Contact

The digitisation of healthcare: Privacy and data protection considerations

Back to top

The digitisation of healthcare: Privacy and data protection considerations

In recent years and accelerated by the COVID-19 pandemic, the number of digital health businesses or virtual health offerings has significantly increased globally and in South Africa.The digitalisation of healthcare poses interesting legal questions. Digital health businesses should consider, amongst other things, the privacy and data protection legal paradigm applicable to their businesses, including the Protection of Personal Information Act 4 of 2013 (POPIA).

23 Jun 2021 4 min read Healthcare & Pharmaceuticals Alert Article

At a glance

  • The increase in digital health businesses globally and in South Africa raises legal questions regarding privacy and data protection, particularly under the Protection of Personal Information Act (POPIA).
  • Digital health businesses process special personal information, such as health data, which is highly regulated under POPIA. Processing such information requires consent from data subjects, obtained freely, specifically, and with informed consent.
  • Data security is crucial for digital health businesses, and they must take appropriate technical and organizational measures to secure the integrity and confidentiality of personal information. They should also follow generally accepted information security practices and procedures. Data sharing and transferring must be done with the data subject's consent and appropriate measures to ensure data integrity.

What is “digital health”?

Although there is no legislative definition of “digital health”, the Department of Health (DoH) has adopted the World Health Organisation’s definition as set out in the DoH’s National Digital Health Strategy document: “The field of knowledge and practice associated with any aspect of adopting digital technologies to improve health, from inception to operation”. “Digital health” is therefore understood to be an umbrella term which incorporates, amongst other things, e-health, telemedicine, and telehealth (to name a few).

Processing special personal information

By its very nature, digital health businesses will process health data which is regarded as “special personal information” in terms of POPIA. The processing of special personal information is highly regulated in POPIA.

The point of departure is that a responsible party may not process the special personal information of a data subject i.e., there is a general prohibition against such processing, unless it falls within the scope of authorisation provided under sections 26 – 33 of POPIA. Although there are other potentially relevant legal bases to process special personal information health information may be processed by a responsible party with the consent of a data subject. Consent, under POPIA, means “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. The five key elements to be addressed in obtaining consent are that consent must be:

  • freely given – the data subject must not be pressured into giving consent or suffer any detriment if they refuse;
  • specific – the data subject must be asked to consent to individual types of data processing with full information as to what their personal information will be used for;
  • informed – the data subject must be told what they are consenting to;
  • unambiguous – the language must be clear and simple; and
  • clear affirmative action – the data subject must expressly consent by doing or saying something.

This consent must be obtained when the responsible party (digital health business) processes the data subject’s personal information or as soon as possible thereafter. For example, where one downloads an app such consent should be obtained upfront and prior to the collection of any special personal information.

Data security

Due to the sensitive nature of health information, digital health businesses must ensure that such information is secure.

POPIA requires that a responsible party secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information. In order to give effect to this, the responsible party must take reasonable measures to (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; (b) establish and maintain appropriate safeguards against the risks identified; (c) regularly verify that the safeguards are effectively implemented; and (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

A digital health business must also have regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of the healthcare industry or professional rules and regulations.

Data Sharing and Transferring

POPIA requires that data subjects must be made aware and should agree to their special personal information being shared with third parties. If health information is shared with a third party or hosted outside of South Africa, consideration must be given to section 72 of POPIA, which amongst other things, requires that the data subject consents to sharing their information and that the responsible parties take appropriate measures to ensure that the third party has measures in place to secure the integrity of the data. Digital health businesses must also apply for prior authorisation from the Information Regulator should the transfer of special personal information (health information) be to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

Conclusion

Data subjects must be confident that their rights to privacy and confidentiality are respected and upheld, and that the information they share with digital health business is kept safe and secure. This is why it is crucial that providers of digital health consider privacy and data protection concerns before deploying a digital heath platform to customers. Non-compliance with the data protection obligation imposed by POPIA could attract severe liabilities including financial penalties.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2025 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

26 Mar 2025

by Jacquie Cassette, Brigitta Mangale, Gift Xaba and Elgene Roos

Upholding human rights all year round

At CDH, we recognise the responsibility we have to promote access to justice and safeguard basic human rights.

Pro Bono & Human Rights

1 min read

13 Aug 2024

by Samantha Kelly

What are your legal obligations for obtaining an Energy Performance Certificate in respect of your property?

In 2020, the Minister of Mineral Resources and Energy published a regulation for the mandatory display and submission of Energy Performance Certificates (EPCs) for certain buildings (Regulations). The Regulations impose obligations on owners of specific non-residential buildings to obtain an EPC.

Real Estate Law

2 min read

14 Jan 2025

by Imraan Abdullah, Charles Green and Tshephang  Kekana 

Setting aside a public procurement decision on the grounds that the award exceeded the available budget

On 27 December 2024, the Supreme Court of Appeal (SCA) delivered a judgment in Zeal Health Innovations (Pty) Ltd v Minister of Defence and Military Veterans and Another ZASCA 183, that adds to the body of public procurement law jurisprudence. This particular judgment is of interest due to the grounds of review that were raised and, to a lesser extent, the court’s treatment of the services rendered by the service provider.

Dispute Resolution

6 min read

9 Dec 2024

by Tayyibah Suliman and Izabella Gutlar-Balkovic

Guidance Note on Direct Marketing

On 3 December 2024, the Information Regulator published a Guidance Note on DirectMarketing. 

Technology & Communications

1 min read

28 May 2024

by Alex de Wet

Legalities around landlords tenants and rental agreements medium

Alex de Wet, Director in Real Estate joined Simon Brown at Moneyweb where he discussed Legalities around landlords, tenants, and rental agreements.

Real Estate Law

06:36 Minutes

3 Dec 2024

by Vincent Manko, Imraan Abdullah, Kelo Seleka and Charles Green

Liability of municipal officials for unauthorised, irregular, fruitless and wasteful expenditure

Municipalities have original constitutional powers and are directly responsible for the management of their affairs. They are required to comply with the norms and standards imposed on them by national legislation. The Municipal Finance Management Act 56 of 2003 (MFMA) was enacted to “ secure sound and sustainable management of the financial affairs of the municipalities ”, and “ to establish treasury norms and standards for the local sphere of government ”. One of the ways it does this is by recognising the possibility that expenditure may not occur in a manner that illustrates sound and sustainable management and by creating liability and recovery mechanisms around that recognition to minimise financial exposure for municipalities.

Dispute Resolution

3 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline