The digitisation of healthcare: Privacy and data protection considerations

In recent years, and accelerated by the COVID-19 pandemic, the number of digital health businesses and virtual health offerings has increased significantly, both globally and in South Africa. The digitalisation of healthcare poses interesting legal questions. Digital health businesses should consider, amongst other things, the privacy and data protection legal framework applicable to their businesses, including the Protection of Personal Information Act 4 of 2013 (POPIA).

23 Jun 2021 | Healthcare & Pharmaceuticals Alert | Article

At a glance

  • The increase in digital health businesses globally and in South Africa raises legal questions regarding privacy and data protection, particularly under the Protection of Personal Information Act (POPIA).
  • Digital health businesses process special personal information, such as health data, which is highly regulated under POPIA. Processing such information requires consent from data subjects that is freely given, specific and informed.
  • Data security is crucial for digital health businesses: they must take appropriate technical and organisational measures to secure the integrity and confidentiality of personal information, and they should follow generally accepted information security practices and procedures. Data sharing and transfers must take place with the data subject's consent and with appropriate measures to ensure data integrity.

What is “digital health”?

Although there is no legislative definition of “digital health”, the Department of Health (DoH) has adopted the World Health Organisation’s definition as set out in the DoH’s National Digital Health Strategy document: “The field of knowledge and practice associated with any aspect of adopting digital technologies to improve health, from inception to operation”. “Digital health” is therefore understood to be an umbrella term which incorporates, amongst other things, e-health, telemedicine, and telehealth (to name a few).

Processing special personal information

By their very nature, digital health businesses will process health data, which is regarded as “special personal information” in terms of POPIA. The processing of special personal information is highly regulated under POPIA.

The point of departure is that a responsible party may not process the special personal information of a data subject, i.e. there is a general prohibition against such processing, unless the processing falls within the scope of an authorisation provided under sections 26 – 33 of POPIA. Although there are other potentially relevant legal bases for processing special personal information, health information may be processed by a responsible party with the consent of the data subject. Consent, under POPIA, means “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”. The five key elements to be addressed in obtaining consent are that consent must be:

  • freely given – the data subject must not be pressured into giving consent or suffer any detriment if they refuse;
  • specific – the data subject must be asked to consent to individual types of data processing with full information as to what their personal information will be used for;
  • informed – the data subject must be told what they are consenting to;
  • unambiguous – the language must be clear and simple; and
  • clear affirmative action – the data subject must expressly consent by doing or saying something.

This consent must be obtained when the responsible party (the digital health business) processes the data subject’s personal information, or as soon as possible thereafter. For example, where a user downloads an app, such consent should be obtained upfront, prior to the collection of any special personal information.

Data security

Due to the sensitive nature of health information, digital health businesses must ensure that such information is secure.

POPIA requires that a responsible party secures the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable, technical and organisational measures to prevent (a) loss of, damage to or unauthorised destruction of personal information; and (b) unlawful access to or processing of personal information. In order to give effect to this, the responsible party must take reasonable measures to (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control; (b) establish and maintain appropriate safeguards against the risks identified; (c) regularly verify that the safeguards are effectively implemented; and (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

A digital health business must also have regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of the healthcare industry or professional rules and regulations.

Data Sharing and Transferring

POPIA requires that data subjects be made aware of, and agree to, their special personal information being shared with third parties. If health information is shared with a third party or hosted outside of South Africa, consideration must be given to section 72 of POPIA, which, amongst other things, requires that the data subject consents to the sharing of their information and that the responsible party takes appropriate measures to ensure that the third party has measures in place to secure the integrity of the data. Digital health businesses must also apply for prior authorisation from the Information Regulator where special personal information (health information) is to be transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information, as referred to in section 72.

Conclusion

Data subjects must be confident that their rights to privacy and confidentiality are respected and upheld, and that the information they share with digital health businesses is kept safe and secure. This is why it is crucial that providers of digital health consider privacy and data protection concerns before deploying a digital health platform to customers. Non-compliance with the data protection obligations imposed by POPIA could attract severe liabilities, including financial penalties.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.