The complexity of personal information in the healthcare sector is actually staggering,” said Rosalind Lake (Norton Rose Fulbright director). “The consequences are also far more serious. “On the dark web you can buy someone’s credit card details for about $15. Medical records go for about $800, upwards to $3 000. Why? When your credit card gets stolen you know pretty quickly.

In a world where data is currency, you have to show people that you care about it.

“You phone your bank and tell them to stop the card. So, the criminals don’t get very far with your credit card. With your healthcare information it can be years before you know they’ve got it. They could be putting in fraudulent claims to your insurance; they have detailed history of your entire life, where you’ve lived, your health claims, and various other things. But think about the harm in the world of genomes and smart medical devices. If my medical file is leaked and I’ve got a smart pacemaker, a smart cochlear devise, a smart insulin pump, someone can remotely kill me.

“So, if you think you’ve heard about the Protection of Personal Information (PoPI) Act before, you need to think about it differently,” warned Lake. “People don’t think about personal information as what it actually is, it’s an asset, it’s your asset, and you need to trust someone with that. If you change your mind set about it and you start thinking about personal information and data as an asset that belongs to your patient, you might think a little differently about the obligations you have under data privacy laws.

“The other misconception [many people] have is that medical records are just wanted by hackers,” said Lake. “And while they certainly are, in the majority of situations where medical records are leaked or incorrectly disposed of it’s because you don’t have protocols in place, it’s because people aren’t trained properly, it’s because someone leaves a file on a train, or talks about someone in a lift – those are the circumstances that get people in trouble the world over.”


  • It has been partially in force since 2014
  • There is an Information Regulator (chairperson: Pansy Tlakula) established as of December 2016
  • Regulations published in December 2018
  • The effective date is still to be determined by the President
  • Will have one year from the effective date to comply.

“What’s important to know is that GDPR (General Data Protection Regulation) came into effect last year,” warned Lake. “This is a European directive and it affects any European citizen no matter where they are in the world. So, you may think that you don’t have current data privacy obligations, but you may be dealing with someone who is already protected. And the penalties under GDPR, for organisations all over the world, have been far more significant than penalties we’ve seen under previous legislation. So not only is it good business, it’s also compulsory in some circumstances.”


“When PoPI comes into force, when it comes to non-compliance, you’re going to have your standard situation as you do when dealing with any regulator investigating. You’re going to have infringement notices, enforcement notices and investigations,” said Lake. “You also have the possibility of criminal prosecution. PoPI says up to 10 years imprisonment as a maximum. It’s pretty serious. Luckily, they’ve capped the administrative fine at R10m, so it’s not a percentage of turnover, which can be far more significant.

“When it comes to civil liability, unlike other regulators like the consumer commission and competition commission, what PoPI does is it says you can as an individual who has been harmed go directly to court, you don’t have to wait for the information regulator to investigate your complaint (that’s what’s held up things in the consumer commission). There is strict liability for certain contraventions and there is also specific provision made for aggravated damages in PoPI. It recognises that breach of privacy is often not quantifiable. It’s very difficult to quantify the harm that will result. PoPI specifically mentions hurt feelings and sadness.

“But the biggest consequence of non-compliance is reputation, or rather reputational damage. Once you’ve lost trust, there’s just no coming back from that. In a world where data is currency, you have to show people that you care about it.”


“Firstly, it’s far broader than you think it is,” said Lake. “Personal information goes beyond identifying details. It includes opinions and views of or about a person. Under PoPI it can identify a living natural person or a juristic person. You need to think about that. Have you considered your suppliers and service providers as people who have personal information? And, remembering that personal information is an asset and a currency do you trust your staff with that information?


The purpose of PoPI is to regulate the processing of personal information by public and private bodies. Processing refers to the collecting of it, the storing, using, retrieving, retaining, and destroying of it. “What PoPI says is generally we have to respect the right to privacy,” explained Lake. “You have to regulate how you process and how you look after information.” In order to do so PoPI sets out eight conditions for lawful processing:

1. The responsible party is accountable
2. Processing must be lawful, reasonable and justified
3. Processing must have a specific purpose
4. Further processing must be compatible with the original purpose
5. Information must be accurate and up to date
6. The data subject must be aware of the processing
7. Appropriate and reasonable security safeguards must be in place
8. Data subjects may request access, correction and deletion.


“Health information and personal information of children is considered special personal information and a higher standard applies,” said Lake. PoPI specifically allows processing of health information by medical professionals, healthcare institutions, or facilities, or social services, if necessary, for:

  • The proper treatment and care of the data subject.
  • Administration of the institution or professional practice concerned.


“If you haven’t already, it’s time for you to think about what personal information you hold,” said Lake recommending you ask yourself the following questions:

  • Why do you have the information?
  • What else do you use the information for?
  • How do you secure the information?
  • How do you dispose of the information?
  • Do data subjects know what you do with their personal information?
  • Do you transfer personal information to third parties? If so, are they our operators, are they in SA?
  • Consent clauses: Are you asking for consent where you don’t need it? Where you do need consent, is it valid under PoPI? “As much as some people complain about PoPI, it is a rational piece of legislation,” said Lake.

“It’s a risk-based analysis. It’s reasonable and practical measures. It’s sensible and takes a pragmatic approach. You don’t need to be afraid of PoPI but you do need to know what information you have and what you’re doing with it.”