POPIA for Medical Practices: What the Act Requires of Doctors

Updated 2026-07-06 ยท Written for South African healthcare practitioners by Sphygmos.

The Protection of Personal Information Act 4 of 2013 (POPIA) treats patient health information as the most protected category of personal information in South African law, and it makes the medical practice, not the software vendor and not the receptionist, answerable for it. The Act has been fully enforceable since its one-year grace period ended on 30 June 2021, with an Information Regulator that can investigate complaints, issue enforcement notices and impose administrative fines of up to R10 million. This guide sets out what the Act actually demands of a practice, where consent fits, and what non-compliance costs.

POPIA applies to every medical practice, now

Most of POPIA commenced on 1 July 2020, and section 114(1) gave responsible parties one year to bring all processing of personal information into conformity with the Act. That period ended on 30 June 2021. A practice processing patient information today is expected to comply in full, not to be working towards compliance.

In the Act's terms, the practice is the responsible party: the party that determines the purpose and means of processing. Everything held about an identifiable patient counts as personal information, from contact details and medical aid membership numbers to clinical notes, results, correspondence and accounts. The Information Regulator, established under the Act, supervises compliance and enforces it.

Patient health information is special personal information

Section 26 of POPIA prohibits the processing of personal information concerning a data subject's health unless a specific authorisation applies. Health sits in the Act's most protected category, alongside religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, sex life and biometric information.

Section 32(1)(a) lifts that prohibition for medical professionals, healthcare institutions or facilities and social services, where the processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned. Section 32(1)(b) separately authorises insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations for defined purposes such as risk assessment and the performance of a medical scheme agreement.

The authorisation comes with a string attached. Under section 32(2), health information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by written agreement between the responsible party and the data subject. For an HPCSA-registered practitioner, the professional duty of confidentiality is that qualifying obligation.

The eight conditions the Act imposes

Section 4(1) lists eight conditions for the lawful processing of personal information, and section 8 makes the responsible party, the practice, answerable for compliance with all of them:

  • Accountability (section 8): the responsible party must ensure the conditions are complied with
  • Processing limitation (sections 9 to 12): processing must be lawful, minimal and justified
  • Purpose specification (sections 13 and 14): information is collected for a specific purpose and not retained longer than necessary, subject to retention required or authorised by law
  • Further processing limitation (section 15): further processing must be compatible with the purpose of collection
  • Information quality (section 16): information must be complete, accurate and updated where necessary
  • Openness (sections 17 and 18): documentation and notification to the data subject about collection
  • Security safeguards (sections 19 to 22): integrity, confidentiality, operator controls and breach notification
  • Data subject participation (sections 23 to 25): patients may request access to and correction of their information

Consent under POPIA: narrower than practices assume

POPIA defines consent as any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information. Each of those three words does work. Under section 11(2)(a) the responsible party bears the burden of proving that consent was given, and the data subject may withdraw consent at any time.

Consent is also only one of six lawful bases in section 11(1). Processing is equally lawful where it is necessary for the conclusion or performance of a contract with the data subject, where it complies with an obligation imposed by law, where it protects a legitimate interest of the data subject, or where it is necessary for the legitimate interests of the responsible party or a third party.

For health information specifically, section 32(1)(a) authorises processing that is necessary for proper treatment and care, or for the administration of the practice, without resting on consent. Consent becomes the operative question when a practice wants to process health information beyond treatment, care and practice administration, and there the statutory definition and the burden of proof apply with full force.

Security safeguards, and the software a practice runs on

Section 19(1) requires the responsible party to secure the integrity and confidentiality of personal information in its possession or under its control, by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of it.

The Act also regulates every provider that processes patient information on the practice's behalf: practice management software, billing bureaus, transcription services. These are operators. Under section 20 an operator may process the information only with the knowledge or authorisation of the responsible party and must treat it as confidential. Under section 21(1) the practice must have a written contract with the operator ensuring the operator establishes and maintains the section 19 security measures, and under section 21(2) the operator must notify the practice immediately where there are reasonable grounds to believe patient information has been accessed by an unauthorised person.

Accountability does not move. Outsourcing the processing does not outsource the section 8 responsibility; the practice remains the responsible party for everything its operators do with patient information.

Breach notification: section 22

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person, section 22 requires the responsible party to notify the Information Regulator and the affected data subjects, unless the identity of the data subject cannot be established.

The notification must be made as soon as reasonably possible after discovery of the compromise. The Act allows the timing to account only for the legitimate needs of law enforcement and for measures reasonably necessary to determine the scope of the compromise and restore the integrity of the practice's information system. A stolen laptop holding unencrypted patient records, or a compromised practice email account, is the kind of event section 22 contemplates.

The information officer duty

Every practice has an information officer whether it has appointed one or not: for a private body, POPIA defines the information officer as the head of the private body as contemplated in the Promotion of Access to Information Act. Section 55(1) makes that officer responsible for encouraging compliance with the conditions for lawful processing, dealing with requests made to the practice under the Act, working with the Regulator in investigations, and otherwise ensuring the practice complies.

The Information Regulator requires information officers, in terms of section 55(2), to take up their duties only after being registered with the Regulator, and registration is done through the Regulator's eServices portal. This applies to private bodies as well as public ones.

What non-compliance costs

Enforcement runs through the Information Regulator. It can receive complaints from patients, investigate, and issue an enforcement notice under section 95 directing a responsible party to take specified steps. Failing to comply with an enforcement notice is itself an offence in the Act's most serious band.

Section 107 sets the criminal penalties: for the most serious offences, including obstruction of the Regulator, breach of conditions attached to processing account numbers and non-compliance with an enforcement notice, a fine or imprisonment for up to 10 years, or both. Other offences carry a fine or imprisonment for up to 12 months. Separately, section 109 allows the Regulator to issue an infringement notice with an administrative fine, and the Act caps that fine at R10 million.

For a practitioner the exposure is layered. The same incident that draws the Regulator's attention, a confidentiality breach or lost records, can also found a professional conduct complaint to the HPCSA, whose ethical rules bind registered practitioners to confidentiality independently of POPIA.

How Sphygmos helps

Sphygmos keeps patient records in one POPIA-conscious workspace with doctor-controlled access. Clinical notes, documents and correspondence live on the patient timeline rather than scattered across inboxes, drives and paper, so the practice always knows where its patient information sits and who can see it. Every generated document is a draft the doctor reviews and confirms before anything leaves the practice; the doctor is always the final gate.

See Sphygmos, the clinical operating system for South African doctors

Frequently asked questions

Does POPIA apply to medical practices in South Africa?

Yes. A medical practice that determines why and how patient information is processed is a responsible party under the Act. Most of POPIA commenced on 1 July 2020 and section 114(1) required all processing to conform within one year, so compliance has been enforceable since 1 July 2021.

Is patient health information special personal information under POPIA?

Yes. Section 26 prohibits processing personal information concerning a data subject's health unless an authorisation applies. Section 32(1)(a) authorises medical professionals and healthcare institutions to process it where necessary for the proper treatment and care of the patient, or for the administration of the practice, subject to an obligation of confidentiality under section 32(2).

Do doctors need patient consent under POPIA to process health information?

Not for treatment itself in every case. Section 32(1)(a) authorises processing necessary for proper treatment and care or for practice administration, and consent is only one of six lawful bases in section 11. Where a practice does rely on consent, it must be a voluntary, specific and informed expression of will, the practice bears the burden of proving it, and the patient may withdraw it at any time.

What are the penalties for breaking POPIA?

Section 107 provides a fine or imprisonment of up to 10 years, or both, for the most serious offences, including failure to comply with an enforcement notice, and up to 12 months for other offences. Section 109 lets the Information Regulator impose an administrative fine through an infringement notice, capped at R10 million. Patients can also complain directly to the Regulator, which can investigate and issue enforcement notices.

Does a medical practice need to register an information officer?

Yes. In a private practice the information officer is by definition the head of the private body, and section 55(1) makes that officer responsible for ensuring the practice complies with the Act. The Information Regulator requires information officers, in terms of section 55(2), to be registered with the Regulator before taking up their duties, via its eServices portal.

What must a practice do after a patient data breach under POPIA?

Section 22 requires the responsible party to notify the Information Regulator and the affected patients where there are reasonable grounds to believe personal information was accessed or acquired by an unauthorised person. Notification must happen as soon as reasonably possible after discovery, with delay permitted only for legitimate law enforcement needs or measures needed to establish the scope of the compromise and restore the system.

Can a medical practice use cloud software under POPIA?

Yes, the Act expressly provides for operators that process information on a responsible party's behalf. Section 21(1) requires a written contract obliging the operator to establish and maintain the section 19 security measures, section 20 binds the operator to confidentiality, and section 21(2) obliges the operator to notify the practice immediately of a suspected compromise. The practice remains accountable under section 8 for what its operators do.

Sources

This guide is general information for healthcare practitioners, not legal advice. Verify current legislation and HPCSA guidance before relying on any detail.

Related guides