HANDLING DATA BREACHES UNDER POPIA: A GUIDE FOR HEALTHCARE PROFESSIONALS

Posted 16 October 2024

Hanneke Verwey (Senior Associate)

In today's digital age, the protection of personal information is of paramount importance, especially for professionals handling sensitive data, such as healthcare providers. The Protection of Personal Information Act 4 of 2013 (POPIA) in South Africa sets the framework for the lawful processing of personal information, including requirements for notifying affected parties in the event of a data breach. This guide focuses on practical steps doctors can take to manage data breaches under POPIA.

Understanding Your Responsibilities

Healthcare providers qualify as so-called “responsible persons” in terms of POPIA in respect of their patients’ personal information, because it is in their possession and under their control. This means that healthcare providers have a duty, amongst others, to comply with the conditions of lawful processing of personal information in terms of POPIA.

These conditions include compliance with security safeguards to protect personal information. Should these measures be breached, data subjects have the right to be informed if their personal information has been accessed or obtained by an unauthorized individual. As applied to healthcare providers, POPIA requires them to notify affected patients and the Information Regulator if there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorized person.

There are various situations in which there is sufficient evidence or suspicion that a patient’s personal data has been viewed, obtained, or otherwise handled by someone who does not have the legal right to do so. Reasonable grounds can arise from direct evidence, such as logs showing unauthorized access to data systems or the theft of physical patient files. They may also arise from indirect indicators, such as unusual activity patterns that suggest data has been compromised. For instance, if a healthcare provider notices unusual login attempts or unexplained data export activities, or receives alerts from their security systems indicating that sensitive patient information might have been accessed without proper authorization, these could constitute reasonable grounds. The key is that there is a rational basis for the suspicion, based on observable facts or credible information, rather than mere speculation.

POPIA makes any unauthorized access to personal information, regardless of its perceived insignificance, a data breach. This includes all situations where a third party processes (for example, by gaining access to or viewing) someone else's health information in circumstances that are not authorised under either section 27 (general authorisation concerning special personal information) or section 32 (authorisation concerning data subjects’ health or sex life) of POPIA. This strict interpretation differs from practices in the European Union and the United Kingdom, where notification of a breach to the regulator is only required if the breach poses a risk to the rights and freedoms of the affected individual. POPIA requires all data breaches to be reported to the Information Regulator, irrespective of the severity or potential consequences of the breach. This ensures that data subjects are always made aware of any compromise of their personal information.

Responding to Data Breaches

Notification Requirements

Notifications should be made as soon as reasonably possible after the breach is discovered. The notification must provide sufficient information to allow patients to take protective measures against the potential consequences of the breach. The notification must include:

  1. A description of the possible consequences: Healthcare providers must detail the potential impacts of the security breach on patients.
  2. Measures taken to address the security compromise: They must explain the steps taken to mitigate the breach and prevent future occurrences.
  3. Recommended actions for data subjects: They should provide recommendations on what patients can do to protect themselves from potential harm and to mitigate the adverse effects of the security compromise.
  4. Identity of the unauthorized party: If known, they should provide information about the unauthorized party who accessed the personal information.

Communication Methods

Notifications can be communicated through various means:

  1. Email: Send detailed notifications to the affected patients via their last known email addresses.
  2. Postal Mail: Use traditional mail to reach patients if email is not feasible.
  3. Website Notice: Post the notification prominently on the practice website.
  4. Media: If necessary, use media channels to inform a broader audience.
  5. Regulator's directions: Follow any specific instructions provided by the Information Regulator.

Immediate actions a healthcare provider should take following a data breach

  1. Immediate Response: Upon discovering a data breach, take immediate steps to contain and assess the scope of the breach. This may involve shutting down affected systems, securing backups, and preserving evidence for investigation.
  2. Assessment and Investigation: Conduct a thorough investigation to understand the extent of the breach, the type of information compromised, and the potential impact on patients. Identify all affected individuals and the nature of the compromised data.
  3. Notification: Prepare and send notifications to the affected patients and the Information Regulator, as outlined above.
  4. Mitigation: Implement measures to mitigate the impact of the breach on affected individuals. This may include offering advice on how to protect personal information and implementing additional security measures.
  5. Review and Improvement: After addressing the immediate consequences of the breach, review the security practices and procedures to identify any weaknesses. Implement improvements to prevent future breaches.

Preventative Measures and Best Practices

To prevent data breaches and ensure compliance with POPIA, healthcare professionals should focus on several best practices:

  1. Regular training is essential to ensure that all staff members understand data protection principles and the importance of adhering to POPIA.
  2. Implementation of robust security protocols, such as strong encryption, access controls, and frequent updates to software and systems, is crucial to prevent unauthorized access.
  3. Regular internal audits help identify and address vulnerabilities in data handling processes.
  4. Consulting with legal experts who specialize in healthcare can keep practitioners informed about compliance requirements and best practices.

Conclusion

Dealing with a data breach effectively requires prompt action, thorough investigation, and transparent communication. By following these guidelines, healthcare professionals can ensure they meet their obligations under POPIA, protect their patients' information, and maintain trust.

For further assistance or specific legal advice regarding data breaches and compliance with POPIA, healthcare providers should consider consulting legal experts who specialize in healthcare data protection.