Healthcare practices store a substantial amount of personal information of patients and medical debtors, who are defined as data subjects in terms of the Protection of Personal Information Act 4 of 2013 (the Act). The Act gives data subjects the right to request that personal information be deleted or destroyed by completing Form 2 of the regulations of the Act. However, when a patient or medical debtor requests the deletion or destruction of their personal information, the question begs if the practice should just immediately comply and if not, what the reasons and remedies are.

Though the Act gives data subjects the right to request the deletion or destruction of personal information, the practice also has rights to protect and legal responsibilities imposed on them by the HPCSA and legislation. 

When these rights and responsibilities come into direct conflict with the right of the data subject, the POPIA purposes to balance these conflicting rights and protect relevant important interests of both parties. 

It is good to know that the flow and retention of information is a necessary right and is protected by the Act, so that normal day to day life and business activities can continue without the threat of penalty.

There are a number of factors that should be considered before any personal information should be deleted or destroyed.

Table of Contents 

The Reasons for a Request for Deletion or Destruction 

The Act allows patients and medical debtors to request the deletion or destruction of personal information for the following reasons:

  1. Inaccurate, incomplete or misleading information.
  2. Irrelevant or excessive information.
  3. Out of date information.
  4. Unlawfully obtained information.
  5. Information that no longer serves the purpose for which it was collected.

These reasons have practical implications for the healthcare practice and should guide the practice on how to ensure that the information can be legally retained.

Practical Implications for the Practice 

Inaccurate, incomplete or misleading information should be eliminated and receptionists should, therefore, make sure all information on forms are fully completed by patients and checked where possible, e.g. reconciling ID numbers with ID documents and doing validation checks with medical aids.

Irrelevant or excessive information should never be collected. The practice should only collect information that is relevant and necessary for the purposes of providing healthcare services, adhering to the ethical rules of the HPCSA and protecting the rights of the practice, e.g. debt collection.

Out of date information is a real problem for the healthcare practice. The practice should make provision for regular updates of information. This can be done in writing at the reception, or by using a software application that can request updates of the personal information from patients by sending update links.

Unlawfully obtained information is information that has e.g. not been received directly from patients or guardians of minors and should be carefully scrutinised. When assisting emergency patients, the practice should document when information was received by another person who brought the patient to the practice. The Act excuses the practice if the information could not reasonably have been obtained from the patient or medical debtor, but making notes of this will allow the practice to prove that such circumstances were present.

When information no longer serves the purpose for which it was collected, it should be destroyed. However, in the normal course of business of the practice, there is little information that falls into this category. Care should, therefore, be taken not to delete anything that has negative future implications for the practice or the patient.

The following are a few examples that the practice should take into account:

  1. Financial records cannot simply be deleted, otherwise brought forward balances and reporting will be distorted.
  2. Clinical information should be kept for different time periods based on the ethical rules of the HPCSA and legislation.
  3. Information that is necessary for the practice to defend itself against negligence and other legal claims must also be retained.

The Right to Deny the Request

It is clear from the above that the normal day to day collection of information for the purposes of healthcare do not under normal circumstances satisfy the reasons for the destruction of personal information. 

The practice can thus deny the request to delete or destroy the information. In such cases, inform the patient or medical debtor of the reasons for the denial and keep a record thereof for later proof should they turn to the Information Regulator for further action.

More Information

For information about the CPD accredited course on the Protection of Personal Information Act, click here