Contact

The digitisation of healthcare: Privacy and data protection considerations

Back to top

The digitisation of healthcare: Privacy and data protection considerations

In recent years and accelerated by the COVID-19 pandemic, the number of digital health businesses or virtual health offerings has significantly increased globally and in South Africa.The digitalisation of healthcare poses interesting legal questions. Digital health businesses should consider, amongst other things, the privacy and data protection legal paradigm applicable to their businesses, including the Protection of Personal Information Act 4 of 2013 (POPIA).

23 Jun 2021 4 min read Healthcare & Pharmaceuticals Alert Article

At a glance

  • The increase in digital health businesses globally and in South Africa raises legal questions regarding privacy and data protection, particularly under the Protection of Personal Information Act (POPIA).
  • Digital health businesses process special personal information, such as health data, which is highly regulated under POPIA. Processing such information requires consent from data subjects, obtained freely, specifically, and with informed consent.
  • Data security is crucial for digital health businesses, and they must take appropriate technical and organizational measures to secure the integrity and confidentiality of personal information. They should also follow generally accepted information security practices and procedures. Data sharing and transferring must be done with the data subject's consent and appropriate measures to ensure data integrity.

What is “digital health”?

Although there is no legislative definition of “digital health”, the Department of Health (DoH) has adopted the World Health Organisation’s definition as set out in the DoH’s National Digital Health Strategy document: “The field of knowledge and practice associated with any aspect of adopting digital technologies to improve health, from inception to operation”. “Digital health” is therefore understood to be an umbrella term which incorporates, amongst other things, e-health, telemedicine, and telehealth (to name a few).

Processing special personal information

By its very nature, digital health businesses will process health data which is regarded as “special personal information” in terms of POPIA. The processing of special personal information is highly regulated in POPIA.

The point of departure is that a responsible party may not process the special personal information of a data subject i.e., there is a general prohibition against such processing, unless it falls within the scope of authorisation provided under sections 26 – 33 of POPIA. Although there are other potentially relevant legal bases to process special personal information health information may be processed by a responsible party with the consent of a data subject. Consent, under POPIA, means “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. The five key elements to be addressed in obtaining consent are that consent must be:

  • freely given – the data subject must not be pressured into giving consent or suffer any detriment if they refuse;
  • specific – the data subject must be asked to consent to individual types of data processing with full information as to what their personal information will be used for;
  • informed – the data subject must be told what they are consenting to;
  • unambiguous – the language must be clear and simple; and
  • clear affirmative action – the data subject must expressly consent by doing or saying something.

This consent must be obtained when the responsible party (digital health business) processes the data subject’s personal information or as soon as possible thereafter. For example, where one downloads an app such consent should be obtained upfront and prior to the collection of any special personal information.

Data security

Due to the sensitive nature of health information, digital health businesses must ensure that such information is secure.

POPIA requires that a responsible party secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information. In order to give effect to this, the responsible party must take reasonable measures to (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; (b) establish and maintain appropriate safeguards against the risks identified; (c) regularly verify that the safeguards are effectively implemented; and (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

A digital health business must also have regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of the healthcare industry or professional rules and regulations.

Data Sharing and Transferring

POPIA requires that data subjects must be made aware and should agree to their special personal information being shared with third parties. If health information is shared with a third party or hosted outside of South Africa, consideration must be given to section 72 of POPIA, which amongst other things, requires that the data subject consents to sharing their information and that the responsible parties take appropriate measures to ensure that the third party has measures in place to secure the integrity of the data. Digital health businesses must also apply for prior authorisation from the Information Regulator should the transfer of special personal information (health information) be to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information as referred to in section 72.

Conclusion

Data subjects must be confident that their rights to privacy and confidentiality are respected and upheld, and that the information they share with digital health business is kept safe and secure. This is why it is crucial that providers of digital health consider privacy and data protection concerns before deploying a digital heath platform to customers. Non-compliance with the data protection obligation imposed by POPIA could attract severe liabilities including financial penalties.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

9 Nov 2023

by Alex Kanyi, Brian Muchiri, Kevin Kipchirchir and Billy Oloo

Salient features of the Kenya-Singapore bilateral investment treaty

The Kenya-Singapore Bilateral Investment Treaty (BIT” came into force on 20 August 2023, five years after it was signed in 2018.

Tax & Exchange Control

9 min read

27 Jun 2023

by Bridget Witts-Hewinson

Navigating the compliance and regulatory requirements of going solar: Have you got it all covered?

As the frustration of loadshedding grows, so does the interest in alternate means of keeping the lights on. From convenience and lower long-term costs to tax incentives, there are a multitude of factors encouraging South Africans to consider alternative means of keeping the lights on.

Real Estate Law

4 min read

4 Jul 2023

by Liëtte van Schalkwyk, Anja Hofmeyr and Alex de Wet

Overview of the (r)evolution of legislation governing the use of cannabis: Where to from here?

Cannabis has been a hot topic in the media and bold statements have been made by the Government regarding the economic potential that the cannabis sector can unlock in the country. President Cyril Ramaphosa has referred to the potential revenue that could be created in the sector on two separate occasions during his annual State of the Nation Address. It has also been highlighted that industrial hemp and cannabis will create a pathway to industrialisation by having a ripple effect through to various other sectors such as foreign investment, agriculture, employment and construction. Although the Government’s stated intention to relax and review policies that hinder the growth of the industry is appreciated, South Africa is at a crossroads when it comes to competing with international cannabis industries developed within a regulatory framework.

Dispute Resolution

6 min read

25 Mar 2024

by Hugo Pienaar and Leila Moosa

Understanding Strikes in South Africa: Insights for Employers

As South Africa grapples with a surge in industrial action and violent strikes, it is imperative for employers to stay abreast of South Africa's labour laws to mitigate risks effectively and to safeguard their interests.

Employment Law

18:31 Minutes

31 Oct 2023

What is the status of parental leave?

The parental leave provisions of the Basic Conditions of Employment Act 75 of 1997 were declared invalid because of inconsistency with the Constitution. The declaration of invalidity is suspended for two years to allow Parliament to remedy the defect. The Court has provided interim relief by amending the legislation to provide all parents 4 consecutive months' parental leave collectively. However, the Constitutional Court has to make the final decision on whether the order of invalidity is confirmed before it has any force. Watch our webinar discussion on the impact of this judgment and the way forward.

Employment Law

35:08 Minutes

31 May 2023

by Susan Meyer and Ntobeko Rapuleng

”Yes, I can tell you watt to do”: Competition Tribunal confirms jurisdiction over electricity supply excessive pricing complaints

Cape Gate (Pty) (Ltd) (Cape Gate) lodged a complaint with the Competition Commission of South Africa (Commission) against the Emfuleni Local Municipality (ELM), the National Energy Regulator of South Africa (NERSA) and the Gauteng Provincial Government.

Competition Law

3 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline