
29 May 2025
Medical Practice Compliance Newsflash – Part 1 – POPIA Compliance, PAIA Annual Reports & Requirements for the Information Regulator
Dear Dr
We provide this update to highlight the importance of staying compliant under POPIA legislation and the requirement to submit an annual practice PAIA report.
Participating providers need to refer to the annual fee reminder newsflash from January 2025 and various aspects covered under our Learning Portfolio yearly programme on the non-clinical aspects and capacity building at a practice level.
This update, part 1 of 2, relates to POPIA and PAIA compliance and sets out the office support and assistance available to participating providers in this regard.
- POPIA Compliance, PAIA Annual Reports & Requirements for the Information Regulator
- Masterclass: POPIA Compliance:
Most participating medical practices completed the POPIA Compliance Framework in 2021, a paid Learning Portfolio masterclass comprising six lectures in partnership with Assent Compliance and Adv. Marais. The masterclass covered:
- Application of POPIA to medical practices and other businesses.
- The eight conditions for lawful processing of personal information.
- Data subjects’ rights.
- The role and responsibilities of the Information Officer in your practice.
- Amending contracts with operators and third parties for POPIA compliance.
- Steps toward POPIA compliance and managing data breaches.
- POPIA Compliance Framework:
Participating practices received a compliance pack containing approximately 67 forms, including:
- Patient consent clause for processing Personal Information (PI).
- Staff confidentiality undertaking.
- Forms to update operator agreements for POPIA compliance.
- Template for the designation of the Information Officer (not an appointment letter, as POPIA automatically designates the head of the practice as the Information Officer).
A POPIA Compliance Framework is mandatory under Regulation 4(1)(a) of the POPIA Regulations. Furthermore, Section 109(3) of POPIA requires the Information Regulator to consider factors such as failure to conduct a risk assessment or maintain robust policies, procedures, and practices for protecting personal information before imposing fines.
- Submitting PAIA Report – 2025
Practices may have received mandatory notices from the Information Regulator to submit their Section 83(4) Annual Reports for 2024/2025, as required by the Promotion of Access to Information Act, 2000 (PAIA). The submission window closes on 30 June 2025. The Information Regulator’s e-Services portal is available at https://inforegulator.org.za/eservices/.
As we did last year, our office shall offer assistance with the submission process as follows:
- Provide the required details on the EMC portal at www.emconline.co.za: log in with your existing login and password, then scroll to the Submitting PAIA Report link in the PAIA section.
- For any queries, please email the Network Manager (geraldine@emconline.co.za) or the IT Manager (abdul-aziz@emconline.co.za).
- Our office will verify the information with Assent Compliance.
- We will handle registration and submission on the portal and provide the practice with the reports and confirmation.
The cost for this assistance is R380 per practice (previously R350). Practices that used our registration services last year will be charged a reduced rate of R150. All prices exclude VAT. These costs need to be paid upfront.
- Updated Learning Portfolio CME on POPIA and PAIA requirements
EMC will soon host an updated Learning Portfolio on POPIA and PAIA requirements.
To ensure compliance, practices must maintain updated documentation, accessible to the Information Regulator, including:
- A comprehensive Section 18 POPIA Privacy Notice.
- Access and Confidentiality Agreement with Employees.
- Patient registration processes.
- A patient consent form for processing health information.
- Section 51 PAIA Manual with the forms.
- Request for Access to Information Register.
- Personal Information Security Policies.
- Operator agreements with third parties (that is, third parties processing personal information on behalf of the practice).
- A data breach notification form.
- A data breach response plan for patient personal information.
- PAIA Manual:
Additionally, practices must have a PAIA Manual prepared in accordance with Section 51 of PAIA and aligned with POPIA requirements available at their practice, as well as a link to the Manual on their website. We will provide this manual and access to the relevant forms from the Information Regulator.
For further assistance or to initiate the submission process, please contact geraldine@emconline.co.za or reply to this email.
Kind regards
EMC Practice Management