New POPIA Regulations: Processing of Health Information
Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 (Regulations)
April 09, 2026
On 6 March 2026, the Information Regulator published Regulations on the processing of health information by certain responsible parties. These Regulations, which were issued under section 112(2)(c) of the Protection of Personal Information Act, 4 of 2013 (POPIA), aim to: (i) assist responsible parties to interpret section 32(6) of POPIA correctly; (ii) provide better transparency to data subjects on the manner in which their health information may be used; and (iii) provide an enforcement framework to the Information Regulator regarding the processing of health information. The Regulations commenced on the date of their publication in the Government Gazette, meaning they are already in force.

As a starting position, POPIA prohibits the processing of health information, which is classified as special personal information and includes personal information relating to the physical and/or mental health of a data subject, including the provision of healthcare services and/or any testing, treatment, and diagnosis which reveals information about the data subject's health status. However, this prohibition is subject to certain exceptions, such as processing by medical professionals for the purposes of the proper treatment of data subjects. POPIA imposes additional obligations on the processing of this information, and enables the Information Regulator to publish regulations, such as these Regulations, setting out “more detailed rules” to govern such processing by certain bodies (section 32(6)).

The Regulations also reiterate the general prohibition on processing special personal information, including health information, subject to section 27 of POPIA (Regulation 4).
They apply to the responsible parties listed in section 32(1)(b) and (f), including insurance companies, medical schemes, medical scheme administrators, and managed healthcare organisations, as well as administrative bodies, pension funds, employers, and institutions working for them, together with applicable operators processing health information on their behalf.

A key focus area of the Regulations is security safeguards. These responsible parties must maintain the confidentiality, integrity and availability of health information in line with section 19(1). In particular, appropriate measures must be implemented for the security and confidentiality of records, including both physical and electronic records, and the proper disposal of health records. Responsible parties must also implement and maintain technical and organisational measures in line with generally accepted information security practices applicable to their sector or industry (Regulation 5.4).

Practically, this requires responsible parties to assess whether their existing security measures adequately mitigate the risks associated with storing, handling and disposing of this sensitive information. Examples may include:
The Regulations also emphasise that health information may be processed only by responsible parties who are subject to a duty of confidentiality, whether by law, office, employment, profession, or written agreement (as contemplated in section 32(2)). Practically, this means ensuring that staff who handle health information are bound by confidentiality undertakings and receive appropriate training on their obligations, and that third-party operator contracts contain appropriate confidentiality obligations.

In addition, the Regulations reiterate that health information may not be transferred outside South Africa unless the requirements of section 72 are met. Responsible parties should therefore ensure that there is a lawful basis for the transfer of information, and evaluate whether foreign service providers operate in jurisdictions with adequate protections or ensure that POPIA-aligned contractual obligations are in place.

The coming into force of these Regulations offers organisations a valuable opportunity to reassess how they collect, use, safeguard and destroy health information. By taking proactive steps to align internal processes with these requirements, responsible parties can strengthen compliance, reduce risk and build greater trust with data subjects.

An important aspect of POPIA and these Regulations, which is often overlooked, is that, while they apply to responsible parties that operate within the medical and insurance sectors or industries, they also apply to every employer that processes the health information of their employees, including sick notes, medical records, and medical certificates, that they may receive from their employees.

Should you require assistance with POPIA compliance, data governance and regulatory risk, our TMT team is available to assist you.