SECTOR ALERT

The Information Regulator’s health focus: what businesses outside healthcare still need to do

The Information Regulator has named health one of five priority enforcement sectors for 2026/27. Combined with the new health information regulations in force since March, that brings most ordinary employers — not just clinics — formally into scope.

By Christelle @ Metatrans

Published: 16 May 2026 · Last reviewed: 16 May 2026 · 4 minute read


At a glance

  • On 5 May 2026, the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament’s Portfolio Committee, naming five priority sectors for targeted POPIA assessments in 2026/27: banking, insurance, health, retail, and telecommunications and social media
  • The Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties came into force on 6 March 2026 with no transitional period, and explicitly bring employers into scope as responsible parties processing health information
  • Affects: any business holding employee sick notes, medical certificates, EAP records, IOD paperwork, medical aid queries, return-to-work assessments, or wellness programme data — regardless of size, sector, or whether the business considers itself to be in healthcare
  • The substantive shift: implicit “treat this carefully” obligations have become explicit duty-of-confidentiality, lawful-basis, security, and cross-border-transfer requirements
  • What to do now: audit which health information the business holds, where it lives, and on what basis — before any external assessment starts there

What’s happened

On 5 May 2026 the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament’s Portfolio Committee on Communications and Digital Technologies. The plan signals a deliberate shift in how the Regulator intends to enforce POPIA: from reactive complaint-handling to proactive, sector-wide review. Five sectors are named as priorities for “targeted assessments” in 2026/27 — banking, insurance, health, retail, and telecommunications and social media.

The announcement follows the publication of the Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, in force from 6 March 2026 with no transitional period. The regulations operationalise POPIA s 26 and s 32(6), and significantly broaden what counts as a regulated processor of health information.

Who this affects

The natural assumption is that “health sector” means hospitals, clinics, pathology laboratories, medical practices, and medical aid administrators. The new regulations explicitly broaden that. Employers — defined as any person, company, or organisation that pays others to work for them — are now within scope as responsible parties, by virtue of routinely holding employee health information.

That definition catches almost every business with staff: the sick note from a GP, the medical certificate after an injury, the EAP referral, the return-to-work assessment, the IOD form, the medical aid query, the wellness programme intake. Size is not a threshold. A 20-person consultancy holding medical certificates is in scope on identical terms to a 5,000-bed hospital group.

What the new rules formalise — and what they newly require

Most of the substance was already implicit in POPIA s 26’s treatment of “special personal information.” What the March 2026 regulations do is operationalise it into explicit requirements.

| Area | Before March 2026 | After March 2026 |
|---|---|---|
| Scope for employers | Implied through s 26 | Explicit — employers named as responsible parties |
| Duty of confidentiality | Assumed from HR role | Must derive from law, professional code, employment relationship, or written agreement |
| Diagnosis on sick notes | Often included by default | Must be balanced against employee’s right to medical privacy — certificate confirms unfitness, not diagnosis |
| Lawful processing ground | Often relied on consent | Consent fragile in employment; legal obligation or benefit administration usually the defensible basis |
| Cross-border transfer | General s 72 rules applied | Explicitly applied to health information; specific grounds required for offshore HR, payroll, EAP, or wellness platforms |
| Security safeguards | Appropriate measures under s 19 | Explicit duty for confidentiality, integrity, and availability of health data |

The Regulator’s 5 May announcement layers on top of this: the body responsible for enforcing the regulations has stated, in advance, that health is one of the sectors where it will be looking proactively rather than waiting for complaints to come in.

Why this matters even for businesses that don’t think of themselves as healthcare

Most SMEs run HR processes through cloud-hosted systems, store sick notes in shared drives, and assume “we don’t really hold medical data — just employment paperwork.” The new regulations close that gap. The same sick note that was a payroll and leave document yesterday is, today, special personal information under POPIA, governed by a regulation that names the business as a responsible party.

The targeted-assessments model raises the practical stakes. Sector-wide assessments draw samples — meaning a business inside the affected population can be selected for review without ever having been the subject of a complaint. The historical reactive model relied on a complaint arriving; the new model does not.

For most ordinary businesses, the upside is also real. A clean, documented approach to employee health information is what employees notice, what enterprise clients ask about in security questionnaires, and what the Regulator wants to see if it does come knocking. The work of doing it well serves all three audiences at once.

Five things worth doing this month

  1. Audit what health information the business holds. Where it lives — HR system, shared drives, line manager folders, EAP provider, medical aid administrator portal — and who currently has access.
  2. Review provider contracts. EAP, wellness, occupational health, medical aid administrator, cloud HR. Check for explicit confidentiality clauses and where data is hosted geographically.
  3. Tighten what gets collected. Sick notes need to confirm unfitness, not disclose diagnoses. Onboarding intake forms should capture only what’s legally required.
  4. Clarify the lawful basis for each category of health processing. Document it. Consent in employment is a fragile foundation; legal obligation under the BCEA, COIDA, or the EEA is usually the defensible ground.
  5. Brief line managers on confidentiality expectations explicitly. Implicit duty no longer satisfies the regulations — the obligation needs to be locatable in a contract, a policy, or a documented role description.

The relevant timeline

| Date | Event |
|---|---|
| 6 March 2026 | Regulations on the Processing of Health Information come into force, no transitional period |
| 5 May 2026 | Information Regulator names health one of five priority enforcement sectors for 2026/27 |
| 2026/27 financial year | Targeted, sector-wide assessments commence |
| To follow | Possible health-sector code of conduct under POPIA s 60 (in early consultation) |

What’s still unclear

The Regulator has not yet published its assessment methodology for the 2026/27 priority sectors — what triggers selection, what an assessment looks like in practice, what evidence will be examined. Past targeted assessments suggest focus on documentation, security safeguards, and breach-notification capability, but specifics will become clearer as the first wave proceeds. A health-sector code of conduct under POPIA s 60 is reportedly in early consultation; if it emerges, it will add specificity for healthcare-native businesses, though the underlying scope on ordinary employers will remain.


The Regulator’s published priorities tell us what they intend to look at. The regulations tell us what they intend to find. The window for ordinary businesses to get this right before it becomes an external question, rather than an internal one, is now.


Metatrans helps South African organisations build compliance into how they work — POPIA, PAIA, GDPR, and ISO 27001. metatrans.co.za

If you’d like a working view of what this means for your business specifically — what to change, what to leave alone, what to document — that’s the kind of question our compliance assessments answer. metatrans.co.za/services

This Briefing is informational and reflects the position as at the date shown. It is not legal advice. For decisions specific to your business, take advice from a suitably qualified professional.


Sources and references

Primary sources

  • Protection of Personal Information Act 4 of 2013 (POPIA), particularly s 14, s 19, s 22, s 26, s 32(6), s 60, s 72
  • Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 — published in the Government Gazette, in force 6 March 2026
  • Information Regulator 2025/26 Annual Performance Plan, presented to Parliament’s Portfolio Committee on Communications and Digital Technologies, 5 May 2026

Secondary sources

  • Werksmans Attorneys, South Africa’s Information Regulator: What the 2025/26 Annual Performance Plan means for Business (5 May 2026)
  • Fasken, Health Data Under the Microscope: New POPIA Regulations (April 2026)
  • ITLawCo, POPIA health data regulations 2026: What you need to know
  • Labour Guide South Africa, New POPIA Regulations on the Processing of Health Information: What Employers Must Know
  • Moonstone Information Refinery, New POPIA regulations on health information now in force

Metatrans interpretation

  • The framing that targeted assessments raise the practical stakes for SMEs through sampling is Metatrans interpretation. The Information Regulator has not stated that small businesses will specifically be sampled; the inference comes from the structural difference between reactive complaint-handling and proactive sectoral review
  • The characterisation of consent as a “fragile” lawful basis in employment contexts is established commentary among SA data protection commentators (and is consistent with EU jurisprudence on employer consent), but is not stated literally in the regulations themselves
  • The list of HR document types within scope (sick notes, EAP records, IOD paperwork, etc.) is illustrative; the regulations describe the data type by its nature (health information of a data subject) rather than by enumerating documents

Tags

  • Sub-type: Sector Alert
  • Primary framework: POPIA
  • Affected function: HR · Operations · Compliance
  • Sector: All — with healthcare emphasis

Distribution variants

Email package

  • Subject line: Briefing: Health just made the Regulator’s priority list — and most employers are in scope
  • Preview text: The Information Regulator has named healthcare a priority sector. The catch is what “health” now means.
  • Sender display name: [Author name] · Metatrans
  • Body: Full Briefing as above. For shorter sends, use the At a glance block plus a “Read the full Briefing” link to the website version.

LinkedIn post (~300 words)

The Information Regulator has named health one of five priority enforcement sectors for 2026/27.

Most employers will assume this doesn’t apply to them — they’re not in healthcare.

Under the new health information regulations in force since March, they almost certainly are. Here’s why.

On 5 May 2026 the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament. Five sectors are named for targeted, sector-wide POPIA assessments in 2026/27: banking, insurance, health, retail, and telecommunications and social media. This is a deliberate shift from reactive complaint-handling to proactive review.

The catch is what “health” now means. The Regulations on the Processing of Health Information, in force since 6 March 2026, explicitly bring employers into scope as responsible parties. Sick notes, medical certificates, EAP records, return-to-work assessments, IOD paperwork, medical aid queries, wellness programme data — all of it is regulated health information.

Size is not a threshold. A 20-person consultancy holding medical certificates is in scope on the same terms as a hospital group.

Five things worth doing this month:

→ Audit which health information the business holds and where it lives
→ Review EAP, wellness, and HR provider contracts for confidentiality and cross-border data flows
→ Tighten what’s collected — sick notes confirm unfitness, not diagnoses
→ Document the lawful basis (consent in employment is fragile; legal obligation usually applies)
→ Brief line managers on confidentiality expectations explicitly

The Regulator’s published priorities tell us what they intend to look at. The regulations tell us what they intend to find. The window to get this right before it becomes an external question is now.

Full Briefing: [link]

#POPIA #DataPrivacy #HRCompliance #InformationRegulator #SouthAfrica

WhatsApp / short share (252 characters)

Briefing: The Information Regulator has named health a priority enforcement sector for 2026/27. With March’s new health regulations, ordinary employers — not just healthcare — are now formally in scope. What to check before assessments begin: [link]


Editor’s notes

  • Body word count: ~860 words across mandatory and conditional sections (recipe target: 450–900). ✓
  • Sub-type: Sector Alert. Justification — the piece anchors on a specific regulator action (the 5 May Annual Performance Plan) with practical implications, against the backdrop of the in-force March regulations. Could defensibly be classified Regulation Watch if framed primarily around the regulations rather than the IR’s priorities; current framing leads with the priorities, making Sector Alert the cleaner fit.
  • Two tables present (recipe cap: two). ✓
  • “Want to, not have to” framing visible in Why this matters even for businesses that don’t think of themselves as healthcare and in the closing block.
  • Legal-status disclaimer included even though optional for Sector Alert — the piece references in-force regulations and provider-contract review, both of which sit close to legal territory.
  • Review date: 16 November 2026 (default 6 months). Earlier review if a health-sector code of conduct under POPIA s 60 is published, or if the Information Regulator publishes assessment methodology for the 2026/27 priority sectors.
  • One date to verify before publication: 5 May 2026 (the Annual Performance Plan presentation to the Portfolio Committee). Source: Werksmans Attorneys summary; cross-check against the Portfolio Committee’s published minutes if available.
  • The Government Gazette date for the March 2026 health regulations: sources cite both 27 February 2026 (gazette publication) and 6 March 2026 (commencement). The Briefing uses 6 March 2026 as the in-force date — worth confirming against the gazette text itself.
  • Suggested related links for §7.5 chrome: a future Briefing on data inventories (referenced in §1 of What to do); the Insights piece on breach notification (currently in draft, Lancet, notification and the hour after).