HIPAA South Africa: The Protection of Personal Information Act
“HIPAA South Africa” is formally known as the Protection of Personal Information Act No. 4 of 2013 (“POPI”). This Act is essentially South Africa’s equivalent of the European Union’s General Data Protection Regulation (GDPR). Differences between HIPAA South Africa and HIPAA are discussed below.
“HIPAA South Africa”: What is the Protection of Personal Information Act?
In 2013, South Africa passed the Protection of Personal Information Act (POPI). Although POPI predates the GDPR, POPI is often referred to as South Africa’s GDPR equivalent. The goal of the POPI Act is to protect data subjects from security breaches, theft, and discrimination. Under POPI, processing of personal data of South Africans is subject to regulation. Specifically, South African data processors must follow eight principles, which are intended to bolster the security of personal data.
Whom Does POPI Regulate?
POPI regulates data processors and responsible parties who are either:
◈ Domiciled in (resident in) the Republic of South Africa; or
◈ Domiciled elsewhere, but who make use of “automated or non-automated means” in South Africa.
◆ “Automated” refers to the use of equipment that processes information automatically, according to a data processor’s instructions.
What Does POPI Regulate?
POPI regulates the use of personal information by a business. POPI defines “personal information” as:
◈ Information relating to an identifiable, living, natural person, and
◈ Where applicable, an identifiable, existing juristic person.
◆ A juristic person is a non-human entity – in other words, an organization that is not a single, natural person, but is instead granted duties and rights by law, recognized as a legal person, and treated as having a distinct identity.
Who is Exempt from POPI?
POPI exempts certain data from its regulation. This data includes:
◈ Data that is processed for personal reasons
◈ Data that is de-identified and cannot be re-identified
◈ Data processing by or for a public body relating to:
◆ National security;
◆ Law enforcement; or
◆ The justice system.
◈ Data processed by a province’s Cabinet and committees or Executive Council
What are POPI’s Eight Conditions for Lawful Processing?
The eight conditions for lawful processing under POPI include:
- Accountability
- Processing limitation
- Purpose specification
- Further processing limitation
- Information quality
- Openness
- Security safeguards
- Data subject participation
Condition 1: Accountability
Condition 1, “Accountability,” requires data processors to be held accountable for violations of the law as a result of improper data processing.
Condition 2: Processing Limitation
This condition places strict controls on what it means to “lawfully process data.” Under this condition, data processors are required to:
◈ Process data in a way that does not infringe the data subject’s privacy
◈ Process only relevant data with a given purpose
◈ Obtain consent from the data subject before processing (and keep proof of consent)
◈ Protect the legitimate interest of the data subject
◈ Allow data subjects to object to processing and/or withdraw consent at any time
◈ Stop processing data after an objection or withdrawal of consent
Condition 3: Purpose Specification
This condition requires that a data processor detail its reasons for data collection. Data collection must be for a specific, explicitly defined, and lawful purpose, and data processors must be aware of this purpose. In addition, once data processors no longer need records for processing, they no longer have the right to keep those records, unless required to do so by law. Records which data processors no longer have a right to keep must be destroyed, deleted, or de-identified, rendering the data irretrievable.
Condition 4: Further Processing Limitation
This condition specifies how a data processor can and cannot process data. Data may only be processed in a manner that is compatible with the stated purpose of the data collection.
Further processing – beyond the stated purpose – is permitted when:
◈ The data subject consents
◈ The information comes from public records
◈ The law requires further processing
◈ The processing is related to national security
Condition 5: Information Quality
This condition requires data processors to take measures to ensure that the data they collect and then process is accurate and complete.
Condition 6: Openness
Under this condition, data processors must maintain detailed documentation of all processing activities. In addition, data processors must let data subjects know when processors collect information. Processors should inform subjects about the following:
◈ Where the processor collects information
◈ The source of the processor’s information
◈ The processor’s name and address
◈ Why the processor is collecting the data
◈ Whether the collection is voluntary or mandatory
◈ What happens if the data subject doesn’t provide their data
◈ Which laws allow for data to be collected
Under this condition, data processors must establish privacy policies that share their data processing practices, in detail. Condition 6 bears a resemblance to the HIPAA Privacy Rule’s requirements to implement Notices of Privacy Practices; to make an accounting of disclosures; and to obtain, when required, written authorization.
Condition 7: Security Safeguards
Condition 7 requires data processors to employ “appropriate, reasonable technical and organizational measures” designed to prevent both unlawful access to, and the loss or damage of, personal information. Condition 7 is the South African equivalent of the HIPAA Security Rule. It requires performing a risk assessment; ensuring safeguards are maintained; verifying the effectiveness of the safeguards; and updating the safeguards as new deficiencies or risks emerge.
Condition 8: Data Subject Participation
Condition 8 spells out the rights of data subjects. Data subjects have the right to:
◈ Access their personal information (this is equivalent to the HIPAA Privacy Rule right of access); and
◈ Request corrections to their record when the data is out of date, incomplete, inaccurate, excessive, or obtained unlawfully. Upon receiving such a request, the processor must act on it within a reasonable timeframe.