On 6 March 2026, the Information Regulator brought new POPIA regulations into force governing how certain organisations handle people’s health information. These rules apply immediately and give the Regulator a more concrete basis to test whether your business is protecting sensitive data properly.
For South African SMEs, the key question is simple: are we one of the organisations the Regulator has just put under closer scrutiny?
Does this affect your SME?
The Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 (Gazette No. 54268), apply to specific categories of organisations that process health information. That includes insurers, medical schemes and administrators, managed healthcare organisations, pension and provident funds, and employers processing employee health information such as sick leave or incapacity records.
Even as an SME, you are likely in scope if you hold employee medical certificates, manage disability or occupational health matters, administer group risk benefits or pensions, or provide services to insurers and healthcare players that involve health data.
What has actually changed?
POPIA has always treated health information as “special” personal information, but the new regulations turn high‑level principles into specific, testable rules. Health data is now clearly positioned as a high‑risk category that will attract attention in audits, complaints and investigations.
- Every use of health data must be justified: For each way you collect, use or share health information, you must be able to explain why you need it and which POPIA provision allows that specific use.
- Security is both technical and organisational: The regulations expect appropriate access controls, encryption and backups on systems, as well as practical measures like locked storage, controlled printing and staff training for anyone handling health records.
- Confidentiality duties must be explicit: Employees and service providers who handle health information should be under clear written confidentiality obligations via contracts, codes of conduct and policies.
- No grace period: The regulations are already in force; there is no multi‑year transition window.
What this means for SME boards and executives
For leadership, this is fundamentally a governance and risk issue. The Regulator now has a clearer framework to assess whether your handling of health information is lawful, necessary and secure. Health‑data incidents can carry heightened regulatory, reputational and commercial impact, especially where employee or customer trust is at stake.
Larger partners – insurers, schemes, corporates – are also likely to tighten their vendor due‑diligence questions around POPIA and health information. SMEs that move early will be better positioned as low‑risk, resilient partners.
A practical approach for SMEs
You don’t need an enterprise‑scale programme to respond effectively. A focused, leadership‑backed plan is enough for most SMEs:
- Identify where you touch health data: HR and payroll, incapacity management, wellness or surveillance programmes, benefits and insurance, and any client work involving medical details.
- List your key uses and legal bases: For each use, record why you need the data and which POPIA ground you rely on, keeping the register short but clear.
- Fix obvious security and process gaps: Limit access on a “need to know” basis, lock physical files away, tighten email/printing practices and ensure appropriate controls on systems that store health data.
- Align documents and contracts: Update employment documentation, policies and third‑party contracts so they reflect your actual practices and the new expectations around confidentiality and safeguards.
- Brief the people who handle the data: Give HR, managers and relevant IT/compliance staff a clear, practical briefing on what has changed and how to escalate issues.
How Digital Progression can help
POPIA compliance is a core part of our advisory work at Digital Progression. We help South African SMEs translate these regulations into practical controls and documentation – without drowning the business in red tape. Typical engagements include:
- A focused review of where you process health information and how the new regulations affect you.
- Updating your POPIA records, policies and contracts to reflect the new requirements in a way that fits SME realities.
- A pragmatic security and incident‑response check for systems and processes that handle health data.
- Concise briefings for boards, executives and key staff so they understand the risks and the agreed roadmap.
If your organisation handles employee or customer health information and you are unsure how these regulations affect your risk, we offer a fixed‑scope POPIA health‑data review designed specifically for South African SMEs. Contact us to schedule a discussion with our team.