The Information Regulator of South Africa didn’t issue a press release with fanfare. It simply published the final regulations on the processing of health information last week, quietly closing a consultation period that began with a draft in September 2025. The document, formally titled “Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties,” has been awaited by every insurer, medical scheme, employer, and administrator in the country.
What emerged is not the sweeping new compliance machine many feared. Instead, the Regulator listened — and scaled back. References to sex-life information are gone. Demands for separate legitimate interest assessments, mandatory written agreements with every data subject, and detailed cross-border notification scripts have vanished. The final rules largely restate what POPIA already requires, with a handful of helpful clarifications.
That’s not to say they’re irrelevant. For organisations that handle South African health data — from life insurers running medical underwriting to employers managing occupational health programmes — these regulations draw a sharper line around exactly who must comply and how. And in a country where POPIA enforcement is finally gaining teeth in 2026, that line matters.
POPIA’s Long Road to Health-Data Clarity
Let’s rewind. South Africa’s Protection of Personal Information Act (POPIA) has been fully enforceable since 1 July 2021. Section 26 classifies information about a person’s health as “special personal information,” and its processing is prohibited unless one of the exceptions in sections 27–33 applies. One of those exceptions, section 32, specifically authorises certain responsible parties (among them insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, and employers or institutions acting in their interest) to process health data for defined purposes such as assessing insurance risk, performing a medical-scheme agreement, or implementing laws and collective agreements that create health-dependent rights for workers.
Section 32(6) also gives the Regulator the power to make regulations on how processing under section 32(1)(b) and (f) may be carried out (the insurance and medical-scheme limb, and the administrative-body, pension-fund and employer limb respectively). That is exactly what these new regulations are: the promised detail. But the draft version, released in September 2025, went further. It introduced procedural hoops that many lawyers argued were not contemplated by the Act itself.
What the Draft Promised — and What Disappeared
The draft regulations contained several provisions that sent compliance teams scrambling for new templates and processes:
- A dual-authorisation requirement: both a section 32 justification and a separate lawful basis under section 11(1).
- Mandatory legitimate interest assessments (LIAs) whenever legitimate interest was relied upon.
- A blanket rule that processing could only occur under a written agreement with the data subject.
- Detailed cross-border transfer notifications and prescribed safeguards (ISO standards, HPCSA guidelines, governance structures).
- Rules on record retention, destruction, de-identification, and public-interest authorisations.
None of these survived in the final version in that form. The Regulator explicitly dropped the sex-life references, narrowed the scope to health information only, and removed the LIA obligation. The written-agreement clause was replaced with a direct citation to section 32(2), acknowledging that the required obligation of confidentiality can arise from office, employment, profession or statute, not only from a fresh piece of paper signed by the data subject.
Cross-border notification language is gone too. While section 57(1)(d) of POPIA still requires prior authorisation from the Regulator for certain transfers of special personal information, the new regulations do not layer extra obligations on top.
“It is apparent from the final text of the Regulations that the Regulator duly considered the submissions received during the public comment period.” — Nadine Mather and Chloë Loubser, Bowmans, 16 March 2026
Who Is Actually Caught by These Rules?
The regulations apply only to a defined list of responsible parties and their operators:
- Insurance companies
- Medical schemes and their administrators
- Managed healthcare organisations
- Administrative bodies
- Pension funds
- Employers (now defined broadly: any person, company or organisation that pays others to work under a contractual relationship — a welcome expansion from the draft’s narrower Occupational Health and Safety Act linkage)
If your organisation falls outside this list — a general retailer running a wellness app, a tech start-up building a fitness tracker, or a hospital processing patient data under the National Health Act — these specific regulations do not apply. You still operate under the general POPIA special-personal-information rules, of course, but you avoid the new sector-specific overlay.
What You Actually Have to Do Now
Here is the unvarnished checklist for every affected organisation in 2026:
- Confirm you are in scope. Update your data-mapping exercise to tag every flow of health information that touches insurance, medical schemes, pension funds, or employment health obligations.
- Review confidentiality obligations. Ensure every operator agreement (POPIA’s term for a processor contract) and internal policy explicitly references the duty of confidentiality under section 32(2). No new written agreement with every individual is required, but you must be able to show which of the section 32(2) sources of confidentiality applies to each person who handles the data.
- Revisit purpose limitation. Health data may only be processed for the specific purposes listed in section 32 and the regulations. Any secondary use (marketing, AI training, research) still needs fresh justification or consent.
- Update cross-border transfer assessments. While the regulations dropped the notification script, you must still satisfy section 72 (adequate protection or binding agreements) or obtain Regulator approval under section 57 where special personal information leaves the Republic.
- Refresh DPIA-style risk assessments. Although POPIA does not use the GDPR term “DPIA,” regulation 4 of the 2018 POPIA Regulations requires the information officer to ensure a personal information impact assessment is done, and the Act’s accountability condition requires organisations to document that processing is necessary, proportionate, and secure. The new regulations reinforce this for health data.
- Train the frontline. Claims assessors, occupational-health nurses, and HR teams need clear guidance that health information cannot be shared internally unless strictly necessary for the permitted purpose.
POPIA Regulatory Help
This is the second major POPIA regulatory update in six months. The first — the long-awaited “Guidelines on the Processing of Personal Information for Direct Marketing” — arrived in late 2025. Together they signal that the Information Regulator is moving from awareness-raising to operational enforcement.
For multinational groups, the South African position is now clearer than ever when compared with GDPR Article 9 or the UK’s DPA 2018 Schedule 1 conditions for health data. South Africa has chosen a sector-specific, purpose-limited approach rather than a consent-heavy model. That makes compliance easier for local insurers but trickier for global platforms trying to apply a one-size-fits-all template.
Penalties remain unchanged and severe: administrative fines of up to R10 million, criminal offences under the Act carrying fines or imprisonment, and potential civil claims from data subjects. With the Regulator having issued its first significant enforcement notices in 2025, the message is clear: documentation and demonstrable accountability are now table stakes.
AI and Future-Proofing
One unspoken tension: many insurers and medical schemes are already feeding de-identified health data into generative-AI underwriting models. The regulations do not address de-identification standards or AI-specific risks directly. One caveat is worth remembering in the meantime: POPIA only excludes de-identified information from its scope to the extent that it cannot be re-identified, so a dataset that is merely pseudonymised, or that can be linked back to individuals when combined with other records, is still special personal information subject to section 32. Expect the Regulator to issue further guidance in 2027. Organisations that proactively document their de-identification techniques today, including the re-identification risk they assessed, will be ahead of the curve.
Captain Compliance Was Built for Exactly This Kind of Regulatory Whiplash
When the draft regulations landed in September 2025, our clients immediately asked: “Do we need new templates? New assessments? New consent language?” The final version rendered most of those questions obsolete overnight. That is why we built automated regulatory-change tracking that maps new publications like these straight into your existing DPIAs, processor agreements, and risk registers.