Information Regulator invites comments on use of personal health information

On 8 September 2017, the Information Regulator – an independent body tasked with enforcing, among other things, the Protection of Personal Information Act, 2013 (POPI) – published draft regulations for comment.

The notice also invites interested parties to make submissions on whether the Information Regulator should introduce rules regulating the use of personal information on a person’s health and sex life.

POPI has implemented a number of restrictions on how personal information may be collected and used. In particular, certain kinds of information, such as a person’s religious beliefs, political persuasion or health, may only be collected and used by specific kinds of entities in a limited range of circumstances.

Under POPI, no one may process (a legal term which includes collecting, recording and disseminating) personal information unless the person has consented or the information is necessary to establish or exercise a right or obligation in law, is for research purposes in the public interest, or has deliberately been made public.

When it comes to information about a person’s health or sex life, POPI allows insurance companies, medical schemes and managed care organisations to use the information to assess the risk attached to an individual, provided that the individual hasn’t objected to this use. In addition, personal health information may be used if it is necessary for the enforcement of medical scheme or insurance contracts and agreements.

Administrative bodies, employers and pension funds may process personal health information if it is necessary for the implementation of laws or pension regulations. In addition, the information may be used to support or reintegrate workers who have been sick or incapacitated.

As a result, when and how companies are permitted to use personal health information can have a significant impact on a person’s medical aid, insurance and pension fund benefits. However, whether the Information Regulator decides to create more stringent rules on the use of personal health information will depend on the comments from industry and other interested parties.

For the time being, the draft regulations do provide a procedure for objecting to the processing of personal information, which consumers can use to prevent insurers and medical aids from utilising personal health information to determine the risk associated with them.

The draft regulations also introduce procedures for requesting that personal information be corrected, destroyed or deleted. Notably, the draft regulations also contain provisions relating to unsolicited direct marketing. Under POPI, companies may only use personal information for unsolicited direct marketing if they have obtained the consumer’s consent or the consumer is a customer of the company. The draft regulations require that companies obtain written consent from consumers before using their personal information for unsolicited direct marketing.

Comments on both the Draft Regulations and whether Rules for the processing of personal health information should be introduced can be sent to by 7 November 2017.