New PoPIA regulations on health data protection: What you need to know

Image source: feverpitched – 123RF.com

It is apparent from the final text of the Regulations that the Regulator duly considered the submissions received during the public comment period. Several provisions contained in the draft Regulations that were subject to scrutiny do not appear in the final Regulations.

Key changes to scope and purpose

One of the key changes in the final Regulations is the removal of references to sex life information. The Regulations now apply exclusively to the processing of health information.

The purpose of the Regulations has also been clarified. The final Regulations now explicitly reference section 32(6) of PoPIA, which permits more detailed rules to be prescribed concerning the application of sections 36(1)(b) and (f). The Regulations are intended to be these ‘more detailed rules’.

Sections 36(1)(b) and (f) authorise certain bodies to process personal information concerning a data subject’s health and sex life for certain specific purposes. These bodies are insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers and institutions working for them.

The Regulations contain definitions for each of these terms and apply only to those responsible parties and operators who fall within these definitions.

There is a welcome change in the reference to, and definition of, employer. The final Regulations no longer limit the concept of an employer to those ‘working for administrative bodies or pension funds’, and the definition is no longer linked to the definition contained in the Occupational Health and Safety Act, 1993.

Instead, an ‘employer’ is defined more broadly as ‘a person, company or organisation that pays others to work for them, often under their direction, in exchange for wages or a salary, forming a contractual relationship for work’.

IP Law

How PoPIA's protection extends to Pty Ltds

Ahmore Burger-Smidt and Dale Adams  22 Aug 2024

Removal of certain provisions contained in the draft Regulations

Several provisions included in the draft Regulations and which were subject to scrutiny have not been retained in the final Regulations. In particular:

• Dual-authorisation requirements and legitimate interests assessments

  The draft Regulations contained provisions that appeared to require both a specific authorisation for processing health and sex life information under section 32 of PoPIA and a lawful basis for processing under section 11(1) of PoPIA.

  In addition, where a responsible party relied on the lawful basis of legitimate interests (either that of the responsible party or the data subject), the draft Regulations introduced the requirement of a ‘legitimate interest assessment’ (LIA) to be conducted prior to the processing.

  This represented a departure from how PoPIA structures the lawful grounds for processing special personal information. These provisions have not been retained in the final Regulations.

• Requirement for a written agreement with the data subject

  The draft Regulations included a provision suggesting that any processing of health or sex life information could only take place if there was an agreement between the responsible party and the data subject.

  This appeared to be based on a misinterpretation of section 32(2) of PoPIA, which provides that health and sex life information may only be processed subject to an obligation of confidentiality by virtue of office, employment, profession, or a legal provision, or established by a written agreement between the responsible party and the data subject.

  The final Regulations now refer directly to section 32(2), recognising that a written agreement is one of several ways in which a duty of confidentiality may arise.

Law Practice

5 questions every in-house counsel should ask before implementing AI

Melissa Steele  27 Aug 2025

• Cross-border transfer notification requirements

  The draft Regulations contained detailed provisions requiring responsible parties to notify data subjects of cross-border transfers of their health information, unless the data subject had consented or the transfer was in the legitimate interests of the data subject.

  These provisions, which raised several practical questions and appeared to go beyond what PoPIA contemplates, have not been included in the final Regulations. While this is a helpful clarification, the Regulations do not address the prior authorisation requirement in section 57(1)(d) of PoPIA, which may apply in certain circumstances where special personal information is transferred outside of South Africa.

  In addition, certain provisions included in the draft Regulations relating to appropriate safeguards, including references to governance structures, ISO standards, and specific measures recommended by the Health Professions Council of South Africa, have not been retained.

  The final Regulations also no longer contain provisions dealing with the retention of records, destruction or de-identification of information, or public interest authorisation.

What remains?

In their final form, the Regulations largely reflect the existing PoPIA framework governing the processing of health information without introducing extensive additional obligations for responsible parties.

Organisations falling within the scope of the Regulations, including insurance companies, medical schemes, pension funds, administrators, employers and institutions working for them, should nevertheless familiarise themselves with the Regulations and ensure that their processing of health information remains aligned with the requirements of PoPIA.