Employers must conduct an immediate audit of all the employee health information they process, store or transfer, and should also review and update employment contracts, HR policies and data processing agreements to be compliant with new regulations in the Government Gazette.
Failing to do so could result in a fine and/or imprisonment of up to 10 years for serious offences, administrative fines of up to R10 million, or civil liability.
This is the warning from Cliff MacGregor, Managing Director and founding member of Inlexso, an alternative legal services provider.
He notes that the Information Regulator published new Regulations on 6 March this year relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties (the Regulations) in Notice No 7198 of Government Gazette 54268.
These Regulations are made under section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No 4 of 2013) (POPIA) and came into immediate effect on the date of publication.
Employers are explicitly named as responsible parties (ie, persons or entities that determine the purpose of and means for processing, eg, collecting, using, retaining, etc, personal information) to whom these Regulations apply and must act without delay to ensure compliance.
The definition of “employer” includes not only a company or an organisation, but also an individual who pays others to work for them, often under their direction, in exchange for wages or a salary, thereby forming a contractual relationship for work.
MacGregor says the Regulations serve three primary objectives: to assist responsible parties, including employers, to correctly interpret their obligations under POPIA; to provide greater transparency to data subjects about the manner in which their health information may be collected, used and shared; and to give the Information Regulator a clear and enforceable framework for monitoring and enforcing compliance with the rules.
Health information is considered special personal information and carries the strongest legal protection available. The Regulations introduce a defined scope of health information that extends beyond what employers may typically consider, which includes the physical and mental health of an employee; information relating to the provision of healthcare services to an employee; testing, treatment and diagnosis records; and health status disclosures.
MacGregor notes: “An employer may not collect, store, use or share an employee's health information unless at least one of the following justifications applies:
- The employee has given their permission. The employee has been clearly informed about what information will be used and why and has voluntarily agreed to it. Example: an employee signs a consent form allowing their employer to share their medical records with the company's occupational health provider.
- It is necessary to fulfil or protect a legal right or obligation. The processing is required to comply with a law, enforce a contract or defend a legal claim. Example: an employer processes an employee's injury records to comply with a claim under the Compensation for Occupational Injuries and Diseases Act (COIDA).
- It is required under international law. A binding international agreement or treaty obliges the processing. Example: a multinational employer is required to share employee health data under a bilateral social security agreement between South Africa and another country.
- It is for legitimate research or public interest purposes. The information is used for medical research, statistics or historical records that benefit the public, and asking for individual consent is not feasible, provided the employee's privacy is adequately protected. Example: an anonymised workplace health study conducted to track occupational disease trends across an industry.
- The employee made the information public themselves. The employee has voluntarily disclosed their own health information publicly. Example: an employee publicly announces their chronic illness on the company intranet to raise awareness and request reasonable accommodation.
- A specific legal authorisation applies. Certain laws specifically permit named organisations, such as insurers, medical schemes or employers to process health information for defined purposes, such as administering employee benefits or assessing fitness for work. Example: an employer processes a return-to-work medical assessment to determine whether an employee recovering from surgery is fit to resume their duties.
- The Information Regulator has granted special permission. Where none of the above grounds apply, an employer may apply to the Information Regulator for authorisation to process health information in the public interest, subject to conditions. Example: an employer requests authorisation to process employee health data as part of a government-approved workplace pandemic monitoring programme.
“For most employers, the grounds most likely to apply in practice are employee consent, legal obligations (such as labour or compensation laws) and administering employment-related health benefits,” he says.
“Employers must not assume that routine employment records, including sick notes, medical certificates, disability records or wellness programme participation data, fall outside the definition of special personal information.”
Key regulations for employers
MacGregor says employers must be cognisant of a number of key obligations:
Employers may not process an employee's health information unless one of the justifications listed above applies. Any processing of health information must be carried out under a recognised duty of confidentiality, such as a legal or statutory obligation; the nature of their role or office; the employment relationship itself, for example, an HR manager; or a written confidentiality agreement formally concluded between the employer and the relevant individual.
“It is not sufficient for confidentiality to be assumed or implied. Employers should review employment contracts, HR policies and any agreements with third-party service providers to ensure that a formal, enforceable duty of confidentiality is explicitly documented and in place before any health information is processed,” he says.
Building compliance
Employers must maintain the confidentiality, integrity and availability of all health information in their possession or under their control. In practice, this requires reasonable and appropriate technical and organisational measures in line with generally accepted information security practices.
Employers are prohibited from transferring employee health information to any person or organisation outside of South Africa unless the receiving country has adequate legal protection; the employee has consented to the transfer; the transfer is necessary to perform a contract with the employee; the transfer is necessary to perform a contract in the employee's interest; or the transfer is in the employee's interest and consent is not reasonably obtainable.
MacGregor says the Regulations prescribe specific controls that employers must put in place. These are not optional and should be embedded in internal policy and operational practices:
- Access controls. Limit access to employee health information strictly to persons operating under a formal duty of confidentiality. Implement role-based access controls on HR and health systems.
- Record security. Implement appropriate measures to protect both physical and electronic health records against loss, damage, unauthorised destruction and unlawful access.
- Secure disposal. Establish a documented process for the proper disposal of health records that prevents unauthorised use, disclosure or access to information after disposal.
- Written agreements. Ensure all employees and third-party operators who handle health information are bound by written confidentiality agreements or have a recognised legal duty of confidentiality.
- Technical measures. Implement information security practices consistent with generally accepted standards applicable to your sector, as required by section 19 of POPIA.
- Cross-border transfers. Conduct an audit of all international data transfers involving employee health information and confirm compliance with section 72(1) of POPIA before any such transfer occurs.
- Policy review. Review HR policies, employment contracts and processing agreements to embed the obligations imposed by these Regulations.
MacGregor says employers should immediately conduct audits of health information they process, store or transfer, and review and update employment contracts, HR policies and data processing agreements. They should strengthen technical and organisational security measures for health records and train staff on the handling of health information under these regulations.
“Ideally, organisations should also consult with a qualified legal professional to assess their organisation’s specific exposure and compliance requirements. Inlexso assists organisations with audits and recommendations that allow them to remain compliant, using technology to speed up turnaround times and reduce costs to the company,” he says.