Protection of Personal Information Act and its impact on the healthcare industry
As you might know, the Protection of Personal Information Act (POPIA) is a reality, and compliance by stakeholders in the healthcare industry, as in every industry, is required once the final Regulations containing the commencement date are published.
Your Scheme, the Administrator, managed care organisations and other third-party providers all need to reconsider how to process your personal information and personal health data.
Many Acts already guide us on how to protect, collect, use, store and process this sensitive data and POPIA needs to be aligned to all of these. Some shared questions across all existing Acts are:
- How is personal data defined?
- Who is accountable for the protection of your data?
- Why and how do we need to share your health data?
- What consent is required and how do we get it?
- What are we allowed to use your data for?
- Who fulfils which role and responsibilities when sharing your data?
Where do we stand?
Together with our partners and stakeholders, we have been identifying whether we are compliant in all areas. We investigated, for example:
- How we collect data and documents from you and/or your healthcare providers
- How we share information, for example with pharmacies, doctors' rooms, hospitals, call centres and managed care organisations
- How we keep your information secure and protected.
Some additional changes might be necessary in the handling and safeguarding of your information, although some were already implemented in anticipation of POPIA when we changed administrator.
The Chairperson, Adv. Pansy Tlakula, and the members of the Information Regulator have been appointed with effect from 1 December 2016 for a period of five years.
The commencement date for the operative provisions of POPIA has yet to be announced, and thereafter stakeholders in the industry will be granted a year to ensure compliance. The Scheme and Administrator, however, have started a journey towards implementing the requirements of POPIA, including requirements as set out in the equivalent European Union legislation, the GDPR (General Data Protection Regulation). We aim to have these changes implemented by the end of 2019, which means that you may see additional communication about this from us in the coming months.