New POPIA Regulations on Processing Sensitive Health Information

This article will count 0.25 units (15 minutes) of unverifiable CPD. Remember to log these units under your membership profile.

The Information Regulator (South Africa) has gazetted new regulations under the Protection of Personal Information Act, 2013 (POPIA) to clarify how certain entities may process personal information relating to a data subject’s health. The regulations, published in the Government Gazette on 6 March 2026, came into effect immediately.

The regulations are intended to assist responsible parties in interpreting section 32(6) of POPIA and to provide clearer rules for processing sensitive health information in sectors such as insurance, healthcare, and employment-related administration.

Key changes include:

  • Clearer guidance on exemptions

    The regulations clarify when organisations such as insurance companies, medical schemes, administrators, employers, and pension funds may process health information where it is necessary for insurance assessments, healthcare administration, or employment-related benefits.

  • Greater transparency for data subjects

    Organisations must provide clearer information on how personal health data may be used, improving transparency and awareness for individuals.

  • Stronger safeguards for health information

    Responsible parties must implement appropriate technical and organisational measures to protect the confidentiality, integrity, and availability of health data and prevent unauthorised access or destruction.

  • Duty of confidentiality

    Processing of health information must take place subject to strict confidentiality obligations imposed by law, professional rules, or contractual arrangements.

  • Restrictions on cross-border transfers

    Health information may not be transferred outside South Africa unless the requirements of POPIA for international data transfers are satisfied.

The regulations also provide the Information Regulator with a clearer framework for monitoring and enforcing compliance where organisations process sensitive health information.
