Draft Regulations relating to the processing of data subjects' health or sex life by certain responsible parties in terms of Section 112(2)(c) of the Protection of Personal Information Act published on 26 September

The Draft Regulations seeks to regulate the processing of health and sex life information by certain responsible parties, such as insurers, medical schemes, pension funds and employers.  It introduces, for the first time, an explicit requirement for a Legitimate Interest Assessment ("LIA") for processing such data.

Regulation 6 requires an LIA when the responsible party has confirmed that it is necessary for it to process the health and sex life information of a data subject to implement a law, regulation or collective agreement, and where the responsible party relies on section 11(1)(f) of POPIA, and consent of the data subject cannot be obtained.

Commentary

Under section 11(1)(f) of POPIA, legitimate interest is a lawful basis for processing personal information, but not for special personal information like health data.  Processing special personal information requires additional authorisation under sections 27–33.  Therefore, while an LIA may support general processing, it cannot by itself authorise processing of health data unless another condition (e.g. section 32) applies.

The regulations appear to conflate the general lawful basis (section 11) with special authorisations under section 32 of POPIA.  By requiring an LIA as a standalone justification for processing health data, the Draft Regulations risks exceeding POPIA’s statutory scheme, which does not permit “legitimate interest” alone to legitimise processing of health or sex life information.  Furthermore, special authorisations are already granted under section 32 and the further requirement of an LIA or consent is not coherent.

The Draft Regulations correctly cites section 32(1)(f)(i)–(ii), but it extends this to include an LIA requirement, suggesting that the responsible party can rely on legitimate interest alone, which POPIA does not envisage.

POPIA does not condition section 32 processing on conducting an LIA. The Information Regulator may add procedural guidance but it cannot create a new statutory requirement not contemplated by POPIA.

We are of the view that the Draft Regulations' reliance on section 11(1)(f) for health data is misplaced and potentially ultra vires.  The LIA process (purpose, necessity, balance) is complex and more akin to the European Union's General Data Protection Regulation under Article 6(1)(f) framework, however, POPIA has never adopted a similar balancing test.

The mandate to conduct LIAs “prior to implementation” for every instance where consent is unavailable could create an onerous compliance burden on insurers, schemes, and employers.

Conclusion

Whilst the Draft Regulations is a positive step towards obtaining clarity on the processing of health data, it seems to blur the boundary between general and special personal information processing.  The Information Regulator, in our view, has exceeded its regulation-making powers by effectively creating new conditions for lawful processing.  Organisations may face conflicting interpretations of the Draft Regulations. The introduction of a mandatory LIA as a lawful condition for processing health or sex life data (absent consent) is not supported by POPIA and risks confusing responsible parties about the true bases for lawful processing, and the processing of special personal information.  We encourage organisations to submit comments to the Information Regulator on the Draft Regulations.