Information Regulator Invites Public Comment on Draft POPIA Regulations Governing Health and Sex Life Data

The Information Regulator of South Africa has invited written submissions by 10 October 2025 on newly proposed regulations under the Protection of Personal Information Act 4 of 2013 (POPIA).

These draft regulations aim to enhance transparency and accountability in how organisations handle personal information relating to individuals’ health status and sex life, categories recognised as special personal information under the Act.

Purpose of the Proposed Amendments

The proposed framework seeks to strengthen the protection of sensitive medical and sexual health data by:

  • Clarifying how such information may lawfully be processed or shared, and
  • Empowering both the Information Regulator and data subjects to challenge any misuse or unauthorised disclosure of this type of information.

Once approved, these regulations will extend to a wide range of sectors and entities that routinely process health-related data, including:

  • Medical schemes and managed healthcare providers
  • Insurance companies and pension funds
  • Administrative and supporting institutions involved in benefits management, claims processing, and healthcare data administration.

Key Areas Covered by the Draft Regulations

The proposed rules introduce a number of important compliance measures, including:

  • Processing and handling requirements: Setting out lawful grounds and limits for collecting or using sensitive health information.
  • Legitimate interest assessments: Requiring organisations to justify the necessity and proportionality of processing such data.
  • Public interest exceptions: Defining conditions under which data may be accessed or disclosed for legitimate public purposes.
  • Security and safeguard obligations: Mandating appropriate technical and organisational measures to prevent data breaches or unauthorised access.
  • Cross-border data transfer rules: Tightening controls around the export of personal health information to other countries.

Next Steps and Participation

The Information Regulator has encouraged all affected stakeholders, including healthcare providers, insurers, pension administrators, and compliance officers, to review the draft regulations and submit written comments before the 10 October 2025 deadline.

This consultation process forms part of the Regulator’s broader commitment to ensuring ethical data governance, particularly in sectors that handle highly sensitive personal information.

Accessing the Draft Regulations

The draft regulations and the corresponding Government Gazette notice can be accessed online via the Information Regulator’s official website or the Government Printing Works portal.

For assistance with POPIA compliance, data protection policies, or privacy impact assessments, contact Mayet & Associates Attorneys. Our team advises clients across the insurance, healthcare, and financial sectors on lawful data processing, regulatory engagement, and cross-border data governance.