New draft Regulations to the Protection of Personal Information Act 4 of 2013 (“POPIA)” have been circulated for comment and relate to the processing of health and sex life data. Given the sensitive nature of such information, the fear of many data subjects has circled the unconsented sharing or processing of the data as it pertains to health and sex life. In this article, we take a brief look at the proposed new regulations.

Section 12(1) of POPIA provides that personal information must be collected directly from the data subject, except as otherwise provided for in section 12(2). However, with the new draft Regulations (“draft Regulations”) on the radar, the position may change as it relates to collecting and processing of health and sex life data of a data subject. The draft Regulations have reportedly been released for the first round of inputs, deliberation and commentary from the medical sector, whereafter it will also be released for comments from the broader stakeholders.

It must be noted that the draft Regulations are only applicable to certain responsible parties such as pension funds, employers, managed healthcare organisations, medical scheme administrators, medical schemes, insurance companies and operators of some of these parties (collectively referred to as “Responsible Parties”). 

But do the draft Regulations remove the requirement for unconsented sharing or processing of health and sex life data? It is clear that the draft Regulations still require a Responsible Party to obtain consent from the data subjects specifically as it pertains to health and sex life data, and that such consent may be withdrawn by the data subject subsequently. 

As far as it pertains to jurisdiction, section 72(1) of the POPIA is clear that a responsible party may not transfer personal information about a data subject to a third party who is in a foreign country unless the data subject in question consents to the transfer. The draft Regulations, in its current draft form, does not exempt this requirement as it relates to health and sex life data of data subjects in South Africa. 

Whilst we await the commentary review stages of the draft Regulations, it must be noted that access to health and sex life data must be carefully governed with stringent processes and consent, since failure to do so may result in constitutional issues. In considering the aforementioned caution, one can reflect back on the Satchwell v President of the Republic of South Africa and Another 2002 (6) SA 1 (CC) case where the right of equality as it pertains to unfair discrimination regarding sexual orientation was placed under a magnifying glass. In the aforementioned case, the finding of unconstitutionality was based on section 9(3) of the Constitution which prohibits unfair discrimination based on sexual orientation and marital status. The sharing and processing of sex life data must thus be carefully protected to avoid it resulting in unconstitutional conduct.

Lastly, when considering the processing of health data, we can take a leaf from the NM and Others v Smith and Others (Freedom of Expression Institute as Amicus Curiae) 2007 (5) SA 250 (CC) case, where the right to privacy as provided for in section 14 of the Constitution was placed at the forefront. In this case, the applicants, who were HIV+ alleged that the respondents violated their rights to privacy by publishing their names and HIV status in a book. The Constitutional Court order made it clear that no stone should be left unturned in the verification of information regarding the matter of consent, especially related to the processing or use of health data of a data subject. 

While the draft Regulations may expand the scope of data processing and sharing, they remain aligned with existing legislative frameworks such as the National Health Act 61 of 2003, the National Archives and Record Service of South Africa Act 43 of 1996, and the Promotion of Access to Information Act 2 of 2000. It is crucial to remember that the sensitive nature of health and sex life data requires careful governance, clear consent, and strict adherence to privacy protections to avoid any legal or constitutional risks.


Disclaimer: This article is the personal opinion/view of the author(s) and is not necessarily that of the firm. The content is provided for information only and should not be seen as an exact or complete exposition of the law. Accordingly, no reliance should be placed on the content for any reason whatsoever and no action should be taken on the basis thereof unless its application and accuracy has been confirmed by a legal advisor. The firm and author(s) cannot be held liable for any prejudice or damage resulting from action taken on the basis of this content without further written confirmation by the author(s).