Are you really POPI compliant? The healthcare sector deals with particularly sensitive personal information, and there are stringent requirements which must be followed. MedSecure has a range of tools to support and empower your organisation on its POPI journey.  

As with all our Compliance Domains, MedSecure promotes a systematic approach which is both comprehensive and flexible – comprehensive because it addresses all relevant compliance aspects, and flexible because it meets the specific needs of your organisation.

Set out below is a step by step strategy for POPI compliance. Regardless of where you are on your POPI journey, or the size of your organisation, the steps below are designed to give you quick wins in key areas in the short term, evolve a comprehensive plan in the medium term, and enjoy all the benefits of having maximised your POPI compliance in the long term.

Sounds good? Then let’s begin your POPI journey … to your surprise, you may actually enjoy the experience!

POPI steps

Step 1: Have a plan


In order to achieve your long-term goal of maximum POPI compliance, you need to begin with a plan. Compliance cannot be achieved overnight, or bought “out the box” (although assessment tools can be a useful aid to achieving your goals), and POPI compliance is no exception. All organisations are different, and have different POPI needs. And compliance is a process. So you’ll need a short, medium and long term plan to match your organisation’s situation to the specific regulatory requirements which apply.

We recommend that you begin with conducting a gap analysis to determine where best to allocate your resources to take you from where you are at present to where you’d like to be.

Step 2: Appoint an Information Officer


Besides being a regulatory requirement, appointing an information officer is a great idea anyway: it is the first step in establishing a winning compliance team, regardless of the size of your organisation.

By allowing one particular person (together with any Deputy Information Officers) to focus on developing technical knowledge and skills and the resultant confidence and ability, your organisation will develop the internal capacity to manage most compliance issues.

At MedSecure, we recommend the appointment of a Compliance Officer who will be responsible for all Compliance Domains, with the Compliance Officer also being the Information Officer in regard to POPI.

Step 3: Develop a compliance framework


Your compliance framework must include the eight conditions for the lawful processing of personal information (don’t panic if you don’t understand these terms right now, they can be understood later – they are all actually sensible and helpful):

1. Accountability

2. Processing limitation

3. Purpose specification

4. Further processing limitation

5. Information quality

6. Openness

7. Security safeguards

8. Data subject participation

Once you have your overall framework in place, you will have an idea of the “bigger picture”, and you can begin strategising for the most effective short, medium and long term steps to be taken to achieve your goals.

Step 4: Conduct a Personal Information Impact Assessment


In this step, your Information Officer will really drill down into the details of the personal information which your organisation processes.

In essence, in this phase, your Personal Information Officer will list all sources of personal information, classify the information and measure the relevant security safeguards against the classification.

We have prepared a sample template to assist in this process. However, it is important when using the template to understand and apply the underlying principles. The template should therefore be seen as a useful guide, rather an injunction which should be slavishly followed.

Step 5: Develop a PAIA Manual


Your organisation should, by now, have a PAIA Manual – and, if not, then you need one (regard this as is the perfect opportunity to develop a PAIA Manual).

One of the obligations of the Information Officer is to develop, monitor, maintain and make available a PAIA Manual.

The PAIA Manual for each organisation will differ, depending on the nature of the services offered, the size of the organisation and the information which is processed. However, there are a number of key components to the PAIA Manual which must be complied with. To get you started, we have prepared a template of a PAIA Manual which can be adapted to your organisation’s requirements.

Step 6: Implement information request systems


Your Information Officer needs to develop internal measures with adequate systems to process requests for information or access to information from patients or other interested parties.

We have prepared a template of a data request form for access to personal information. 

A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3, including the right-
   (a)   to be notified that-
     (i)   personal information about him, her or it is being collected as provided for in terms of section 18; or
    (ii)   his, her or its personal information has been accessed or acquired by an unauthorised person as provided for in terms of section 22;
   (b)   to establish whether a responsible party holds personal information of that data subject and to request access to his, her or its personal information as provided for in terms of section 23;

Step 7: Encourage team compliance


As part of their duties, your Information Officer needs to conduct internal awareness sessions regarding the provisions of POPI, regulations made in terms of the Act, codes of conduct, and information obtained from the Regulator.

However, simply conducting such sessions is not enough to maximise POPI compliance. Compliance in general is a team effort, and this applies to POPI as well. The Information Officer cannot ever ensure POPI compliance on their own, and it is important that all practitioners and staff share a common goal of POPI compliance, as well as having beinig clear what is required from them in practice to contribute to compliance.

Step 8: Follow and develop your plan


Your POPI plan should address key needs first based on the particular requirements of your organisation. If you have applied the steps recommended in this topic, you will have made a lot of progress towards POPI compliance.

Once your plan has been implemented, the needs of your organisation will have to be reassessed in order to evalute where future development should occur.

Step 9: Review, assess and improve


It is important to realise that POPI compliance is not a one-off event, but a dynamic process that ultimately forms part of the practitioner-patient relationship.

For this reason, your organisation should conduct regular reviews of your POPI compliance – both from the point of view of keeping up to date with latest regulatory developments, as well as learning from the practical implementation of the POPI provisions in your organisation.

Over time, your knowledge and understanding of what is required from your organisation, and how your organisation is actually performing, will improve, and the gap between the two will narrow.