Health and sex life information in the spotlight: Draft POPIA Regulations released for comment
8 Oct, 2025

 

Nadine Mather, Partner, and Chloë Loubser, Knowledge and Learning Lawyer, Bowmans

 

The Information Regulator (Regulator) has released draft regulations under the Protection of Personal Information Act, 2013 (POPIA) that directly affect how certain organisations may process personal information about a data subject’s health or sex life.

 

The regulations have been published for public comment and interested stakeholders have until 10 October 2025 to submit written comments to the Regulator.

 

Once finalised, these regulations will reshape compliance obligations for insurance companies, medical schemes, pension funds, administrators, employers and related entities that handle health or sex life information.

 

Whilst regulations relating to processing of health and sex life information are a welcome development, there are some unexpected provisions in the draft regulations that raise questions and suggest departures from certain established data protection principles.

 

Who is affected?

 

The draft regulations only apply to insurance companies, medical schemes and their administrators, managed healthcare organisations, pension funds and institutions or employers working for administrative bodies or pension funds.

 

Curiously, when referencing ‘employers’, Regulation 3 limits the scope of the Regulations to those employers who are ‘working for administrative bodies or pension funds’. This is a departure from the previous draft – released about a year ago – which applied to ‘employers’ in the wide sense.

 

The rationale behind the narrow scope is unclear and, in our view, limiting the application to employers working for administrative bodies or pension funds only does not align with the provisions of POPIA and leaves a considerable gap in the regulation of many employers who routinely process health data. The recognition of employers as an independent category of responsible party is however reflected in Regulation 5, suggesting that the reference in Regulation 3 may be a drafting error.

 

Lawful grounds for processing and authorisation

 

Under POPIA, and as reinforced in the draft regulations, the processing of health or sex life information – classified as special personal information – is generally prohibited unless certain general or specified authorisations apply.

 

The general authorisations for processing special personal information are set out in section 27 of POPIA and include:

 

• the explicit consent of the data subject;
• necessity for the establishment, exercise, or defence of a legal right or obligation;
• compliance with obligations of international public law;
• processing for historical, statistical, or research purposes;
• information deliberately made public by the data subject; or
• reliance on sections 28 to 33 of POPIA, which provide specified authorisations for particular bodies.

 

Section 32 of POPIA provides such specified authorisations for the processing of health or sex life information by certain bodies. For example, section 32(f) permits administrative bodies, pension funds, employers and institutions working for them to process this information where it is necessary for:

 

• the implementation of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or
• the reintegration of, or support for, workers or persons entitled to benefit in connection with sickness or work incapacity.

 

Although the position is not entirely clear, the draft regulations appear to go further. In addition to requiring a specific authorisation for processing, they also appear to require that one of the lawful bases for processing in section 11(1) of POPIA applies. Where a responsible party relies on the lawful basis of legitimate interests (either that of the responsible party or the data subject), the regulations introduce the requirement of a ‘Legitimate Interest Assessment’ (LIA) to be conducted prior to the processing.

 

The LIA must:

 

• set out the purpose and necessity for processing;
• assess the balance of interests between the responsible party and the rights of the data subject; and
• be recorded and retained to demonstrate compliance.

 

This represents a novel approach by the Regulator, considering the position in many other jurisdictions which require a higher standard than ‘legitimate interests’ when dealing with special personal information. This development, in our view, misconstrues how POPIA approaches the lawful grounds for processing special personal information.

 

Safeguards and security measures

 

The draft regulations reinforce and expand upon the requirement in section 19 of POPIA to implement appropriate security safeguards to maintain the confidentiality and integrity of health and sex life information and spell out specific measures, including:

 

• protection against reasonably anticipated threats such as loss, unauthorised use, disclosure, or unlawful access;
• management of the risks associated with electronic health or sex life records;
• secure disposal of records to prevent unauthorised access after destruction;
• regular information security risk assessments and evaluation and updates to mitigation measures;
• adoption of industry standards and generally accepted information security practices, including applicable ISO standards as recommended by the Health Practitioners Council of South Africa; and
• appropriate organisational governance structures to oversee compliance with these standards.

 

However, the draft goes further to suggest that processing health or sex life information may only take place if there is an agreement between the responsible party and the data subject.

 

The inclusion of this wording appears to be based on a misinterpretation of section 32(2) which provides that health and sex life information may only be processed subject to an obligation of confidentiality on the responsible party, whether such obligation arises by virtue of office, employment, profession or legal provision, or by written agreement between the responsible party and the data subject.

 

In our view, the draft regulations erroneously assume that a written agreement must always be in place, which is simply not contemplated by POPIA.

 

Cross-border transfers

 

The draft regulations suggest that responsible parties may rely on any of the grounds listed in section 72(1) of POPIA to transfer health or sex life information outside of South Africa, for example, an adequate level of protection by way of law, binding corporate rules or a data transfer agreement, consent, or necessity for the performance of a contract.

 

However, the regulations appear to overlook section 57(1)(d) of POPIA, which requires prior authorisation from the Regulator before transferring special personal information to a country that does not provide an adequate level of protection.

 

Practically, section 57(1)(d), read together with section 72, means that unless the responsible party relies on the existence of an adequate level of protection to enable the cross-border transfer of health and sex life information, it must still obtain prior authorisation from the Regulator to effect such transfer. The draft regulations do not address this prior authorisation requirement.

 

Instead, the regulations appear to focus on data subject notification in the event of a cross-border transfer. In this regard, responsible parties must notify data subjects of intended transfers and the level of protection afforded to their information, unless (i) the data subject has consented, or (ii) the transfer is in their legitimate interests.

 

Both carve-outs raise questions. For consent, notification to the data subject would ordinarily be a precondition to obtaining valid consent – creating a circular requirement. For legitimate interests, the wording departs from section 18(4)(b) of POPIA, which allows for the notification to be dispensed with if it would not prejudice the legitimate interests of the data subject. The proposed wording instead frames it as sufficient that the transfer is in the data subject’s legitimate interests.

 

These provisions also arguably go beyond what is contemplated by the POPIA provisions, which are intended to clarify the grounds for processing as applicable to certain categories of persons, not to introduce (or dispense with) notification requirements for cross-border transfers.

 

Retention and destruction of records

 

The draft regulations restate the requirements of section 14 of POPIA when it comes to retention of records. Health or sex life information must not be retained for any longer than necessary to achieve the purpose for which it was collected, unless:

 

• a retention period is required by a law or contract;
• the responsible party reasonably requires the record for lawful purposes related to its functions or activities;
• the data subject or a competent person has consented to storage for a defined period; or
• the information is processed for historical, statistical, or research purposes, subject to safeguards preventing further use.

 

Once retention is no longer justified, records must be destroyed, deleted, or de-identified in a manner that prevents reconstruction in intelligible form. Responsible parties should thus ensure that policies and processes are in place not only to manage retention periods but also to evidence secure and timely disposal of health or sex life information.

 

Conclusion

 

While the draft regulations represent a step forward in clarifying the treatment of health and sex life information under POPIA, several provisions raise questions that require clarification before they are finalised.

 

Stakeholders should carefully review the draft, assess the practical and legal implications for their organisations, and make use of the public comment period to advocate for clear, workable and legally sound regulations ahead of the deadline.

 

ENDS
