Contact

Regulations relating to the processing of data subjects’ health information by certain parties

Back to top

Regulations relating to the processing of data subjects’ health information by certain parties

The Regulations are published under the Protection of Personal Information Act 4 of 2013 (the Act) and focus on the processing, security, and transfer of health information by responsible parties. The purpose of these Regulations is to assist with the interpretation of section 32(6) of the Act, enhance transparency, and provide a framework for the information regulator on enforcement mechanism for the processing of health information of data subjects as provided in section 32(6) of the Act.

9 Mar 2026 1 min read Employment Law Alert Article

At a glance

  • On 6 March 2026, the Chairperson of the Information Regulator published Regulations under section 112(2)(c) of the Protection of Personal Information Act.
  • The Regulations relate to the processing of data subjects' health information by certain responsible parties.
  • Chapters 1 to 4 are covered by the Regulations, dealing with the definitions, scope, purpose, processing of personal information by certain responsible parties, appropriate safeguards, transfer of personal information and commencement.

Responsible party

A responsible party includes insurance companies, medical schemes, medical scheme administrators, pension funds, administrative bodies, employers, managed healthcare organisations, and institutions working for employers.

Processing of data subject’s health information

Processing of health information is permitted only under specific legal authorisations. A responsible person may, subject to section 27 of the Act, not process personal information concerning the religious beliefs, race or ethnic origin, trade union membership, health or sex life, or biometric information of a data subject.

Safeguards

Responsible parties must implement appropriate technical and organisational measures to ensure confidentiality, integrity, and the restricted availability of information in their possession or under their control. These measures are aimed at preventing loss or damage to or unauthorised destruction of health information, as well as unlawful access to or processing of health information.

Safeguards include measures to secure record management and the proper disposal of that information to prevent unauthorised access or unlawful disclosure.

Transfer of personal information 

The Regulations prohibit the transfer of health information of a data subject to a third party in a foreign country unless one or more of the requirements set out in section 72(1) of the Act are met. 

Commencement

The Regulations commenced on date of publication, 6 March 2026. 

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2026 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

2 Feb 2026

by Anli Bezuidenhout and Leila Moosa

Certificates of Compliance and Harassment Awards

In this episode of the CDH Conversations podcasts, Anli Bezuidenhout and Leila Moosa in the Employment Law practice unpack the growing importance of Certificates of Compliance under the Employment Equity Act, 55 of 1998 (EEA).

Employment Law

10:58 Minutes

5 Mar 2026

by Leila Moosa, Imraan Mahomed, Fiona Leppan and Jean Ewang

Webinar Recording | Labour Law Amendments 2025: Potential changes and what to do next

Watch this webinar where our Employment Law experts unpack the Labour Law Amendment Bill (2025).

Employment Law

51:32 Minutes

12 Feb 2026

by Clarice Wambua and Lauriene Maingi

Sustainability insights from Kenya’s National Artificial Intelligence Strategy (2025–2030)

Kenya is a leader in technology and innovation in Africa. Often referred to as the “ Silicon Savannah ”, the country’s private sector and its vibrant startup ecosystem already integrate artificial intelligence (AI) into a variety ofsectors. Global tech giants have also established local research labs.

Environmental Law

4 min read

17 Sep 2025

by Sammy Ndolo

Regulation of competition in East Africa by the East African Community Competition Authority

In a notice dated 1 July 2025, the East African Community Competition Authority (EACCA) announced that it will start receiving applications for approval of cross-border mergers and acquisitions from 1 November 2025. The requirement for approval of cross-border mergers by the EACCA is an additional regulatory layer that businesses will have to factor in as they plan for mergers and acquisitions. In this alert, we outline the background to the EACCA competition regime, the notification thresholds and possible effects on businesses seeking to explore cross-border mergers and acquisitions within the East African Community (EAC).

Competition Law

4 min read

31 Mar 2025

by Fiona Leppan, Kgodisho Phashe and Sinead McElligott

Navigating occupational health and safety in the digital economy

The digitalisation of labour has become increasingly prevalent, necessitating a review of occupational health and safety (OHS) protocols and standards. Employers and employees face unprecedented challenges as well as opportunities in the digital workplace. On 25 March 2025, the Department of Employment and Labour released a guide titled “ What Every Employer and Employee Should Know for the Digital Economy ”, (Guide) which addresses the risks associated with digital labour, highlights key precautionary measures and emphasises the importance of risk management by outlining a step-by-step approach to identify and minimise workplace risks.

Employment Law

4 min read

21 Aug 2025

by Mohammed Saib, Michael Bailey and Thobeka Dhlamini

Out with the old, in with the new: transitioning from JIBAR to ZARONIA

The Johannesburg Interbank Average Rate (JIBAR) will be replaced by a new benchmark rate, the South African Rand Overnight Index Average (ZARONIA). While no formal announcement has been made to the discontinuation of JIBAR, the proposed transition timeline indicates such announcement for the cessation of JIBAR will be made this year, and its complete discontinuation by the end of2026. 

Banking, Finance & Projects

3 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline