General work environment security and employee training are two critical considerations for Protection of Personal Information (POPI) Act compliance, delegates on an Institute of Health Risk Managers (IHRM) webinar were told on Friday.
Health law consultant Elsabe Klinck explained to her audience that, in terms of the Act – the full compliance deadline being 1 July 2021 – processing of personal information is, in general, prohibited unless the data subject has consented or another lawful ground applies. One such ground would be where processing is necessary to “exercise a right or fulfil a legal obligation”, but even then there would still have to be sufficient guarantees for the individual.
The processing of personal information in broad terms, Klinck showed, included the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of information.
This pertained to information stored in databases, address books, payroll systems or manual filing systems, sent via email, found in word processing programmes, exchanged in contracts with the suppliers “and recorded on CCTV and in telephone records”.
Section 32 of the Act, she went on to note, exempts medical professionals and healthcare facilities, insurance companies and medical schemes/administrators who deal with authorisations relating to health from the general prohibition on processing health information. But, she added, this information can only be processed under a contractual duty of confidentiality, “unless there is a legal duty to process the information”.
An important requirement, Klinck stressed, was that, whether a scheme or medical facility, all employees must be trained on the Act. Internal awareness sessions, it was noted, must be conducted regarding the provisions of the Act, regulations made in terms of the Act, codes of conduct, or information obtained from the Regulator.
“Just like with all policies the training must be an ongoing process, not a once-off,” she said.
“Create refresher trainings, regular awareness-raising sessions. Send out fun quizzes. Make a record of all of it and make sure staff have signed to prove training!”
Also critical was the need for regular risk assessments based on the following questions and considerations: “How safe are my surroundings – physical break-ins and breaches; any changes since the last assessment? Lock and key…
“How safe are my IT protections? Passwords, etc.? Where do files and hard-copy information move? What is the industry doing? What is acceptable?”
Concluding on this, Klinck recommended regular self-audits: “Pick out a sample of specific documents/information, contracts/clients and assess whether or not the requisite conditions are POPI compliant.”