Knowledge Empowers

Although the Covid-19 pandemic has rightly been the dominant focus for healthcare practitioners, the government has not postponed the coming into effect of the Protection of Personal Information Act 4 of 2013 (POPIA).

Implementing the POPIA requirements is something that every healthcare practice must pursue. Since confidentiality is only one of the requirements of the POPIA, practitioners must understand everything that needs to be in place to be POPIA compliant. A lack of knowledge leads to dangerous non-compliance, to fear, or to being bullied into acquiring unnecessary products or services.

One-time POPIA Certification? 

It is tempting to think that a business can pay a consulting company to implement the provisions of the POPIA, obtain a certificate of compliance, and never think of the act again. However, compliance is not a one-time box-ticking exercise. Instead, a new culture must be established and maintained in the practice.

The new culture in a practice calls for ongoing mindfulness of data protection. For example, if a receptionist leaves their workstation without locking the screen, personal information can be compromised. Likewise, a printer installed where the public can access printed documents such as scripts is a security compromise. Any certificate of compliance immediately loses its value when such compromising actions occur.

Becoming Familiar with the POPIA

The act requires that both practitioners and their personnel familiarise themselves with the act’s requirements on data protection. Therefore, the practice should keep records of data protection training. If you have not yet familiarised yourself with your responsibilities, you can complete a 90-minute online CPD-accredited course on the provisions of the POPIA.

Once you understand the requirements of the act, you can start with a systematic process of implementation. The practice can implement and maintain most of the requirements without any assistance from third parties.

This compliance framework diagram divides the requirements into four stages of implementation:

  1. The establish compliance stage – what to put in place and how to foster a culture of compliance;
  2. The collection stage;
  3. The compliance continuity stage – since the POPIA is not a one-time box-ticking exercise; and
  4. The post-use stage – what to do with old information.

Each stage contains specific categories that group related requirements together. Click here to download the rest of the action maps as a FREE booklet that walks through the requirements listed under each category step by step.


Before you spend money on your data protection responsibilities, first understand what needs to be accomplished. Then you will know if and how you can spend your money well and feel confident about the measures you put in place. 


  • RP – Responsible Party
  • IO – Information Officer
  • DIO – Deputy Information Officer
  • PI – Personal Information
  • DS – Data Subject (most often the patient)
  • IR – Information Regulator