Health Authorities want to illegally access private information

23 January 2017

The DA have a letter from the Health Minister, Aaron Motsoaledi, to the Council for Medical Schemes (CMS) in July last year in which he requested the CMS to collect private data about medical scheme members in order maintain a ‘Beneficiary Registry’ of members.

His outrageous request – to collect very private, sensitive information, to which the government has no right - is not only unconstitutional, but also in flagrant violation of the Protection of Personal Information Act (POPI), Act No.4 of 2013. Additionally, it poses a real security risk to individual citizens.

The Minister’s request claimed to be for purposes of “monitoring the impact of current policies and identifying medical scheme members who access services in the public sector”.

In his letter, the Minister said the Department of Health requests ‘all medical schemes, administrators and regulated private health care funding entities to furnish the CMS with regular updated electronic records pertaining to basic personal, demographic (including domicile) details of all members and their beneficiaries, as stored on their respective member management systems.’

The CMS, then under registrar Daniel Lehutjo, no doubt wishing to please the Minister with enthusiasm, turned the request into a directive, a copy of which we have in our possession. Many medical scheme principals rightly refused to divulge the requested information.

A legal opinion we sought on the matter has confirmed that the Minister Motsoaledi’s request over-reaches.

Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. The right to privacy naturally includes a right to protection against the unlawful collection, dissemination and use of personal information. The State must respect, protect, promote and fulfill the rights in the Bill of Rights.

Additionally, POPI does not sanction this type of activity. The Act is designed to ensure that all South African institutions including medical aid schemes conduct themselves in a responsible manner when collecting, processing, storing and sharing entity’s personal information by holding them accountable for abusing or compromising citizen’s personal information in any way.

Chapter 5 of POPI creates an Information Regulator, currently accountable to the National Assembly, whose responsibility is to ensure that all South African institutions comply with POPI’s strict legal injunction to not compromise the privacy of our personal information. Amongst other things this Regulator needs to monitor and enforce compliance with the POPI Act, and receive and investigate complaints. An aggrieved party can naturally also institute civil action for damages sustained, where applicable.

Section 5 of the POPI Act specifically deals with the privacy rights of data subjects. Section 5 states that:

“A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3”

In the case of the CMS, there are eight separate conditions that have to be complied with in order for personal information to be lawfully processed:

i. Accountability (section 8) – the responsible party must ensure full compliance with the POPI Act;

ii. Processing limitation (sections 9 to 12) – Information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject. Only the minimal necessary information – that is information that is adequate, relevant and not excessive - may be processed, and there must be grounds for said processing, as specified in section 11 the Act, which includes inter alia consent, performance in terms of a contract, or the protection of the legitimate interest of the data subject;

iii. Specific Purpose (sections 13 and 14) – The personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and steps must be taken to ensure that the data subject is aware of said purpose. Records of personal information must generally not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed;

iv. Further processing limitation (section 15) – Further processing of personal information must be in accordance or compatible with the purpose for which it was originally collected;

v. Information quality (section 16) – Reasonable steps must be taken to ensure that information is complete, accurate and updated;

vi. Openness (sections 17 and 18) – If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected, the purpose of collection, recipients et cetera;

vii. Security Safeguards (sections 19 to 22) – A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information; and

viii. Data subject participation (sections 23 to 25) – The data subject must have access to the information, and must have the ability to correct information.

Processing the personal information of children is strictly prohibited in terms of section 34 unless it is done with the consent of a competent person (such as a parent or guardian); if the information has deliberately been made public by the child with the permission of a competent person (such as the parent or guardian); where a right or obligation exists in law or for historical, statistical and research purposes where such serves a public interest and it’s necessary in order to attain said purpose or where it is impossible to obtain consent.

We will lodge a complaint in terms of Section 74(1) read with section 75 of POPI with the Information Regulator against the CMS.

Whilst POPI does not apply to the processing of personal information by the Cabinet and its committees, this does not mean that the Minister does not need to respect the privacy rights of individuals. The Minister is still bound by the Constitution, which guarantees everyone’s the right to privacy.

Minister Motsoaledi is not legally entitled to the information and does not need it in the suggested format to answer his questions. Considering that no provision appears to be made regarding the security of the information, such a database could automatically and easily be targeted by hackers and would severely compromise medical aid members.

Given the number of people and institutions that must, by necessity, access the database, it will be close to impossible to ensure the security of the information.

In September last year, the DA noted with alarm the appointment of Board of Healthcare Funders (BHF) chairman the late Dr. Humphrey Zokufa as the new Registrar of the CMS. Dr. Zokufa died yesterday and our greatest sympathy goes out to his family.

We feared that, as Registrar, he would not be as robustly independent from Minister Motsoaledi as he should be. Although the requested and subsequent directive from the CMS to collect private data from medical scheme members was issued before Dr. Zokufa’s tenure, our fear was he would be only too keen to continue with the CMS project.

This could be another instance of ‘state capture’, this time by Minister Motsoaledi, to make sure medical aid schemes are led for NHI rather than prudential and market regulatory purposes. Minister Motsoaledi would love to park the resource-rich medical schemes in the NHI. However, the law governs the CMS and any effort to subject it to political ends must - and will - compel a legal challenge.

When the DA is in national government, we would fundamentally change the way Regulators and related institutions are governed. In Our Health Plan (OHP), released in November 2016, we recommend that the CMS be firewalled from the Minister of Health. The CMS should remain the prudential and market conduct Regulator of medical schemes, but under DA governance the Council and all appeal structures will be appointed independently of the Minister and the entities it regulates.

South Africans did not fight for and achieve a rights-based democracy only to be victim to the devious manoeuvres of a Minister schooled in the behind-the-scenes manipulative culture of the ANC-in-exile.

The state has no right to our personal information and the CMS has no business in providing it. It cannot be that national government asks a national institution to break our own laws.

Issued by Wilmot James, DA Shadow Minister of Health, 23 January 2017