GUEST EDITORIAL

 

The Protection of Personal Information Act: Its effect on Clinical Practice and Health Research

 

 

Healthcare is a highly regulated field of human activity and with good reason. Its structure and delivery relies heavily on information and processes that are highly complex and often of a technical, scientific nature. These present risks that are unique to the healthcare sector. To ensure the safety and quality of treatment interventions that directly affect the lives and wellbeing of patients and communities, specific laws and regulations are required.

However, one must never lose sight of the fact that healthcare is, first and foremost, personal. As such, regard must be had to its effect on the individual, particularly where personal rights and freedoms intersect with collective interests. Our Constitutionally enshrined right to privacy is such a right.

In recognition of the importance of upholding and enforcing this right in practical ways, the Protection of Personal Information Act, 2013 (POPIA) was introduced in South African law.¹ Originally enacted in 2013 (following lengthy drafting and public participation), POPIA has recently been placed in full operation as SAs flagship data privacy legislation. With effect from I July 2021², virtually all remaining sections of this data privacy law have been brought into operation, causing all stakeholders and the public at large to pause and reflect on what this means for them, personally, and for their businesses.

The general point of departure under POPIA is that 'personal information' - that is, information relating to identifiable, living, natural persons and certain juristic persons (called data subjects) -has value and is worthy of protection. The way in which personal information is processed (referring to the complete operational lifecycle of activities performed in connection with personal information) is now subject to eight conditions for lawful processing³, fleshed out in detail in Chapter 3 of POPIA. A primary statutory requirement is that information processing must be done lawfully, reasonably and justifiably, having regard to its purpose⁴.

On first inspection and from a healthcare perspective, POPIA reaffirms existing legislative provisions dealing with confidentiality and disclosure of health information. Where existing laws provide greater protection for personal information, these will prevail over POPIA in cases of conflict⁵. Therefore, the current regime governing access to health information remains relevant.

For at least 16 years, the National Health Act, 2003 (NHA)⁶ has been the primary statute dealing with issues pertaining to access to and disclosure of personal health information and related privacy aspects. Chapter 2 of the NHA canonises the rights and duties of health users and healthcare personnel and has specific provisions dealing with confidentiality of patient health information, access to health records and consent to disclosure of health information pertaining to patients⁷.

These provisions are echoed in other relevant legislation such as the Health Professions Act, 1974. For registered health practitioners, further interpretive guidance is to be found in the Health Professions Council of South Africa's Guidelines for Good Practice series (in particular, Booklets 5 and 9 dealing with confidentiality and patient records respectively).

It goes without saying that, just as the NHA recognises confidentiality as fundamental to the practitioner-patient relationship, so does POPIA. Express recognition is given in POPIA to the sensitive nature of personal information pertaining to one's health or sex life.⁸Additional safeguards are introduced to ensure that all processing of personal health information is done in accordance with a legally enforceable obligation towards confidentiality, irrespective of one's employment, status, or profession⁹.

Two aspects require further clarification in the healthcare context.

First, POPIA only applies to information that is 'personal information' as defined. If the information does not relate to living, identifiable persons or has been de-identified in a manner that precludes identification of the underlying data subjects, then POPIA does not apply. There is scope within the data processing activities of health practitioners - be they with a view to treatment of patients or in conducting clinical research - to limit the amount of identifiers used so as to remove the information from the purview of POPIA.

Even where that is not the case, processing of personal information will be regarded as lawful where, for example, consent to that processing has been obtained from the data subject or where it is reasonably required to give effect to a contract between the parties. Both of these elements routinely form part of healthcare delivery. Informed consent as a process, envisaged by the NHA and other health laws, already requires that practitioners and their patients engage with one another regarding the informational aspects of treatment. Part of that discussion (and the documentation which records it) could accommodate consent to processing of health information¹¹.

A second consideration directly related to the above is whether, in fact, consent or contract fulfilment should serve as the lawful basis for information processing in certain settings. While inherently desirable as a means of establishing the lawfulness of certain processing, it is significant that consent in terms of POPIA may be withdrawn at any time. This presents challenges in a healthcare environment which is fast-paced and often involves decisions and communications that are time-sensitive. It is far better for healthcare service delivery if the processing of personal information did not need to rely on consent as its lawful basis but rather, on another recognised ground set out in POPIA¹².

To illustrate: where personal health information is processed as part of clinical research and reporting thereon (including publication), this is permissible and indeed provided for under Section 27 of POPIA. Consent of the data subject is not required, provided that processing is done solely for historical, statistical or research purposes and serves the public interest¹³. A practitioner who processes personal health information on this basis would, however, bear the responsibility of proving that fact, and that there are nevertheless sufficient Guarantees in place to ensure that the rights of the data subjects have not been disproportionately affected by processing on this basis.

For situations where personal health information is initially collected and used for one purpose (such as treatment) but later re-purposed and processed for another (for example, as part of research), ordinarily one would require a data subject's additional consent to such further processing. However, POPIA does provide that in instances where this is done for historical, statistical or research purposes, the further processing of that information is deemed to be compatible with its original purpose of processing - provided that the sole purpose is research (or historical or statistical) and any publication of the information is done in an unidentifiable form¹⁴.

What these provisions of our new data privacy law demonstrate is that, despite the pre-existing awareness among health practitioners of the important ethical imperative to safeguard confidential health information which comes into their possession by virtue of their professional role and activities, what the law now requires is a renewed mindfulness towards privacy, and a recognition of the inherent value of one's personal information. That value, which each one of us possesses, is deserving of protection.

Future developments with regards to the implementation of POPIA's standards in practice, including in the healthcare sector, should serve not only to underline the right to privacy enjoyed by all healthcare users, but should also be aimed at bolstering patient autonomy as an expression of the equally relevant right to bodily integrity. Deciding what happens to information about one's personal health and how it may be processed by others is an integral part of that right.

Webber Wentzel^*

Justin.Malherbe@webberwentzel.com

 

SOURCES

1. South Africa. Constitution of the Republic of South Africa 108 of 1996. Available from https://www.gov.za/sites/default/files/images/a108-96.pdf        [ Links ]

2. South Africa. Protection of Personal Information Act No 4 of 2013. Available from https://www.gov.za/sites/default/files/gcis_document/201409/3706726-11act4of2013protectionofper-sonalinforcorrect.pdf        [ Links ]

3. South Africa. National Health Act No 61 of 2003. Available from https://www.gov.za/sites/default/files/gcis_document/201409/a61-03.pdf        [ Links ]

4. South Africa. Health Professions Act 56 of 1974. Available from https://www.hpcsa.co.za/Uploads/Legal/legislation/health_professions_ct_56_1974.pdf        [ Links ]

5. Health Professions Council of South Africa HPCSA Guidelines for Good Practice https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf        [ Links ]

6. Health Professions Council of South Africa. Confidentiality: Protecting and Providing information, Booklet 5. 2016. Available from https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf        [ Links ]

7. Health Professions Council of South Africa. Guidelines on the Keeping of Patient Records, Booklet 9. 2016. Available from https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf        [ Links ]

 

 

* Corresponding Author: Justin Malherbe - Senior Associate attorney
1 Act 4 of 2013.
2 Per the commencement notice (Government Gazette Proclamation No R.21 of 2020) read together with section 114(1), all processing of personal information must confirm to POPIA within one year of commencement, which was on 1 July 2020.
3 See Section 4.
4 See Sections 9 and 11.
5 Section 3(2).
6 Act 61 of 2003.
7 See Sections 14to 17 of the NHA.
8 Section 26 of POPIA.
9 See Section 32.
10 Per Sections 3 and 6.
11 With reference to obtaining informed consent for research with human participants, the applicable regulations already provide that this must include a discussion and disclosure of-the extent to which confidentiality and privacy of information gathered in that process will be maintained.
12 See Sections 11 and 27.
13 POPIA does not define public interest. In a recent Guidance Note published by the Information Regulator, public interest is described as a wide and diverse concept that varies across jurisdictions and should be assessed on a case-by- case basis. It encapsulates the notion that an action, process or outcome should widely and generally benefit the public at large, as opposed to a few or a single entity or person.
14 See Section 15.