POPIA Compliance

How EzeHealth complies with the Protection of Personal Information Act

1. Our Commitment to POPIA

The Protection of Personal Information Act, 2013 (POPIA) is South Africa's primary data protection legislation, designed to promote the protection of personal information processed by public and private bodies. As a healthcare technology provider handling sensitive personal and health-related data, EzeHealth is fully committed to complying with all provisions of POPIA.

This page outlines how EzeHealth processes personal information, the measures we take to protect that information, and how we uphold the rights of data subjects as required by the Act.

EzeHealth acts as both a responsible party (for personal information we collect directly, such as website enquiries and account registration data) and as an operator (for personal information that our clients, as responsible parties, process through our platform, such as patient records and care data).

2. Data Processing Principles

POPIA establishes eight conditions for the lawful processing of personal information. EzeHealth adheres to all of these conditions:

2.1 Accountability

We take full responsibility for ensuring compliance with POPIA. We have appointed a designated Information Officer, implemented appropriate policies and procedures, and regularly review our data processing activities to ensure ongoing compliance.

2.2 Processing Limitation

Personal information is processed only for specific, explicitly defined, and lawful purposes. We collect only the information that is necessary for the provision of our services and do not process personal information in ways that are incompatible with those purposes.

2.3 Purpose Specification

We clearly define the purpose for which personal information is collected at the point of collection. Information is not retained longer than necessary for the specified purpose, unless retention is required by law or agreed upon by the data subject.

2.4 Further Processing Limitation

Any further processing of personal information is compatible with the original purpose of collection. We do not use personal information for purposes other than those for which it was originally collected without obtaining additional consent.

2.5 Information Quality

We take reasonable steps to ensure that personal information is complete, accurate, not misleading, and updated where necessary. Our platform provides tools for clients to maintain and update their data records.

2.6 Openness

We are transparent about our data processing practices. Our Privacy Policy is publicly available and clearly explains what information we collect, how we use it, and how data subjects can exercise their rights.

2.7 Security Safeguards

We implement appropriate technical and organisational measures to protect personal information against loss, damage, unauthorised access, or unlawful processing. Details of our security measures are outlined in Section 5 below.

2.8 Data Subject Participation

Data subjects have the right to access their personal information, request corrections, and request deletion under certain circumstances. We provide clear mechanisms for data subjects to exercise these rights.

3. Lawful Processing Conditions

EzeHealth processes personal information only when one or more of the following lawful conditions are met:

  • Consent: The data subject has given explicit, informed, and voluntary consent to the processing of their personal information for a specific purpose.
  • Contract: Processing is necessary for the conclusion or performance of a contract to which the data subject is a party, such as a subscription agreement.
  • Legal Obligation: Processing is necessary for compliance with a legal obligation, such as tax or regulatory reporting requirements.
  • Legitimate Interest: Processing is necessary for the pursuit of legitimate interests of the responsible party or a third party, provided that the interests of the data subject do not override those interests.
  • Protection of Vital Interest: Processing is necessary to protect the life or health of a data subject, particularly relevant in a healthcare context.

4. Special Personal Information

Given the nature of our platform, EzeHealth may process special personal information as defined under Section 26 of POPIA, including health-related data. We process this information in strict compliance with the following:

  • Health-related personal information is processed only with the explicit consent of the data subject or their authorised representative, or where processing is necessary for the provision of healthcare services.
  • Additional security measures are applied to special personal information, including enhanced access controls and encryption.
  • Access to health data within the platform is restricted to authorised healthcare professionals on a need-to-know basis.
  • We do not use health data for purposes unrelated to the provision of healthcare services.

5. Security Measures

EzeHealth implements comprehensive technical and organisational security measures to protect personal information, as required by Section 19 of POPIA:

Technical Measures

  • Encryption: All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption.
  • Access Controls: Role-based access controls (RBAC) ensure that users can only access data relevant to their role and responsibilities.
  • Authentication: Multi-factor authentication (MFA) is available for all accounts. Strong password policies are enforced.
  • Network Security: Firewalls, intrusion detection systems, and regular vulnerability scanning protect our infrastructure.
  • Audit Logging: All access to personal information is logged and monitored for suspicious activity.
  • Secure Hosting: Our servers are hosted in secure, Tier III+ data centres within South Africa, with redundant systems and environmental controls.

Organisational Measures

  • Staff Training: All employees undergo regular training on data protection, POPIA compliance, and information security best practices.
  • Confidentiality Agreements: All staff and contractors with access to personal information are required to sign confidentiality agreements.
  • Data Protection Policies: We maintain comprehensive internal policies covering data handling, incident response, and breach notification.
  • Regular Audits: We conduct periodic internal audits and engage independent third parties for security assessments.
  • Vendor Management: Third-party service providers are vetted for POPIA compliance and are bound by data processing agreements.

6. Data Subject Rights

Under POPIA, data subjects have the following rights, which EzeHealth fully respects and facilitates:

  • Access: Request confirmation of whether personal information is held and access a record of that information.
  • Correction: Request correction or deletion of personal information that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or unlawfully obtained.
  • Deletion: Request deletion or destruction of personal information that is no longer needed for the purpose for which it was collected.
  • Objection: Object to the processing of personal information for direct marketing purposes or on reasonable grounds relating to a particular situation.
  • Complaint: Submit a complaint to the Information Regulator regarding an alleged infringement of any provision of POPIA.

To exercise any of these rights, please contact our Information Officer using the details provided below. We will respond to all requests within a reasonable time, and no later than 30 days from receipt of the request, as required by POPIA.

7. Information Officer

In accordance with Section 55 of POPIA, EzeHealth has appointed an Information Officer who is responsible for ensuring compliance with the Act and for addressing any queries or complaints related to the processing of personal information.

Information Officer

EzeHealth (Pty) Ltd

Email: privacy@ezehealth.co.za

Phone: 044 333 0646

Address: George, Western Cape, South Africa

Our Information Officer is registered with the Information Regulator as required by Section 55(2) of POPIA.

8. Data Breach Notification

In the event of a security compromise that results in the unauthorised access to or acquisition of personal information, EzeHealth will take the following steps in accordance with Section 22 of POPIA:

  1. Immediate Response: Contain the breach, assess its scope and severity, and take steps to prevent further compromise.
  2. Notification to the Information Regulator: Notify the Information Regulator as soon as reasonably possible after discovery of the breach, providing all relevant details including the nature of the breach, the categories of data subjects affected, and the measures taken to address the breach.
  3. Notification to Affected Data Subjects: Notify affected data subjects as soon as reasonably possible, either directly or through public announcement if direct notification is not feasible. The notification will include a description of the breach, the types of personal information involved, recommended protective measures, and our contact details for further enquiries.
  4. Client Notification: For breaches affecting data processed on behalf of our clients, we will promptly notify the affected clients so they can fulfil their own POPIA obligations.
  5. Post-Breach Review: Conduct a thorough review of the incident, implement corrective measures, and update security protocols as needed to prevent recurrence.

9. Cross-Border Data Transfers

EzeHealth primarily hosts and processes data within South Africa. In the event that personal information needs to be transferred to a jurisdiction outside South Africa, we will ensure that:

  • The recipient country has adequate data protection legislation, as determined by the Information Regulator.
  • The data subject has consented to the transfer after being informed of the risks.
  • The transfer is necessary for the performance of a contract between the data subject and the responsible party.
  • Appropriate contractual safeguards are in place to protect the personal information.

10. PAIA Manual

In compliance with the Promotion of Access to Information Act (PAIA), EzeHealth maintains a PAIA Manual that describes the categories of records held and the process for requesting access to information. A copy of this manual is available upon request by contacting our Information Officer.

11. Updates to This Page

We may update this POPIA compliance page from time to time to reflect changes in our practices or in the regulatory landscape. The latest version will always be available on our website. We encourage you to review this page periodically.

12. Information Regulator

If you have concerns about how your personal information is being processed, or if you wish to lodge a complaint, you may contact the Information Regulator of South Africa:

The Information Regulator (South Africa)

JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001

P.O. Box 31533, Braamfontein, Johannesburg, 2017

Complaints Email: complaints.IR@justice.gov.za

General Enquiries: enquiries@inforegulator.org.za

Website: https://inforegulator.org.za