The inconsiderate use and misuse of persons’ personal information has come under the spotlight in recent years. Not only are individuals continually ‘harassed’ by indiscriminate marketing efforts through the use of mechanisms such as calling machines, junk mail and spam, but inexperienced consumers are also induced to enter into transactions that are not in their best interests and consumers’ contact information is often obtained through unlawful or unethical practices (unscrupulous sale of information, phishing bots, hacking).
In addition, the inter-connected world we live in, with the increased use of digital technology, the Internet and more recently the Internet of Things, has increased the risk to the safety of personal information. This is true not only on a personal but also on a professional level. We use business apps, rely more heavily on email and host electronic databases that are often filled with large amounts of personal information. It has become clear that personal information, and more specifically financial and health information, is valuable and as such at higher risk of being sought out and abused by unauthorised persons.
Information in transit is particularly vulnerable and at risk of being intercepted by perpetrators with malicious intentions. Because of this, the need has arisen to regulate the protection of personal information globally. South Africa has followed suit and the long-awaited Protection of Personal Information Act (Act 4 of 2013) (“POPIA”) was finally implemented by the legislature on 1 July 2020. POPIA will become legally enforceable on 1 July 2021. As such all businesses, including medical technology (“MedTech”) companies, have 12 months to become compliant with POPIA.
The South African Medical Technology Industry Association (“SAMED”) supports the principles underpinning the protection of personal information. We encourage our members to play a leadership role in the protection of personal information and to embrace these principles and to become compliant with the legislation.
Non-compliance with POPIA has inherent risks, and the adverse consequences for a company could be significant. A company could suffer significant reputational damage or even face significant penalties and claims for damages and aggravated damages should it fail to implement compliance measures. In addition, the heads of entities and information officers could incur criminal liability in certain circumstances. We therefore encourage our members to take compliance with POPIA seriously.
DO NOT
- assume that your company is compliant with POPIA because you do not obtain personal information ‘unlawfully’.
- assume that POPIA only affects customers’ (i.e. health care practitioners’) information (MedTech companies are often custodians of unsolicited patient information, and the personal information of employees, directors and even other companies is also protected).
- assume that customers are satisfied with the handling of their information because your company is a multi-national company or because you provide a valuable product or service.
- underestimate internal weaknesses that could compromise personal information security.
- collect and store more personal information than what is needed for lawful business purposes.
- continue with current marketing practices and transferring of personal information to third parties in foreign countries, including storing such information in ‘clouds’, without ensuring that your practices are lawful and compliant with POPIA.
- underestimate the Information Regulator’s powers in assessing and enforcing compliance with POPIA.
- underestimate persons’ potential actions to obtain compensation for the alleged misuse of their personal information.
- underestimate what it entails to become compliant with POPIA.
- postpone implementation of POPIA, but start today.
DO
- create an organisational culture of treating personal information as valuable and with sensitivity.
- understand which personal information is in your possession and under your control, and collected and used by you and for which purposes.
- protect personal information and process it lawfully.
- remember that the personal information of all persons and entities is at stake, such as directors of the company, employees, health care practitioners, patients, hospitals and funders.
- ensure that the necessary justification exists, as set out in POPIA, for each instance of processing of personal information. Personal information may only be processed lawfully on the grounds stipulated in POPIA. The justification grounds differ depending on the type of information. For example, the justification grounds for the processing of health information are different from those related to the contact details of adult persons. Generally, all types of personal information may be processed to comply with legislation or with the data subject’s consent. It should be borne in mind that consent can be withdrawn by the data subject at any time, in which case the information may no longer be processed unless one of the other grounds for processing set out in POPIA applies.
- obtain pre-authorisation from the Information Regulator for the defined processing activities (such as when health information is sent to a third party in another country where there is insufficient protection of personal information, or when credit reporting is performed).
- ensure that all processing activities are reasonable through, amongst others, appropriate and responsible communication and disclosures to all persons and entities whose information is processed.
- enhance documentation such as consent forms and agreements.
- collect only the personal information that is required for lawful business purposes.
- keep proper records of personal information.
- appoint or designate a suitable and knowledgeable person as Information Officer and register such a person with the Information Regulator before the deadline.
- prepare a Manual in terms of the Promotion of Access to Information Act as well as policies and procedures to create a framework for the lawful and sensitive handling of personal information.
- upscale security practices to prevent unauthorised access to personal information or any other security compromise.
- train all employees and agents and ensure that they know how to handle personal information, with whom it may be shared and for how long it must be stored.
- monitor and enforce proper management of personal information.
- consider cyber insurance, if necessary.