Why should your practice comply with POPIA?
- In terms of section 19 of the POPIA Act you must secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures to prevent—
(a) loss of, damage to or unauthorised destruction of personal information; and
(b) unlawful access to or processing of personal information.
- The National Health Act (Section 17) also stipulates that you must set up control measures to prevent unauthorized access to health records and to the storage facility in which, or system by which, records are kept.
- Non-compliance carries serious consequences: fines and penalties under POPIA, and criminal offences under the National Health Act and the new Cyber Security Act.
Why is it important to start your compliance efforts as soon as possible?
POPIA is principle-based. That means each organisation must create its own effective and appropriate privacy policies and practices in order to protect the personal information of data subjects at all times. Organisations must also be able to provide evidence of their efforts, because under POPIA the organisation is accountable.
Controls and notifications
Organisations will need to:
• Protect personal information using appropriate security
• Notify authorities of personal information breaches
• Obtain appropriate consents for processing information
• Keep records detailing information processing
Personal privacy and protection
Individuals have the right to:
• Access their personal data
• Correct errors in their personal data
• Erase their personal data
• Object to processing of their personal information
Transparent policies and procedures
Organisations are required to:
• Provide clear notice of information collection
• Outline processing purposes and use cases
• Define information retention and deletion policies
Information technology and training
Organisations will need to:
• Train privacy personnel and employees
• Audit and update information policies
• Appoint an Information Officer
• Create and manage compliant vendor (3rd party) contracts
What do you need to do?
1. Look at the way you process personal information; for example, only collect information that you need for a specific purpose.
2. Apply reasonable security measures to protect the information.
3. Ensure that the information is relevant and up to date.
4. Only hold as much as you need, and only for as long as you need it.
5. Be transparent.
6. Implement relevant policies and procedures.
7. Train your staff.
What can we do to help?
- Option 1: You can do it yourself by buying our Privacy Management Program Toolkit – Module 5, consisting of 2 files and a memory stick with all the forms and documents you need to implement your Privacy Management Program and comply with the Act – Price R 1,650.00
- Option 2: Buy the above package and combine it with a training session for 1 of your employees – Price R 2,950.00
By using our reference guide you will:
- demonstrate the application of the POPI Act in your practice – in terms of section 19(1) of the POPI Act you must secure the integrity and confidentiality of personal information in your possession or under your control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
- be able to show that you have set up control measures to prevent unauthorised access to patient records and to the storage facility in which, or system by which, records are kept – section 17(1) of the National Health Act, 2003
- implement current best practice
- avoid legal problems – section 17(2) makes it a criminal offence to fail to perform a duty imposed on you in terms of subsection (1), punishable on conviction by a fine or imprisonment for a period not exceeding one year, or both a fine and such imprisonment.
We continually update Module 5. Laws and risks change and therefore the framework needs to be updated often.
You will receive a document on CD, with the forms set out hereunder in an editable format.
If you are interested, please complete our order form now.
Contents of Module 5: Privacy Management Program for the Practice of [Practice Name]
Folder 00: Documentation_Management
00.0_Procedure_for_Document_and_Record_Control – MSW
00.0_Procedure_for_Document_and_Record_Control – PDF
Folder 02: Implement_&_Maintain_Governance_&_Leadership_Structure
02.1_Personal_Information_Protection_Policy – MSW
02.1_Personal_Information_Protection_Policy – PDF
02.2_Employee_Personal_Information_Protection_Policy – MSW
02.2_Employee_Personal_Information_Protection_Policy – PDF
02.3_Privacy_Notification to data subject when collecting personal information – MSW
02.3_Privacy_Notification to data subject when collecting personal information – PDF
02.4_Document_Retention_and_Destruction_Policy – MSW
02.4_Document_Retention_and_Destruction_Policy – PDF
02.5_Appointment_Letter_Information_Officer – MSW
02.5_Appointment_Letter_Information_Officer – PDF
02.6_Access_and_Confidentiality_Agreement_with_Employees – MSW
02.6_Access_and_Confidentiality_Agreement_with_Employees – PDF
02.7_Privacy_Management_Accountability_Framework – MSW
02.7_Privacy_Management_Accountability_Framework – PDF
Folder: 03_Implement_and_Maintain_Training_and_Awareness_Program
03.1_Employee_Training_Log – MSW
03.1_Employee_Training_Log – PDF
Presentation 1.1_Training_Information Security Essentials – Powerpoint
Presentation 1.2_Training_Physical Security Essentials – Powerpoint
Presentation 1.2_USB Device Safety – Powerpoint
Presentation 1.2_What is Personal Information – Powerpoint
Folder 04: Implement_and_Maintain_Personal_Information_Inventory
04.1_Personal_Information_Flowchart – MSW
04.1_Personal_Information_Flowchart – PDF
04.2_Personal_Information_Assets_Information_Classification_Matrix_and_Handling_Guide – MSW
04.2_Personal_Information_Assets_Information_Classification_Matrix_and_Handling_Guide – PDF
04.3_Inventory_of_Records_and_Personal_Information_Bank – MSW
04.3_Inventory_of_Records_and_Personal_Information_Bank – PDF
04.4_Personal_Information_Assets_Personal_Information_Bank – MSExcel
04.4_Personal_Information_Assets_Personal_Information_Bank – PDF
04.5_Personal_Information_Assets_Hardware – MSW
04.5_Personal_Information_Assets_Hardware – PDF
04.6_Personal_Information_Assets_Shared_Databases – MSW
04.6_Personal_Information_Assets_Shared_Databases – PDF
04.7_Personal_Information_Assets_Operating_Systems_and_Software – MSW
04.7_Personal_Information_Assets_Operating_Systems_and_Software – PDF
Folder: 05_Create & Maintain Policies & Procedures
05.1_Policy_Statement_and_Manual_for_the_POPI_Act – MSW
05.1_Policy_Statement_and_Manual_for_the_POPI_Act – PDF
05.2_Collection_and_Use_of_Personal_and_Special_Personal_Information_Policy – MSW
05.2_Collection_and_Use_of_Personal_and_Special_Personal_Information_Policy – PDF
05.3_Collection_and_Use_of_Children_and_Minors’_Personal_Information – MSW
05.3_Collection_and_Use_of_Children_and_Minors’_Personal_Information – PDF
05.4_Information_Quality_Policy – MSW
05.4_Information_Quality_Policy – PDF
05.5_Social_Media_Policy – MSW
05.5_Social_Media_Policy – PDF
05.6_Bring_your_Own_Device_Policy.docx – MSW
05.6_Bring_your_Own_Device_Policy.docx – PDF
05.7_Clear_Screen_and_Desktop_Policy.docx – MSW
05.7_Clear_Screen_and_Desktop_Policy.docx – PDF
05.8_Password_Management_Policy_and_Guidelines – MSW
05.8_Password_Management_Policy_and_Guidelines – PDF
05.9_Shred_it_all_Policy – MSW
05.9_Shred_it_all_Policy – PDF
05.10_Use_of_Transportable_Media_Policy – MSW
05.10_Use_of_Transportable_Media_Policy – PDF
Folder 6: Managing Data Subject Rights
06.1_Consent_to_use_Patient_Personal_Information_Policy – MSW
06.1_Consent_to_use_Patient_Personal_Information_Policy – PDF
06.2_Authorisation_for_Release_of_Personal_Information_Third_Parties – MSW
06.2_Authorisation_for_Release_of_Personal_Information_Third_Parties – PDF
06.3_Practice_Payment_Policy – MSW
06.3_Practice_Payment_Policy – PDF
06.4_Practice_Privacy_Notification_Patient_Handout – MSW
06.4_Practice_Privacy_Notification_Patient_Handout – PDF
06.5_Patient_Identification_Policy – MSW
06.5_Patient_Identification_Policy – PDF
Folder 7: Manage Information Security Risk during Communication and Transmission
07.1_Guidelines_for_Use_of_Email_by_Employees – MSW
07.1_Guidelines_for_Use_of_Email_by_Employees – PDF
07.2_Instant_Messaging_Security_and_Usage_Guidelines – MSW
07.2_Instant_Messaging_Security_and_Usage_Guidelines – PDF
07.3_Guidelines_for_Use_of_Faxes_by_Employees – MSW
07.3_Guidelines_for_Use_of_Faxes_by_Employees – PDF
07.4_Patient_Consent_for_Electronic_Communication – MSW
07.4_Patient_Consent_for_Electronic_Communication – PDF
07.5_Fax_Cover_Letter_Confidentiality_Notice_and_Disclaimer – MSW
07.5_Fax_Cover_Letter_Confidentiality_Notice_and_Disclaimer – PDF
Folder 08_Managing Third Party Compliance
08.1_Personal Information Handling Questionnaire for Suppliers and their Contractors – MSW
08.1_Personal Information Handling Questionnaire for Suppliers and their Contractors – PDF
08.2_Confidentiality_Provisions_for_Supplier_Agreements – MSW
08.2_Confidentiality_Provisions_for_Supplier_Agreements – PDF
08.3_ Approved Vendors – MSW
08.3_ Approved Vendors – PDF
Folder 09_Security of Personal Information
09.1_Information_Security_Policy – MSW
09.1_Information_Security_Policy – PDF
Folder 10_Respond to Requests and Complaints from Individuals
10.5. Form 1_Objection_Processing_Personal_Information_Terms_Section_11_3_POPI – MSW
10.5. Form 1_Objection_Processing_Personal_Information_Terms_Section_11_3_POPI – PDF
10.6. Form 2_Request_Correction_Deletion_Personal_Information_Section 24_1 – MSW
10.6. Form 2_Request_Correction_Deletion_Personal_Information_Section 24_1 – PDF
Folder 11_Legislation_Regulations_Ethical Guidelines
11.1_Protection_of_Personal_Information_Act__2013-004 – MSW
11.1_Protection_of_Personal_Information_Act__2013-004 – PDF
11.2_Regulations Relating to the Protection of Personal Information – MSW
11.2_Regulations Relating to the Protection of Personal Information – PDF
11.3_National_Health_Act_2003-61 – MSW
11.3_National_Health_Act_2003-61 – PDF
11.4_Promotion_of_Access_to_Information_Act_2000-2 – MSW
11.4_Promotion_of_Access_to_Information_Act_2000-2 – PDF
11.5_HPCSA_Booklet 3_National Patients’ Rights Charter – PDF
11.6_HPCSA_Booklet 5_Confidentiality Protecting_and_Providing_Information – PDF
11.7_HPCSA_Booklet 9_Guidelines_on_Keeping_of_Patient_Records – PDF
11.8_Booklet 10_Telemedicine.pdf – PDF
11.9_Booklet 16_Ethical_Guidelines_on_Social_Media – PDF