Protection of Personal Information Act, 2013 (Act No. 4 of 2013)

Regulations

Regulations relating to the Processing of Data Subjects' Health Information by Certain Responsible Parties, 2026

Chapter 3 : Processing of Special Personal Information by Certain Responsible Parties

5. Appropriate safeguards


5.1. The responsible party that processes health information shall be responsible for maintaining the confidentiality, integrity and availability of such information in its possession or under its control by taking appropriate, reasonable technical and organisational measures in accordance with section 19(1) of the Act to prevent:
5.1.1. Loss of, damage to or unauthorised destruction of health information; and
5.1.2. Unlawful access to or processing of health information.

 

5.2. The safeguards to be maintained under sub-regulation 5.1. must include appropriate measures for—
5.2.1. the security and confidentiality of records, which measures must address the risks associated with physical or electronic health records; and
5.2.2. the proper disposal of health records to prevent any reasonably anticipated unauthorised use or disclosure of the health information or unauthorised access to the health information following its disposal.

 

5.3. Processing of health information must be undertaken subject to a duty of confidentiality imposed by law, office, employment, profession, or written agreement, as contemplated in section 32(2) of the Act.

 

5.4. The responsible party must implement and maintain appropriate and reasonable technical and organisational measures to ensure the integrity and confidentiality of health information, in line with generally accepted information security practices applicable to its sector or industry, as contemplated in section 19 of the Act.