What is “digital health”?
Although there is no legislative definition of “digital health”, the Department of Health (DoH) has adopted the World Health Organisation’s definition as set out in the DoH’s National Digital Health Strategy document: “The field of knowledge and practice associated with any aspect of adopting digital technologies to improve health, from inception to operation”. “Digital health” is therefore understood to be an umbrella term which incorporates, amongst other things, e-health, telemedicine and telehealth.
Processing special personal information
By their very nature, digital health businesses will process health data, which is regarded as “special personal information” in terms of POPIA. The processing of special personal information is highly regulated under POPIA.
The point of departure is that a responsible party may not process the special personal information of a data subject, i.e. there is a general prohibition against such processing, unless it falls within the scope of an authorisation provided under sections 26 – 33 of POPIA. Although there are other potentially relevant legal bases for processing special personal information, health information may be processed by a responsible party with the consent of the data subject. Consent, under POPIA, means “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. The five key elements to be addressed in obtaining consent are that consent must be:
- freely given – the data subject must not be pressured into giving consent or suffer any detriment if they refuse;
- specific – the data subject must be asked to consent to individual types of data processing with full information as to what their personal information will be used for;
- informed – the data subject must be told what they are consenting to;
- unambiguous – the language must be clear and simple; and
- clear affirmative action – the data subject must expressly consent by doing or saying something.
This consent must be obtained when the responsible party (the digital health business) processes the data subject’s personal information or as soon as possible thereafter. For example, where a user downloads an app, such consent should be obtained upfront and prior to the collection of any special personal information.
Due to the sensitive nature of health information, digital health businesses must ensure that such information is secure.
POPIA requires that a responsible party secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information. In order to give effect to this, the responsible party must take reasonable measures to (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; (b) establish and maintain appropriate safeguards against the risks identified; (c) regularly verify that the safeguards are effectively implemented; and (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
A digital health business must also have regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of the healthcare industry or professional rules and regulations.
Data Sharing and Transferring
POPIA requires that data subjects be made aware of, and agree to, their special personal information being shared with third parties. If health information is shared with a third party or hosted outside of South Africa, consideration must be given to section 72 of POPIA, which, amongst other things, requires that the data subject consents to the sharing of their information and that the responsible party takes appropriate measures to ensure that the third party has measures in place to secure the integrity of the data. Digital health businesses must also apply for prior authorisation from the Information Regulator should special personal information (health information) be transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.
Data subjects must be confident that their rights to privacy and confidentiality are respected and upheld, and that the information they share with digital health businesses is kept safe and secure. This is why it is crucial that providers of digital health consider privacy and data protection concerns before deploying a digital health platform to customers. Non-compliance with the data protection obligations imposed by POPIA could attract severe liabilities, including financial penalties.