Human biological specimens and POPIA

Authors: Marco Schepers, and Koketso Molotsi

Services: Regulatory, and Data Protection


How medical institutions and research facilities should treat human biological specimens in light of POPIA: Part 2

In part 1 of this article series, we identified that human biological specimens can find application in terms of POPIA under certain circumstances. To the extent that human biological specimens do find application in terms of POPIA, it is important that medical institutions and medical research facilities who process human biological specimens do so in line with POPIA.

The definition of personal information in POPIA includes (i) information relating to the … physical or mental health, well-being, disability … of the person”, and (ii) information relating to the … medical … history of the person. POPIA then defines special personal information to include information concerning the … health … of a data subject. For purposes of the application of POPIA, there appears to be a fundamental difference between the medical history of a person and the current medical health of a person. The medical history of a person falls within the scope of personal information as defined by POPIA (thus not special personal information) and is therefore applied in accordance with the general conditions which apply to Part A of POPIA. However, a person’s current medical health status falls within the scope of special personal information which is treated slightly differently than personal information in terms of POPIA.

The question posed then is if a human biological specimen is tested/analysed and entered in a record by or for a responsible party and POPIA finds application, does Part A of POPIA apply or the provisions dealing with special personal information. The answer primarily points to provisions dealing with the processing in terms of special personal information at that juncture but could over time also apply to medical history which would attract application of Part A of POPIA.

Section 26(a) of POPIA places a general prohibition on responsible parties and states that a responsible party may, subject however to section 27, not process personal information concerning the health of a data subject.

Section 27 of POPIA then furnishes a general authorisation to process special personal information. In this regard and of relevance to medical institutions and medical research facilities is sections 27(1)(a), (b), (d) and (e). These provisions state that the prohibition on processing personal information does not apply if the processing is (i) carried out with the consent of a data subject (ii) necessary for the exercise or defence of a right or obligation in law (iii) for historical, statistical or research purposes and (iv) the provisions of section 32 are complied with.

Under section 32(1) of POPIA, the prohibition on processing special personal information does not apply to the processing by various people or institutions such as —

  • medical professionals, healthcare institutions or facilities or social services
  • insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations
  • schools
  • any public or private body managing the care of a child

Section 32(1) of POPIA cannot however be read and applied in isolation and enable such institutions and facilities to process special personal information unrestricted. Section 32(2) of POPIA states that in cases referred to under section 32(1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject.

So what does this mean for medical institutions and medical healthcare facilities who test/analyse human biological specimens and have such information entered in a record, and as such have such processing activity fall within the scope of POPIA?

For medical institutions, the following position can be summarised -

  • medical institutions are permitted to process special personal information within the scope of section 27 and 32; and
  • the information may only be processed subject to confidentiality or established by a written agreement between the responsible party and the data subject.

For medical research facilities, the following position can be summarised –

  • medical research facilities are permitted to process special personal information within the scope of section 27, if the processing is for historical, statistical or research purposes; and
  • the scope of section 32 would not apply to such medical research facilities.

Having regard to the above, medical institutions and medical research facilities will have to walk a fine line in ensuring that they comply with POPIA. The onus is on them to consider their information processes and policies to ensure compliance with POPIA.

Contact Marco to discuss Data Privacy matters