New POPIA Regulations on Health Information

South Africa’s Information Regulator has issued the final Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties under the Protection of Personal Information Act, 2013 (POPIA). The Regulations follow the earlier draft version that was released for public comment in September 2025.

A review of the final instrument indicates that the Regulator carefully considered the feedback received during the consultation process. Several provisions that generated concern in the draft text have not been carried forward into the final Regulations, resulting in a framework that more closely reflects the structure of POPIA itself.

Narrower scope and clearer legal basis

One notable revision concerns the scope of the Regulations. References to information relating to an individual’s sex life, which appeared in the draft version, have been removed. The final Regulations therefore focus exclusively on the processing of health-related personal information.

The objective of the Regulations has also been clarified. The final text expressly refers to section 32(6) of POPIA, which allows the Regulator to prescribe more detailed rules relating to the application of sections 36(1)(b) and 36(1)(f). The Regulations serve as those supplementary rules.

Sections 36(1)(b) and (f) permit certain entities to process personal information relating to a data subject’s health or sex life for defined purposes. The categories of entities authorised to process such information include insurance companies, medical schemes, scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers and institutions acting on their behalf. The Regulations contain definitions for each of these categories and apply only to responsible parties and operators that fall within those defined groups.

Another important adjustment relates to the concept of an employer. In the draft Regulations, the definition was tied to the Occupational Health and Safety Act and appeared to be limited to employers operating within certain administrative structures. The final Regulations adopt a broader and more practical description. An employer is now understood to be any individual, company or organisation that engages people to perform work under its direction in exchange for remuneration, thereby creating an employment relationship.

Provisions removed from the draft Regulations

A number of requirements that appeared in the earlier draft were ultimately omitted from the final Regulations.

Dual authorisation and Legitimate Interest Assessments

The draft Regulations appeared to suggest that organisations would need both a lawful basis under section 11 of POPIA and a separate authorisation under section 32 in order to process health or sex life information. They also proposed that responsible parties relying on the lawful basis of legitimate interests would need to conduct a Legitimate Interest Assessment (LIA) before processing the information. These proposals raised concerns because they seemed inconsistent with POPIA’s existing structure governing the processing of special personal information. The final Regulations no longer include these requirements.

Requirement for a written agreement with the data subject

The draft version also suggested that health or sex life information could only be processed if a written agreement existed between the responsible party and the data subject. This interpretation was criticised as being inconsistent with section 32(2) of POPIA, which provides that such information may be processed where there is an obligation of confidentiality arising from law, profession, employment or contractual agreement. The final Regulations now simply refer back to section 32(2), recognising that a written agreement is only one possible basis for establishing the required confidentiality obligation.

Cross-border transfer notification

Another controversial feature of the draft Regulations involved detailed requirements for notifying data subjects when their health information was transferred outside South Africa. These provisions appeared to impose obligations beyond those already contained in POPIA. The final Regulations do not retain these notification rules.

However, the Regulations also do not address the separate requirement under section 57(1)(d) of POPIA, which in some circumstances requires prior authorisation from the Information Regulator before certain types of special personal information are transferred across borders.

Governance, safeguards and record management

Additional provisions in the draft Regulations dealing with governance frameworks, compliance with ISO standards, recommended safeguards from the Health Professions Council of South Africa, as well as rules relating to retention, destruction and de-identification of health information, have also been removed from the final version.

Practical effect of the final Regulations

In their final form, the Regulations largely reaffirm the framework already established under POPIA rather than introducing extensive new compliance obligations. They clarify how certain organisations may process health-related personal information while remaining consistent with the statutory scheme set out in the Act.

Entities that fall within the scope of the Regulations, including insurers, medical schemes, pension funds, administrators, employers and related institutions, should nonetheless review the new instrument carefully. Even though the final Regulations are less prescriptive than the draft version, organisations must still ensure that their handling of health information complies fully with the broader requirements of POPIA.