POPIA: New Regulations on Processing Health Information Gazetted

Posted 06 March 2026 Written by Acts Online
Category POPIA

Brought to you by SA Legal Academy: The Information Regulator has gazetted new regulations under the Protection of Personal Information Act to clarify the processing of health-related data.

In terms of section 32(6) of the Protection of Personal Information Act, No. 4 of 2013 (POPIA), the Information Regulator has issued regulations intended to assist responsible parties in the interpretation and application of the Act’s provisions regarding special personal information. These regulations, which follow a draft period initiated in September 2025, are effective immediately upon publication.

The regulations provide specific rules for the application of sub-sections 32(1)(b) and 32(1)(f) of the Act. These sub-sections relate to exemptions for the processing of personal information concerning a data subject’s health or sex life by specific entities, including:

  • Insurance companies, medical schemes, and medical scheme administrators where such processing is necessary for the assessment of risk or the performance of an insurance or medical scheme contract; and
  • Schools and institutions of higher education, where processing is necessary for providing special support to pupils or students or making special arrangements in connection with examinations or assessments.

The Information Regulator’s intervention under section 32(6) is designed to ensure that these ‘more detailed rules’ prevent the misuse of sensitive health data while allowing for legitimate administrative and contractual functions within the insurance and education sectors.

What this means for you, your business, or your clients

  • For yourself: You must update your professional knowledge base to include the specific interpretive requirements for section 32(6) when advising on health data privacy.
  • For your business: If your firm processes health-related data for employees or as part of service delivery, you must audit your processing registers to ensure they align with the newly gazetted rules.
  • For your clients: Clients in the insurance, healthcare administration, and education sectors must immediately review their data processing policies to ensure their reliance on section 32 exemptions meets the Regulator’s clarified standards.

Originally published at https://legalacademy.co.za/news/read/popia-data-subject-health-information-regulations-gazetted-in-force

The views expressed herein are those of the author and do not necessarily reflect those of Acts Online. Acts Online accepts no responsibility for the accuracy, completeness or fairness of the article, nor does the information contained herein constitute advice, legal or otherwise.