The Information Regulator has published the final Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties under the Protection of Personal Information Act, 2013 (POPIA). This follows the publication of the draft Regulations for public comment in September 2025.
Nadine Mather, partner, and Chloë Loubser, knowledge and learning lawyer, both at Bowmans, unpack the Regulations.
It is apparent from the final text of the Regulations that the Regulator duly considered the submissions received during the public comment period. Several provisions contained in the draft Regulations which were subject to scrutiny do not appear in the final Regulations.
Key changes to scope and purpose
One of the key changes in the final Regulations is the removal of references to sex life information. The Regulations now apply exclusively to the processing of health information.
The purpose of the Regulations has also been clarified. The final Regulations now explicitly reference section 32(6) of POPIA, which permits more detailed rules to be prescribed concerning the application of section 32(1)(b) and (f). The Regulations are intended to be these ‘more detailed rules’.
Section 32(1)(b) and (f) authorise certain bodies to process personal information concerning a data subject’s health and sex life for certain specific purposes. These bodies are insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers and institutions working for them. The Regulations contain definitions for each of these terms and apply only to those responsible parties and operators who fall within these definitions.
There is a welcome change in the reference to, and definition of, employer. The final Regulations no longer limit the concept of an employer to those ‘working for administrative bodies or pension funds’, and the definition is no longer linked to the definition contained in the Occupational Health and Safety Act, 1993.
Instead, an ‘employer’ is defined more broadly as ‘a person, company or organisation that pays others to work for them, often under their direction, in exchange for wages or a salary, forming a contractual relationship for work’.
Removal of certain provisions contained in the draft Regulations
Several provisions included in the draft Regulations and which were subject to scrutiny have not been retained in the final Regulations. In particular:
- Dual-authorisation requirements and Legitimate Interests Assessments – The draft Regulations contained provisions that appeared to require both a specific authorisation for processing health and sex life information under section 32 of POPIA and a lawful basis for processing under section 11(1) of POPIA. In addition, where a responsible party relied on the lawful basis of legitimate interests (either that of the responsible party or of the data subject), the draft Regulations introduced the requirement of a ‘Legitimate Interest Assessment’ (LIA) to be conducted prior to the processing. This represented a departure from how POPIA structures the lawful grounds for processing special personal information. These provisions have not been retained in the final Regulations.
- Requirement for a written agreement with the data subject – The draft Regulations included a provision suggesting that any processing of health or sex life information could only take place if there was an agreement between the responsible party and the data subject. This appeared to be based on a misinterpretation of section 32(2) of POPIA, which provides that health and sex life information may only be processed subject to an obligation of confidentiality by virtue of office, employment, profession, or a legal provision, or established by a written agreement between the responsible party and the data subject. The final Regulations now refer directly to section 32(2), recognising that a written agreement is one of several ways in which a duty of confidentiality may arise.
- Cross-border transfer notification requirements – The draft Regulations contained detailed provisions requiring responsible parties to notify data subjects of cross-border transfers of their health information, unless the data subject had consented or the transfer was in the legitimate interests of the data subject. These provisions, which raised several practical questions and appeared to go beyond what POPIA contemplates, have not been included in the final Regulations. While this is a helpful clarification, the Regulations do not address the prior authorisation requirement in section 57(1)(d) of POPIA which may apply in certain circumstances where special personal information is transferred outside of South Africa.
In addition, certain provisions included in the draft Regulations relating to appropriate safeguards, including references to governance structures, ISO standards, and specific measures recommended by the Health Professions Council of South Africa, have not been retained.
The final Regulations also no longer contain provisions dealing with the retention of records, destruction or de-identification of information, or public interest authorisation.
What remains?
In their final form, the Regulations largely reflect the existing POPIA framework governing the processing of health information without introducing extensive additional obligations for responsible parties.
Organisations falling within the scope of the Regulations, including insurance companies, medical schemes, pension funds, administrators, employers and institutions working for them, should nevertheless familiarise themselves with the Regulations and ensure that their processing of health information remains aligned with the requirements of POPIA.