Protecting Health Information: Strengthening Safeguards Under the POPIA Health Regulations, 2026
The Protection of Personal Information Act, 2013 (“POPIA”), in regulating an additional and more protected category of personal information, generally prohibits the processing of special personal information, namely information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject.1 However, POPIA also provides for a range of exceptions to this prohibition.
Pertinent to the topic at hand, on 6 March 2026 the Information Regulator published, under POPIA, the Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 (the “Regulations”)2 in Government Gazette No. 54268. The Regulations took effect on the date of publication, 6 March 2026.
Section 32(6) of POPIA states that “more detailed rules may be prescribed concerning the application of subsection (1)(b) and (f).” Subsections 32(1)(b) and (f) deal with the processing of health information by insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers and the institutions working for them, and the more detailed rules contemplated by section 32(6) have now been prescribed in the Regulations.
These Regulations impose specific and enforceable obligations on a defined class of responsible parties in respect of the way in which health information may be processed, safeguarded and transferred across borders.
Accordingly, this bulletin highlights the purpose, scope, and key obligations under the Regulations, with particular focus on the critical requirements relating to appropriate safeguards and cross‑border data transfers.
The primary purposes of the Regulations are to assist responsible parties to interpret section 32(6) of POPIA correctly; to give data subjects greater transparency about the manner in which their health information may be used; and to provide the Information Regulator with a framework for enforcing the rules governing the processing of data subjects’ health information.
These Regulations apply to the following class of responsible parties and applicable operators:
- Insurance Companies;
- Medical Schemes;
- Medical Scheme Administrators;
- Managed Healthcare Organisations;
- Administrative Bodies;
- Pension Funds;
- Employers; and
- Institutions working for employers, administrative bodies, or pension funds.
What are the obligations for responsible parties/applicable operators on health information?
Health information is inherently sensitive and, when inadequately protected, may expose data subjects to serious harm. The Regulations establish proactive safeguards6 designed to ensure that health information is afforded the level of protection it warrants. To this end, the Regulations require that:
a) Responsible Parties who process health information are responsible for maintaining the confidentiality, integrity and availability of such information in their possession or under their control by taking appropriate, reasonable technical and organisational measures in accordance with POPIA to prevent:
- loss of, damage to, or unauthorised destruction of health information; and
- unlawful access to or processing of health information.7
b) The safeguards to be maintained as mentioned above, must include appropriate measures for:
- the security and confidentiality of records, which measures must address the risks associated with physical or electronic health records; and
- the proper disposal of health records to prevent any reasonably anticipated unauthorised use or disclosure of the health information or unauthorised access to the health information following its disposal.8
c) Processing of health information must be undertaken subject to a duty of confidentiality imposed by law, office, employment, profession, or written agreement.9
d) The Responsible Party must implement and maintain appropriate technical measures to ensure the integrity and confidentiality of health information, in line with generally accepted information security practices applicable to the relevant sector or industry.10
What about cross-border transfer of data-subject health information?
In an increasingly interconnected technological landscape, responsible parties may find it necessary to transfer health information to third parties outside of South Africa, whether for processing, storage, or other purposes. The Regulations prohibit such transfers unless one or more of the prescribed requirements under POPIA are satisfied.11 These requirements include, amongst others, that the data subject consents to the transfer, or that the transfer is in the best interests of the data subject.
What are the potential consequences of failing to adhere to these obligations?
A responsible party that breaches the confidentiality obligations imposed under POPIA commits an offence and, if convicted, may be liable to a fine or to imprisonment for a period not exceeding 12 months, or to both a fine and such imprisonment.12
The Information Regulator also has jurisdiction to impose an administrative fine. Where a responsible party is alleged to have committed an offence under POPIA, the Information Regulator may issue that party with an infringement notice specifying the administrative fine payable, which may not exceed R10 million, subject to the provisions of POPIA.13
Conclusion
These Regulations strengthen South Africa’s data protection framework by prescribing clear, enforceable standards for the processing of health information. Regulations 5 and 6 underscore the importance of security safeguards and strict controls on cross‑border data transfers, so that the rights of data subjects remain protected.
The Regulations referenced in this bulletin are publicly available online as a PDF on the Government Gazettes (GPW) website, at pages 104 to 110 of Government Gazette No. 54268.
This bulletin was authored by Partner Venolan Naidoo, Associate Designate Ferdinand Pike and Candidate Attorney Sive Ntanjana.
Footnotes
1 Section 26(1)(a) of the Protection of Personal Information Act, 2013.
2 The Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
3 Section 32(1)(a) of the Protection of Personal Information Act, 2013.
4 Section 32(1)(b) of the Protection of Personal Information Act, 2013.
5 Section 32(1)(f) of the Protection of Personal Information Act, 2013.
6 Regulation 5 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
7 Regulation 5(1) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
8 Regulation 5(2) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
9 Regulation 5(3) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
10 Regulation 5(4) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
11 Regulation 6 of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013): Regulations under Section 112(2)(c) of the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).
12 Section 101 read with Section 107(1)(b) of the Protection of Personal Information Act, 2013.
13 Section 109(1) and (2)(c) of the Protection of Personal Information Act, 2013.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.