohibits the processing of special personal information, subject to certain exceptions set out in the Act.
Safeguards and security measures
Responsible parties that process health information must implement appropriate technical and organisational safeguards to protect the information in their possession or under their control.
These safeguards must prevent:
- loss or damage to health information,
- unauthorised destruction of the information, and
- unlawful access to or processing of the information.
The regulations also require measures to ensure the security and confidentiality of both physical and electronic health records, as well as procedures for the proper disposal of records to prevent unauthorised access or disclosure after disposal.
Processing must also be subject to a duty of confidentiality imposed by law, employment, profession, office, or written agreement.
These measures must align with generally accepted information security practices relevant to the responsible party’s sector or industry.
Cross-border transfers
Health information may not be transferred to a third party in a foreign country unless the requirements set out in section 72(1) of POPIA are satisfied.
Section 72 regulates the transfer of personal information outside South Africa and sets conditions for when such transfers may occur.