The POPI Bill and medical schemes

01 November 2013 Heidi Kruger, Board of Health Care Funders

The final version of the Protection of Personal Information Bill (POPI) was adopted by the National Assembly during August of this year. Once the President has signed it, and accompanying regulations have been drafted, it will be implemented.

Since compliance with this Act will be onerous for many, it is envisaged that a one- to three-year period will be allowed for full compliance.

Impacting the medical industry

The POPI Act, which will apply to both the public and the private sector, will give effect to the constitutional right to privacy and will regulate the processing, collection, storage and disclosure of personal information. It applies to all information with the exception of that which is truly anonymous.

Within the medical schemes context, the collection of information revolves around three main parties: the data subject, which would mean the member or beneficiary; the responsible party, which would invariably be the medical scheme; and the operator, which would pertain to an administrator or managed care company.

Eight conditions for compliance

The Bill contains eight conditions for processing of personal information. All eight of these will have a bearing on the way in which medical schemes collect, store and disseminate information on their members.

A brief summary of these eight conditions follows:

Accountability - this requires that the responsible party complies with the conditions for lawful processing of personal information.
Processing limitation - while special limitations apply to the collecting of health information and information pertaining to children, this condition essentially requires that the information must be collected in a reasonable manner and must not infringe privacy. The information pertaining to children and health falls into the category of special information for which special permissions are required.
Purpose specification - this condition states that personal information may only be collected for specific, explicitly defined and lawful purposes related to the functions or activities of the responsible party, in this case the medical scheme. This condition includes aspects of record-keeping and the amount of time that data may be retained.
Further processing limitation - this condition revolves around the provision that any further processing of personal information must be compatible with the original purpose of collection.
Information quality - the medical scheme is required to take all reasonable and practicable steps to ensure that the personal information is up to date, complete, accurate, and not misleading.
Openness - medical schemes are required to maintain the information prescribed in all processing operations. In addition, the medical scheme has a duty to ensure that the member is aware that personal information is being collected, the source and purpose of collection, and the recipients of the personal information.
Security safeguards - medical schemes are required to secure the integrity and confidentiality of the information and to take appropriate measures to prevent loss, unlawful access and unauthorised destruction of the data. In addition, medical schemes may be expected to perform risk assessments relating to the security of the data and implement safeguards against these risks.
Data subject participation - although the Bill contains some grounds for refusal, medical scheme members may, under this condition, request confirmation from the medical scheme as to the description of the personal information held and to whom the personal information has been disclosed. Members may also request corrections or deletions of personal information which is inaccurate or irrelevant, in which case medical schemes would be obliged to act upon these requests.

The Bill does provide for exemption from the regulator in certain circumstances, and also bestows powers upon the regulator to step in where, for instance, data is in the public interest or where there is a clear benefit to the data subject.

While most medical schemes would generally be compliant with the provisions in this Act, once promulgated, it will almost certainly require a review of the way in which the collection, dissemination and storage of personal information is handled.
