Most dental practices have a patient privacy notice. Most of them believe that is POPIA compliance. It is not.
The Protection of Personal Information Act came into full effect on 1 July 2021. Every dental practice in South Africa processes personal information, including patient names, identity numbers, medical histories, X-rays, and financial records. That makes every dental practice a responsible party under POPIA, with obligations that go far beyond a notice on an intake form.
A privacy notice on an intake form satisfies one clause of Section 18. POPIA has 114 sections. Here is what the others require of your practice.
POPIA penalties for non-compliance: up to R10 million per offence, or up to 10 years imprisonment, or both (Section 107).
The requirement most practices have never met: Information Officer registration
Section 55 of POPIA requires every responsible party, including every dental practice, to designate an Information Officer. This is typically the principal dentist or practice owner. The designation is not optional and it cannot be delegated to a staff member without written authority from the responsible party.
Section 56 then requires that Information Officer to be registered with the Information Regulator of South Africa. Registration is done through the Information Regulator's online portal and takes approximately 30 minutes to complete.
"Most practices have never registered an Information Officer. This is a direct POPIA violation, even if every other part of their documentation is in order."
Has your practice registered an Information Officer with the Information Regulator?
Without registration, your practice is in breach of POPIA regardless of what other documentation you have. The registration confirmation also serves as a required display certificate under the OHSC inspection framework. Missing it creates a deficiency on your inspection report at the same time as it creates a POPIA violation.
Records of processing activities
POPIA requires responsible parties to maintain documented records of their personal information processing activities. This means your practice must be able to answer the following questions in writing, with evidence to support each answer:
- What personal information do you collect? (Name, ID number, medical history, treatment records, financial data, X-rays)
- Why do you collect it? (Treatment purposes, medical aid billing, legal record-keeping obligations under the Health Professions Act)
- Who has access to it? (Clinical staff, reception, billing partners, referral practitioners)
- How long do you retain it? (Patient records: minimum 6 years from last consultation under the Health Professions Act)
- How do you secure it? (Electronic: password protection, encryption. Physical: locked filing, restricted access)
A records of processing document is not a privacy policy. It is an internal working document that maps every category of personal information your practice holds to its purpose, retention period, and security controls. Most practices do not have it.
Security safeguards — Section 19
Section 19 of POPIA requires responsible parties to implement reasonable technical and organisational security measures to protect personal information. For a dental practice, this means having documented security controls, not just implemented ones. The documentation must exist and must be maintained.
What Section 19 requires you to document
- Password policy for practice management systems and all practice computers
- Access control: who can access patient records and on what basis
- Backup policy: how patient data is backed up and how frequently
- Physical security: how paper records are stored and who has access to them
- Third-party processing agreements: if any external party processes patient data on your behalf, such as a billing company or cloud software provider, a written processing agreement must be in place
Breach notification — Section 22
If your practice suffers a data breach, whether a stolen laptop, a hacked system, a physical file going missing, or an email sent to the wrong person, Section 22 of POPIA requires you to notify the Information Regulator and any affected data subjects as soon as reasonably possible after the breach is discovered.
Without a documented breach response protocol, there is no process to follow when it happens. By the time a practice without a protocol has figured out what to do, the notification window has closed. A breach that goes unreported because there was no response procedure is itself a separate POPIA violation, in addition to the breach that caused it.
Patient consent — what Section 18 actually requires
Section 18 requires that patients be notified at the point of collection about what information is being collected, why it is being collected, whether providing it is voluntary or mandatory, and the consequences of not providing it. This notification must include the contact details of your Information Officer.
A generic privacy notice does not satisfy Section 18. The notification must be specific. It must name the Information Officer, state the processing purpose, and, if information is shared with third parties, identify those parties and the legal basis for sharing. Most patient consent forms currently in use at South African dental practices do not meet this standard.
"A POPIA-compliant consent form for a dental practice looks very different from a generic privacy notice. It names a registered Information Officer and states specific processing purposes. Most forms in current use do not meet this requirement."
What complete POPIA compliance requires for a dental practice
POPIA compliance for a dental practice requires the following to be in place, documented, implemented, and maintained over time:
- Designated and registered Information Officer (Sections 55 and 56)
- Records of processing activities covering all personal information categories
- Section 18-compliant patient notification and consent documentation
- Written security safeguards policy covering technical and physical controls
- Third-party processing agreements where applicable
- Data breach response protocol with defined notification steps
- Staff POPIA awareness training and signed confidentiality agreements
- POPIA compliance review schedule, because the legislation is subject to regulatory guidance updates
POPIA compliance is also a scored component of OHSC inspections. Getting it right works in both directions. Read this alongside our guide to NHI accreditation and what it means for your practice.
Which POPIA obligations is your practice meeting?
A free compliance evaluation takes 15 minutes and scores your practice across every compliance area, including a full POPIA gap analysis.
Get Free Evaluation →