Professional Indemnity Law

Medical practitioners' duties to safeguard patients' information in terms of POPI

Posted 15 November 2022

Thabiso Mthiyane

While personal information has become more accessible, especially via social media platforms, the protection thereof against unauthorised dissemination has become increasingly more important. The Protection of Personal Information Act 4 of 2013 (POPI) was introduced to oversee the processing and transmission of personal information by all private and public entities which may, for whatever reason, possess the personal information of an individual. The application of the Act becomes extremely relevant in industries which handle sensitive personal information, such as in healthcare. The following discussion considers the legal duties imposed on medical practitioners when processing the personal information of patients, both within their practice and between practitioners.

Section 19 of the Act provides that:

(1) “A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent—
        (a) loss of, damage to or unauthorised destruction of personal information; and
        (b) unlawful access to or processing of personal information.
(2) In order to give effect to subsection (1), the responsible party must take reasonable measures to—
        (a) identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;
        (b) establish and maintain appropriate safeguards against the risks identified;
        (c) regularly verify that the safeguards are effectively implemented; and
        (d) ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
(3) The responsible party must have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.”

The Act does not specify the exact technical and organisational measures that medical practitioners are expected to implement within their practices. What would be deemed “appropriate” and “reasonable” will presumably depend on the circumstances and on the underlying purpose of Section 19. A medical practitioner will therefore need to take a risk-based approach, weighing the risks associated with processing the relevant personal information, the nature of that information and the cost of implementing the envisaged measures.

A medical practitioner can implement various security measures within their practice to safeguard the personal information of patients. These include, but are not limited to:

1) Physical measures, such as securing filing cabinets and access control at offices;
2) Operational measures, such as ensuring that staff sign confidentiality agreements, training staff on the importance of protecting personal information and introducing multilevel authorisation protocols;
3) Technological measures, for example installing firewalls and anti-virus programmes, using passwords and encrypting removable devices; and
4) The development of an information security policy for privacy, to be implemented in the practice, which addresses all the above.

The main benefit of incorporating the abovementioned security measures into an information security policy is that it standardises processes and provides clear direction on the procedures and rules that need to be followed within the practice to protect it against threats to data confidentiality and integrity.

Irrespective of the combination of measures that a medical practitioner may decide to implement in their practice, they should ensure that all the parties involved in the chain of processing the personal information are always in a position to provide tangible evidence of the reasonable steps they have taken to safeguard and safely transmit a patient’s personal information.

The Act also places a duty on any employee/agent processing personal information on behalf of a medical practitioner, to ensure that they process the information only with the knowledge or authorisation of said medical practitioner. Such an employee/agent is also required to treat all personal information which comes to their knowledge by way of their employment and/or mandate as confidential and not to disclose it, unless they are required to do so by law or in the course of the proper performance of their duties. The employee/agent is further required to notify the medical practitioner immediately where there are reasonable grounds to believe that the personal information of a patient has been accessed or acquired by an unauthorised person.

From the above, it appears evident that the Act expects medical practitioners to monitor, control and regulate all aspects and parties involved in the chain of processing the inward and outward flow of the personal information of patients in their respective practices.
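One practical way to meet both the duty to regularly verify safeguards (Section 19(2)(c)) and the duty to notify the practitioner of unauthorised access is to review the practice system's record-access log against a register of who is permitted to process each patient's record. The script below is an added example and is not from the article, the HPCSA or any real practice management product: the log format, the staff logins, the patient identifiers and the authorisation register are all constructed for the demonstration.

```python
"""Review a record-access log for accesses that the practice has not authorised.

Added example, not from the article or any real product. It assumes a
practice system that writes one line per record access in this constructed
format:

    <ISO timestamp> user=<login> role=<role> patient=<id> action=<view|edit|export>

and a hypothetical authorisation register mapping each patient to the staff
entitled to process that patient's record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (logins and patient ids are invented).
SAMPLE_LOG = """\
2022-11-14T08:02:11 user=dr.naidoo role=practitioner patient=P-1001 action=view
2022-11-14T08:05:43 user=reception1 role=admin patient=P-1001 action=view
2022-11-14T08:09:02 user=dr.naidoo role=practitioner patient=P-1002 action=edit
2022-11-14T09:17:55 user=reception1 role=admin patient=P-2043 action=export
2022-11-14T09:20:30 user=locum2 role=practitioner patient=P-1001 action=view
this line is not a valid log entry
2022-11-14T10:01:12 user=dr.naidoo role=practitioner patient=P-2043 action=view
"""

# Hypothetical authorisation register: patient id -> staff permitted to
# process that patient's record (treating practitioner plus front-desk staff).
AUTHORISED = {
    "P-1001": {"dr.naidoo", "reception1"},
    "P-1002": {"dr.naidoo", "reception1"},
    "P-2043": {"dr.mthiyane", "reception1"},
}

# Assumed practice rule: only practitioners may change or export clinical records.
CLINICAL_ACTIONS = {"edit", "export"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> tuple[list[Access], list[str]]:
    """Parse the log; malformed lines are returned separately rather than dropped silently."""
    records, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            bad.append(line)
            continue
        records.append(Access(datetime.fromisoformat(m["ts"]), m["user"],
                              m["role"], m["patient"], m["action"]))
    return records, bad


def find_unauthorised(records: list[Access], authorised=AUTHORISED):
    """Return (record, reason) for every access the register does not permit."""
    findings = []
    for r in records:
        allowed = authorised.get(r.patient)
        if allowed is None:
            findings.append((r, "patient not in authorisation register"))
        elif r.user not in allowed:
            findings.append((r, "user not authorised for this patient"))
        elif r.action in CLINICAL_ACTIONS and r.role != "practitioner":
            findings.append((r, f"role '{r.role}' may not {r.action} clinical records"))
    return findings


def notification_summary(findings):
    """Group findings by patient, which is what the practitioner needs to be told."""
    summary: dict[str, list[str]] = {}
    for r, reason in findings:
        summary.setdefault(r.patient, []).append(
            f"{r.when.isoformat()} {r.user} {r.action}: {reason}")
    return summary


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for patient, items in notification_summary(find_unauthorised(recs)).items():
        print(patient)
        for item in items:
            print("  ", item)
    if bad:
        print(f"{len(bad)} malformed line(s) need investigation")
```

Run against the sample, the review flags three accesses: a front-desk export of a clinical record, a locum viewing a patient not under their care, and a practitioner viewing a colleague's patient. Malformed lines are reported rather than ignored, since a log that cannot be read is itself a gap in the evidence the practitioner must be able to produce.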

The transmission of personal information to another practitioner raises different security concerns. From a practical perspective, there are different ways in which a medical practitioner can transmit a patient’s personal information to another medical practitioner during the referral process, all of which pose their own unique risks. Transmitting a patient’s personal information to another medical practitioner via email poses less of a risk than if it were to be hand delivered by a third-party agent or via post. Provided the patient’s personal information is processed in a reasonable manner that does not infringe on their privacy rights and the medical practitioner has taken reasonable steps to ensure that the patient is aware of the purpose for which their personal information is being collected (and the possibility of it being processed further), transmitting a patient’s personal information to another medical practitioner by way of email will not be deemed to be contrary to the provisions of the Act. This of course is based on a more progressive interpretation of the Act in the light of continuous technological advancements.

The preventative security measures which a medical practitioner may want to implement in their practice in order to prevent a data leak when transmitting a patient’s personal information are vast and diverse, and whichever of these they ultimately decide to use will depend on various considerations, most of which are IT related. It is therefore advisable for medical practitioners to consult the appropriately qualified IT personnel when they intend to or do regularly transmit the personal information of their patients to their colleagues via electronic means, since the appropriate software and hardware will need to be in place in order to ensure compliance with Section 19 of the Act.

The Act essentially provides an extra layer of protection for patients, as medical practitioners are obliged to keep their personal information confidential not only in terms of the regulatory guidelines of the profession but now also in terms of POPI. This dual obligation serves to regulate the internal and external processing of a patient’s personal information as well as potential breaches by unauthorised third parties. It is worth noting that the Act does not aim to replace or amend any of the regulations or guidelines set by the HPCSA, but requires medical practitioners to process the personal information of patients in a manner that satisfies the requirements of the Act as well as those of the HPCSA guidelines and regulations.

Unlike the regulatory guidelines of the medical profession which are more concerned with the professional conduct of medical practitioners, a breach of confidentiality by any person in terms of the Act is considered to be a criminal offence. On conviction, said person will be liable to a fine or imprisonment for a period not exceeding 10 years, or to both a fine and such imprisonment.

Written by Thabiso Mthiyane, assisted by Jayashree Naidoo.

Read the article published in the Juta Medical Brief here.