Healthcare practices are responsible parties in terms of the Protection of Personal Information Act 4 of 2013 (POPIA) because they process the personal information of patients, medical debtors and employees, who are data subjects in terms of the act.
There are five lawful grounds for the processing of personal information that are relevant to healthcare practices, namely:
1. Is the processing necessary for the conclusion or performance of a contract? The practice can process personal information if the processing is required to conclude or perform a contract to which the data subject is a party.
2. Is the processing necessary for compliance with legislation? The responsible party can process personal information if the processing is necessary to comply with an obligation imposed by law on the responsible party. Healthcare practices are subject to a large body of legislation, as well as the ethical rules of the HPCSA, and a practice must process information to comply with these.
3. Are you protecting the legitimate interest of the data subject? The practice can process personal information if the processing protects a legitimate interest of the data subject.
4. Are you pursuing a legitimate interest of your practice or a third party? The practice can process personal information if the processing is necessary for pursuing the legitimate interests of the practice or of a third party to whom the information is supplied.
5. Do you have the consent of the data subject? The practice can process personal information if the data subject or a competent person, where the data subject is a child, consents to the processing.
The requirements of consent
The definition of consent in POPIA requires three elements to be present before the practice can rely on the consent of the data subject as a lawful ground for processing personal information:
- It must be voluntary
- It must be specific
- It must be informed.
The pitfalls of consent as a lawful ground for the processing
There is a real risk for the healthcare practice that one or more of these three elements of valid consent will be lacking. The practice needs to consider the following points before choosing to rely on consent as a lawful ground for processing information:
1. Voluntary: In some European countries, the courts are now finding that, for example, employee consent is not voluntary, because employees do not bargain on an equal footing with their employer. If processing based on consent lacks the voluntary element, the processing will be unlawful.
2. Specific: Consent can never be open-ended. The processing and its purpose must be clearly defined. General consent does not satisfy the requirement of specific consent. Consent needs to deal with the ‘what, why, how, where’ and, in each instance, whether the information will be given to anyone else.
3. Informed: The practice must be able to prove that the data subject understood how his or her personal information would be processed.
4. The burden of proof: The practice bears the burden of proving that the data subject gave voluntary, specific and informed consent to the processing of personal information.
5. Withdrawal of consent: The data subject can withdraw consent at any time, after which the practice may no longer process the information on that basis. This can lead to unworkable situations.
Because of these pitfalls, consent should be the last resort as a ground for processing personal information. The better approach is to assess which information is processed, choose one of the other lawful grounds for the processing, and then communicate to data subjects the basis on which their information is processed. This communication can take place through a website, your patient and employee forms, or the policy documents in your practice.
Kobus Wolvaardt, CEO and development strategist of GoodX Sagteware