New regulations under the Protection of Personal Information Act (POPIA) set out how certain organisations must process personal information relating to individuals’ health.
The Regulations Relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 were published by the Information Regulator in Government Gazette No. 54268 on 6 March 2026 and came into effect on the same day.
The regulations were issued under section 112(2)(c) of POPIA and are intended to assist organisations in interpreting section 32(6) of the Act, improve transparency for data subjects, and provide a framework for enforcement by the Information Regulator.
The regulations apply to the processing of health information by the following categories of responsible parties:
- insurance companies,
- medical schemes,
- medical scheme administrators,
- managed healthcare organisations,
- administrative bodies,
- pension funds,
- employers, and
- institutions acting on behalf of employers, administrative bodies, or pension funds.
Within the regulations, references to “responsible parties” are confined to these listed entities.
Definition of health information
The regulations define health information as personal information relating to a data subject’s physical or mental health. This includes information arising from the provision of healthcare services, as well as testing, treatment, or diagnosis that reveals a person’s health status.
Processing of special personal information
The regulations reiterate that responsible parties may not process special personal information – including health information – unless the processing is permitted under section 27 of POPIA.
Section 27 generally prohibits the processing of special personal information, subject to certain exceptions set out in the Act.
Safeguards and security measures
Responsible parties that process health information must implement appropriate technical and organisational safeguards to protect the information in their possession or under their control.
These safeguards must prevent:
- loss or damage to health information,
- unauthorised destruction of the information, and
- unlawful access to or processing of the information.
The regulations also require measures to ensure the security and confidentiality of both physical and electronic health records, together with procedures for securely disposing of records so that they cannot be accessed or disclosed once discarded.
Processing must also be subject to a duty of confidentiality imposed by law, employment, profession, office, or written agreement.
These measures must align with generally accepted information security practices relevant to the responsible party’s sector or industry.
Cross-border transfers
Health information may not be transferred to a third party in a foreign country unless the requirements set out in section 72(1) of POPIA are satisfied.
Section 72 regulates the transfer of personal information outside South Africa and sets conditions for when such transfers may occur.