• Constitution of the Republic of South Africa, 1996 (Act No 108 of 1996)
  • National Health Act, 2003 (Act No. 61 of 2003)
  • Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002)
  • National Credit Act Act, 2005 (Act No 34 of 2005)
  • Regulations in terms of the Medical Schemes Act, 1998. GNR.1262 of 20 October 1999
  • Children’s Act, 2005 (Act No. 38 of 2005)
  • Choice on Termination of Pregnancy Act, 1996 (Act No. 92 of 1996)
  • Regulations in terms of Health Professions Act, 1974 (Act No 56 of 1974),  Government Notice R688 in Government Gazette 18890 of 15 May 1998
  • Consumer Protection Act, 2008 (Act No 68 of 2008)
  • Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

Constitution of the Republic of South Africa, 1996 (Act No 108 of 1996)

Section 14: Privacy

Everyone has the right to privacy, which includes the right not to have –

(a) their person or home searched;

(b) their property searched;

(c) their possessions seized; or

(d) the privacy of their communications infringed.

Privacy in the National Health Act, 2003 (Act No. 61 of 2003)

Section 14: Confidential

1) All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment, is confidential.

2) Subject to section 15, no person may disclose any information contemplated in unless

a)     the user consents to that disclosure in writing

b)     a court order or any law requires that disclosure; or

c)     non-disclosure of the information represents a serious threat to public health.

Section 15: Access to health record

1.A health worker or any health care provider that has access to the health records of a user may disclose such personal information to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user.

2. For the purpose of this section, “personal information” means personal information as defined in section 1 of the Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

Section 16: Access to health records by health care provider

1)    A health care provider may examine a user’s health records for the purposes of-

a)     treatment with the authorisation of the user; and

b)     study, teaching or research with the authorisation of the user, head of the health establishment concerned and the relevant health research ethics committee.

2)     If the study, teaching or research contemplated in subsection (1)(b) reflects or obtains no information as to the identity of the user concerned, it is not necessary to obtain the authorisations contemplated in that subsection.

Electronic Communications and Transactions Act, 2002 (Act No. 25 of 2002) (ECTA)

  • ECTA was enacted to regulate electronic commerce and therefore it only operates in the electronic communications environment.
  • Chapter VIII of ECTA contains provisions which relate to the protection of personal information, of an individual, that has been obtained through electronic transactions.
  • ECTA further states that a data controller may voluntarily subscribe to the data privacy principles outlined in ECTA by recording such fact in any agreement with a data subject.
  • When subscribing to the voluntary data privacy principles the data controller is obliged to subscribe to all nine principles, contained in ECTA, and not just to parts thereof.
  • The rights and obligation of the parties, in the event of a breach of the said voluntary data privacy principles, are to be regulated by the agreement between the parties.
  • Once the POPI Act becomes fully enforceable these principles will only apply to the extent that they are more extensive than the conditions for lawful processing that are contained in the Act.

The voluntary data privacy principles aim to ensure that:

  • a data subject’s personal information is processed lawfully;
  • a data controller must have a lawful purpose(s) for the processing of personal information and the data processing must be necessary to fulfill such purpose;
  • the data subject has knowledge of the specific purpose(s) for which the personal information is being requested;
  • personal information is only used for the purpose(s) for which it was collected by the data controller, by requiring the data controller to obtain express written consent from the data subject to use such personal information for any other purpose than for what it was collected, unless permitted or required to do so by law;
  • a record of the personal information and the specific purpose(s) for which the personal information was collected is retained for as long as that the personal information is used and at least 12 months thereafter;
  • personal information that is held by a data controller is not disclosed to a third party, unless required or permitted by law or with the express written consent of the data subject;
  • in the event that personal information is disclosed to a third party, that a record of the third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed is retained for as long as that the personal information is used and at least 12 months thereafter;
  • the data controller destroys all personal information once the information has become obsolete; and
  • data processing may take place for statistical purposes on the premises that anonymity of the data subject is ensured, by requiring the data controller to ensure that data profiles or statistical data cannot be linked to any specific data subject by a third party.

National Credit Act Act, 2005 (Act No 34 of 2005) (NCA)

The NCA aims to promote a fair and non‐discriminatory marketplace for access to consumer credit by providing for the general regulation of consumer credit and improved standards of consumer information (which inter alia includes the regulation of credit information). The NCA has limited provisions relating to data privacy.

Section 1: Confidential Information means:

“personal information that belongs to a person and is not generally available to or known by others.”

Section 68: Right to confidential treatment

68. (1) Any person who, in terms of this Act, receives, compiles, retains or reports any confidential information pertaining to a consumer or prospective consumer must protect the confidentiality of that information, and in particular, must

(a) use that information only for a purpose permitted or required in terms of this Act, other national legislation or applicable provincial legislation; and
(b) report or release that information only to the consumer or prospective consumer, or to another person

(i) to the extent permitted or required by this Act, other national legislation or applicable provincial legislation; or
(ii) as directed by

(aa) the instructions of the consumer or prospective consumer; or
(bb) an order of a court or the Tribunal.

Regulations in terms of the Medical Schemes Act, 1998. GNR.1262 of 20 October 1999

Paragraph 15J. General provisions.

(2)

(b) any information pertaining to the diagnosis, treatment or health of any beneficiary of a medical scheme must be treated as confidential;
(c) subject to the provisions of any other legislation, a medical scheme is entitled to access any treatment record held by a managed health care organisation or health care provider and other information pertaining to the diagnosis, treatment and health status of the beneficiary in terms of a contract entered into pursuant to regulation 15A, but such information may not be disclosed to any other person without the express consent of the beneficiary;

Children’s Act, 2005 (Act No. 38 of 2005)

Section 13: Information on health care

(1) Every child has the right to –
(a)
(b)
(c)
(d) confidentiality regarding his or her health status and the health status of a parent, care-giver or family member, except when maintaining such
confidentiality is not in the best interests of the child.

Section 112. Confidentiality of National Child Protection Register

(1) All Parts of the Register must be kept confidential and information in the Register may be accessed and disclosed only as provided for in this Act.
(2) The Director-General must take adequate steps –
(a) to protect the information in the Register; and
(b) if the Register is kept in electronic format, to secure the Register from unauthorised intrusion.

Section 133. Confidentiality of information on HIV/AIDS status of children

(1) No person may disclose the fact that a child is HIV-positive without consent given in terms of subsection (2), except –

(a) within the scope of that person’s powers and duties in terms of this Act or any other law;

(b) when necessary for the purpose of carrying out the provisions of this Act;

(c) for the purpose of legal proceedings; or

(d) in terms of an order of a court.

(2) Consent to disclose the fact that a child is HIV-positive may be given by –

(a) the child, if the child is –

(i) 12 years of age or older; or

(ii) under the age of 12 years and is of sufficient maturity to understand the benefits, risks and social implications of such a disclosure;

(b) the parent or care-giver, if the child is under the age of 12 years and is not of sufficient maturity to understand the benefits, risks and social implications of such a disclosure;

(c) a designated child protection organisation arranging the placement of the child, if the child is under the age of 12 years and is not of sufficient maturity to understand the benefits, risks and social implications of such a disclosure;

(d) the superintendent or person in charge of a hospital, if –

(i) the child is under the age of 12 years and is not of sufficient maturity to understand the benefits, risks and social implications of such a disclosure; and

(ii) the child has no parent or care-giver and there is no designated child protection organisation arranging the placement of the child; or

(e) a children’s court, if –

(i) consent in terms of paragraph (a), (b), (c) or (d) is unreasonably withheld and disclosure is in the best interests of the child; or

(ii) the child or the parent or care-giver of the child is incapable of giving consent.

Section 134: Access to contraceptives

(3) A child who obtains condoms, contraceptives or contraceptive advice in terms of this Act is entitled to confidentiality in this respect, subject to section 110.

Choice on Termination of Pregnancy Act, 1996 (Act No. 92 of 1996)

Section 7: Notification and keeping of records

(3)    The person in charge of a facility referred to in section 3, shall, within one month of the termination of a pregnancy at such facility, collate the prescribed information and forward it by registered post confidentially to the Director-General: Provided that the name and address of a woman who has requested or obtained a termination of pregnancy, shall not be included in the prescribed information.

(5)       The identity of a woman who has requested or obtained a termination of pregnancy shall remain confidential at all times unless she herself chooses to disclose that information.

Regulations in terms of Health Professions Act, 1974 (Act No 56 of 1974),  Government Notice R688 in Government Gazette 18890 of 15 May 1998

Paragraph 13: Professional confidentiality

(1)    A practitioner shall divulge verbally or in writing information regarding a patient which he or she ought to divulge only –

(a)    in terms of a statutory provision;

(b)    at the instruction of a court of law; or

(c)    where justified in the public interest.

(2)    Any information other than the information referred to in subrule (1) shall be divulged by a practitioner only –

(a)    with the express consent of the patient;

(b)    in the case of a minor under the age of 12 years, with the written consent of his or her parent or guardian; or

[Para. (b) substituted by GN R68/2009]

(c)    in the case of a deceased patient, with the written consent of his or her next-of-kin or the executor of such deceased patient’s estate.

Consumer Protection Act, 2008 (Act No 68 of 2008)

Section 11: Right to restrict unwanted direct marketing

(1) The right of every person to privacy includes the right to –
(a) refuse to accept;
(b) require another person to discontinue; or
(c) in the case of an approach other than in person, to pre-emptively block, any approach or communication to that person, if the approach or communication is
primarily for the purpose of direct marketing.

Section 107: Breach of confidence

(1) It is an offence to disclose any personal or confidential information concerning the affairs of any person obtained –
(a) in carrying out any function in terms of this Act; or
(b) as a result of initiating a complaint or participating in any proceedings in terms of this Act.
(2) Subsection (1) does not apply to information disclosed –
(a) for the purpose of the proper administration or enforcement of this Act;
(b) for the purpose of the administration of justice; or
(c) at the request of an inspector, regulatory authority or Tribunal member entitled to receive the information.

Promotion of Access to Information Act, 2000 (Act No. 2 of 2000)

Section 63: Mandatory protection of privacy of third party who is natural person

(1) Subject to subsection (2), the head of a private body must refuse a request for access to a record of the body if its disclosure would involve the unreasonable disclosure of personal information about a third party, including a deceased individual.
(2) A record may not be refused in terms of subsection (1) insofar as it consists of information
(a) about an individual who has consented in terms of section 72 or otherwise in writing to its disclosure to the requester concerned;
(b) already publicly available;
(c) that was given to the private body by the individual to whom it relates and the individual was informed by or on behalf of the private body, before it is given, that the information belongs to a class of information that would or might be made available to the public;
(d) about an individual’s physical or mental health, or well-being, who is under the care of the requester and who is
(i) under the age of 18 years; or
(ii) incapable of understanding the nature of the request, and if giving access would be in the individual’s best interests;
(e) about an individual who is deceased and the requester is
(i) the individual’s next of kin; or
(ii) making the request with the written consent of the individual’s next of kin; or
(f) about an individual who is or was an official of a private body and which relates to the position or functions of the individual, including, but not limited to
(i) the fact that the individual is or was an official of that private body;
(ii) the title, work address, work phone number and other similar particulars of the individual;
(iii) the classification, salary scale or remuneration and responsibilities of the position held or services performed by the individual; and
(iv) the name of the individual on a record prepared by the individual in the course of employment.