Protection of Personal Information Act, 2013 (Act No. 4 of 2013)Chapter 3 : Conditions for Lawful Processing of Personal InformationPart B : Processing of special personal information32. Authorisation concerning data subject's health or sex life |
(1) | The prohibition on processing personal information concerning a data subject’s health or sex life, as referred to in section 26, does not apply to the processing by— |
(a) | medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned; |
(b) | insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for— |
(i) | assessing the risk to be insured by the insurance company or covered by the medical scheme and the data subject has not objected to the processing; |
(ii) | the performance of an insurance or medical scheme agreement; or |
(iii) | the enforcement of any contractual rights and obligations; |
(c) | schools, if such processing is necessary to provide special support for pupils or making special arrangements in connection with their health or sex life; |
(d) | any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties; |
(e) | any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or |
(f) | administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for— |
(i) | the implementation of the provisions of laws, pension regulations or collective agreements which create rights dependent on the health or sex life of the data subject; or |
(ii) | the reintegration of or support for workers or persons entitled to benefit in connection with sickness or work incapacity. |
(2) | In the cases referred to under subsection (1), the information may only be processed by responsible parties subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between the responsible party and the data subject. |
(3) | A responsible party that is permitted to process information concerning a data subject’s health or sex life in terms of this section and is not subject to an obligation of confidentiality by virtue of office, profession or legal provision, must treat the information as confidential, unless the responsible party is required by law or in connection with their duties to communicate the information to other parties who are authorised to process such information in accordance with subsection (1). |
(4) | The prohibition on processing any of the categories of personal information referred to in section 26, does not apply if it is necessary to supplement the processing of personal information concerning a data subject’s health, as referred to under subsection (1)(a), with a view to the proper treatment or care of the data subject. |
(5) | Personal information concerning inherited characteristics may not be processed in respect of a data subject from whom the information concerned has been obtained, unless— |
(a) | a serious medical interest prevails; or |
(b) | the processing is necessary for historical, statistical or research activity. |
(6) | More detailed rules may be prescribed concerning the application of subsection (1)(b) and (f). |