As the big hype about the Protection of Personal Information Act dissipates like mist before the sun, it is pertinent to revisit one of the ongoing compliance requirements of this legislation.

The accountability requirement of the POPIA creates the need for healthcare practices that process personal and special personal (healthcare) information to ensure that all employees are:

  1. fully aware of the policies and procedures that are relevant to their roles in relation to the processing of that information;
  2. provided with induction and refresher training; and
  3. assessed so that the healthcare practice can report on the awareness of employees.


There are a couple of ways to meet this requirement:


1. Policies & Procedures

The practice should draft policies and procedures and highlight their importance for compliance with protecting personal information by:

  1. communicating the policies and procedures to employees; and
  2. making the policies and procedures readily available, e.g. on an intranet or in paper format in the practice (e.g. guidelines, posters or publications that help to emphasise essential messages and raise employee awareness of policies and procedures).


2. Data Protection Awareness Training

The practice can enrol all employees for an online data protection awareness training programme tailor-made for healthcare practices to teach personnel the national and HPCSA-specific requirements. This training will enable employees to understand the critical areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management. The practice should regularly review that all training is completed and certificates are available as proof of compliance.

Training programmes should include induction and refresher training for all employees on data protection and information governance. The practice must keep records to demonstrate that employees understand the training and keep records of the assessments at the end of the training sessions to test employees’ understanding and ensure that it was effective, which could include a minimum pass mark. 

Copies of all training records should be kept with details of who received the training and employees should be monitored to confirm that all training programs were completed in line with the practice’s requirements. Employees who do not complete the training should be reminded to complete all programs so that the practice will stay POPIA compliant.


Specialised Data Protection Awareness Training

The practice can subscribe their specialised roles or functions with key data protection responsibilities, such as practice managers and dedicated IT personnel, for additional training and professional development beyond the basic level provided to all employees. These roles in the practice carry greater responsibility and should be well-equipped to support the practice with data protection.


Regularly Raise Awareness

The practice should regularly raise awareness of data protection, information governance and associated policies and procedures in meetings and other employee forums. Make it easy for employees to access relevant material. Keep the evidence that your practice regularly uses a variety of appropriate methods to raise employee awareness and the profile of data protection and information governance, for example, by emails, briefings and meetings, posters and handouts and make it easy for employees to access relevant material and find out who to contact if they have any queries relating to data protection and information governance.


In summary

To be POPIA compliant is an ongoing training and awareness project. There is no such thing as once compliant, always compliance. Old and dusty check boxes on a long compliance list will not help the practice in case of data loss or data breach.

GoodX Courses provides courses on the POPIA and Data Protection Awareness Training. For more information, visit courses@goodx.co.za.