The Protection of Personal Information Act, 2013 (POPIA) is there to protect our constitutional right to privacy by introducing measures to regulate the processing of personal information. It ensures that South Africa is brought in line with international legislation and that we conduct ourselves in a responsible manner when dealing with all personal information, including personal information about clients, patients, employees, service providers, etc.

Why should your practice comply with POPIA?

  • In terms of section 19 of the POPIA Act you must secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures to prevent—

(a)  loss of, damage to or unauthorised destruction of personal information; and

(b)  unlawful access to or processing of personal information.

  • The National Health Act (Section 17) also stipulates that you must set up control measures to prevent unauthorized access to health records and to the storage facility in which, or system by which, records are kept.
  • Non-compliance carries serious consequences – with fines and penalties (POPIA), criminal offence (National Health Act and the new Cyber Security Act).

Why is it important starting your compliance efforts as soon as possible?

POPIA is principled based. That means organisations must each create their own effective and appropriate privacy policies and practices in order to protect personal information of data subjects at all times. Organisations must also provide evidence of their efforts. Organisations is accountable.

Controls and notifications

Organisations will need to:

• Protect personal information using appropriate security
• Notify authorities of personal information breaches
• Obtain appropriate consents for processing information
• Keep records detailing information processing

Personal privacy and protection

Individuals have the right to:

• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal information

Transparent policies and procedures

Organisations are required to:

• Provide clear notice of information collection
• Outline processing purposes and use cases
• Define information retention and deletion policies

Information technology and training

Organisations will need to:

• Train privacy personnel and employees
• Audit and update information policies
• Appoint an Information Officer
• Create and manage compliant vendor (3rd party) contracts

What do you need to do?
1. Look at the way you process personal information, for example only collect information that you need for a specific purpose.
2. Apple reasonable security measures to protect the information.
3. Ensure that the information is relevant and up to date.
4. Only hold as much as you need, and only for as long as you need it.
5. Be transparent.
6. Implement relevant policies and procedures.
7. Train your staff.

What can we do to help?

  • Option 1: You can do it yourself by buying our Privacy Management Program Toolkit – Module 5, consisting of 2 files and a memory stick with all the forms and documents you need to implement your Privacy Management Program and comply with the Act – Price R 1,650.00
  • Option 2: Buy above package and combine it with a training session for 1 of your employees – Price R 2,950.00

By using our reference guide you will:

  1. demonstrate the application of the POPI Act in your practice – In terms of sect 19(1) of the POPI Act you must: – secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information; and unlawful access to or processing of personal information.
  2. be able to show that you set up control measures to prevent unauthorized access to patient records and to the storage facility in which, or system by which, records are kept – Sect 17(1) of the National Health Act, 2003
  3. implement current best practice
  4. avoid legal problems – sect 17(2) make it a criminal offence and liability on conviction to a fine or to imprisonment for a period not exceeding one year or to both a fine and such imprisonment to perform a duty imposed on you in terms of subsection (1).

We continually update Module 5. Laws and risks change and therefore the framework needs to be updated often.

You will receive a document on CD, with the forms set out hereunder in an editable format.

If you are interested, please complete our order form now.

Contents of Module 5: Privacy Management Program for the Practice of [Practice Name]

Folder 00: Documentation_Management

00.0_Procedure_for_Document_and_Record_Control – MSW

00.0_Procedure_for_Document_and_Record_Control – PDF


Folder 02: Implement_&_Maintain_Governanc_&_Leadership_Structure

02.1_Personal_Information_Protection_Policy – MSW

02.1_Personal_Information_Protection_Policy – PDF

02.2_Employee_Personal_Information_Protection_Policy – MSW

02.2_Employee_Personal_Information_Protection_Policy – PDF

02.3_Privacy_Notification to data subject when collecting personal information – MSW

02.3_Privacy_Notification to data subject when collecting personal information – PDF

02.4_Document_Retention_and_Destruction_Policy – MSW

02.4_Document_Retention_and_Destruction_Policy – PDF

02.5_Appointment_Letter_Information_Officer – MSW

02.5_Appointment_Letter_Information_Officer – PDF

02.6_Access_and_Confidentiality_Agreement_with_Employees – MSW

02.6_Access_and_Confidentiality_Agreement_with_Employees – PDF

02.7_Privacy_Management_Accountability_Framework – MSW

02.7_Privacy_Management_Accountability_Framework – PDF


Folder: 03_Implement_and_Maintain_Training_and_Awareness_Program

03.1_Employee_Training_Log – MSW

03.1_Employee_Training_Log – PDF

Presentation 1.1_Training_Information Security Essentials – Powerpoint

Presentation 1.2_Training_Physical Security Essentials – Powerpoint

Presentation 1.2_USB Device Safety – Powerpoint

Presentation 1.2_What is Personal Information – Powerpoint


Folder 04: Implement_and_Maintain_Personal_Information_Inventory

04.1_Personal_Information_Flowchart – MSW

04.1_Personal_Information_Flowchart – PDF

04.2_Personal_Information_Assets_Information_Classification_Matrix_and_Handling_Guide – MSW

04.2_Personal_Information_Assets_Information_Classification_Matrix_and_Handling_Guide – PDF

04.3_Inventory_of_Records_and_Personal_Information_Bank – MSW

04.3_Inventory_of_Records_and_Personal_Information_Bank – PDF

04.4_Personal_Information_Assets_Personal_Information_Bank – MSExel

04.4_Personal_Information_Assets_Personal_Information_Bank – PDF

04.5_Personal_Information_Assets_Hardware – MSW

04.5_Personal_Information_Assets_Hardware – PDF

04.6_Personal_Information_Assets_Shared_Databases – MSW

04.6_Personal_Information_Assets_Shared_Databases – PDF

04.7_Personal_Information_Assets_Operating_Systems_and_Software – MSW 04.7_Personal_Information_Assets_Operating_Systems_and_Software – PDF


Folder: 05_Create & Maintain Policies & Procedures

05.1_Policy_Statement_and_Manual_for_the_POPI_Act – MSW

05.1_Policy_Statement_and_Manual_for_the_POPI_Act – PDF

05.2_Collection_and_Use_of_Personal_and_Special_Personal_Information_Policy – MSW

05.2_Collection_and_Use_of_Personal_and_Special_Personal_Information_Policy – PDF 05.3_Collection_and_Use_of_Children_and_Minors’_Personal_Information – MSW

05.3_Collection_and_Use_of_Children_and_Minors’_Personal_Information – PDF

05.4_Information_Quality_Policy – MSW

05.4_Information_Quality_Policy – PDF

05.5_Social_Media_Policy – MSW

05.5_Social_Media_Policy – PDF

05.6_Bring_your_Own_Device_Policy.docx – MSW

05.6_Bring_your_Own_Device_Policy.docx – PDF

05.7_Clear_Screen_and_Desktop_Policy.docx – MSW

05.7_Clear_Screen_and_Desktop_Policy.docx – PDF

05.8_Password_Management_Policy_and_Guidelines – MSW

05.8_Password_Management_Policy_and_Guidelines – PDF

05.9_Shred_it_all_Policy – MSW

05.9_Shred_it_all_Policy – PDF

05.10_Use_of_Transportable_Media_Policy – MSW

05.10_Use_of_Transportable_Media_Policy – PDF


Folder 6: Managing Data Subject Rights

06.1_Consent_to_use_Patient_Personal_Information_Policy – MSW

06.1_Consent_to_use_Patient_Personal_Information_Policy – PDF

06.2_Authorisation_for_Release_of_Personal_Information_Third_Parties – MSW

06.2_Authorisation_for_Release_of_Personal_Information_Third_Parties – PDF

06.3_Practice_Payment_Policy – MSW

06.3_Practice_Payment_Policy – PDF

06.4_Practice_Privacy_Notification_Patient_Handout – MSW

06.4_Practice_Privacy_Notification_Patient_Handout – PDF

06.5_Patient_Identification_Policy – MSW

06.5_Patient_Identification_Policy – PDF


Folder 7: Manage Information Security Risk during Communication and Transmission

07.1_Guidelines_for_Use_of_Email_by_Employees – MSW

07.1_Guidelines_for_Use_of_Email_by_Employees – PDF

07.2_Instant_Messaging_Security_and_Usage_Guidelines – MSW

07.2_Instant_Messaging_Security_and_Usage_Guidelines – PDF

07.3_Guidelines_for_Use_of_Faxes_by_Employees – MSW

07.3_Guidelines_for_Use_of_Faxes_by_Employees – PDF

07.4_Patient_Consent_for_Electronic_Communication – MSW

07.4_Patient_Consent_for_Electronic_Communication – PDF

07.5_Fax_Cover_Letter_Confidentiality_Notice_and_Disclaimer – MSW

07.5_Fax_Cover_Letter_Confidentiality_Notice_and_Disclaimer – PDF


Folder 08_Managing Third Party Compliance

08.1_Personal Information Handling Questionnaire for Suppliers and their Contractors – MSW

08.1_Personal Information Handling Questionnaire for Suppliers and their Contractors – PDF

08.2_Confidentiality_Provisions_for_Supplier_Agreements – MSW 08.2_Confidentiality_Provisions_for_Supplier_Agreements – PDF

08.3_ Approved Vendors – MSW

08.3_ Approved Vendors – PDF


Folder 09_Security of Personal Information

09.1_Information_Security_Policy – MSW

09.1_Information_Security_Policy – PDF


Folder 10_Respond to Requests and Complaints from Individuals

10.5. Form 1_Objection_Processing_Personal_Information_Terms_Section_11_3_POPI – MSW

10.5. Form 1_Objection_Processing_Personal_Information_Terms_Section_11_3_POPI – PDF

10.6. Form 2_Request_Correction_Deletion_Personal_Information_Section 24_1 – MSW

10.6. Form 2_Request_Correction_Deletion_Personal_Information_Section 24_1 – PDF


Folder 11_Legislation_Regulations_Ethical Guidelines

11.1_Protection_of_Personal_InformationI_Act__2013-004 – MSW

11.1_Protection_of_Personal_InformationI_Act__2013-004 – PDF

11.2_Regulations Relating to the Protection of Personal Information – MSW

11.2_Regulations Relating to the Protection of Personal Information – PDF

11.3_National_Health_Act_2003-61 – MSW

11.3_National_Health_Act_2003-61 – PDF

11.4_Promotion_of_Access_to_Information_Act_2000-2 – MSW

11.4_Promotion_of_Access_to_Information_Act_2000-2 – PDF

11.5_HPCSA_Booklet 3_National Patients’ Rights Charter – PDF

11.6_HPCSA_Booklet 5_Confidentiality Protecting_and_Providing_Information – PDF

11.7_HPCSA_Booklet 9_Guidelines_on_Keeping_of_Patient_Records – PDF

11.8_Booklet 10_Telemedicine.pdf – PDF

11.9_Booklet 16_Ethical_Guidelines_on_Social_Media – PDF