The Information Regulator has named health one of five priority enforcement sectors for 2026/27. Combined with the new health information regulations in force since March, that brings most ordinary employers — not just clinics — formally into scope.

At a glance

  • On 5 May 2026, the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament’s Portfolio Committee, naming five priority sectors for targeted POPIA assessments in 2026/27: banking, insurance, health, retail, and telecommunications and social media
  • The Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties came into force on 6 March 2026 with no transitional period, and explicitly bring employers into scope as responsible parties processing health information
  • Affects: any business holding employee sick notes, medical certificates, EAP records, IOD paperwork, medical aid queries, return-to-work assessments, or wellness programme data — regardless of size, sector, or whether the business considers itself to be in healthcare
  • The substantive shift: implicit “treat this carefully” obligations have become explicit duty-of-confidentiality, lawful-basis, security, and cross-border-transfer requirements
  • What to do now: audit which health information the business holds, where it lives, and on what basis — before any external assessment starts there

What’s happened

On 5 May 2026 the Information Regulator presented its 2025/26 Annual Performance Plan to Parliament’s Portfolio Committee on Communications and Digital Technologies. The plan signals a deliberate shift in how the Regulator intends to enforce POPIA: from reactive complaint-handling to proactive, sector-wide review. Five sectors are named as priorities for “targeted assessments” in 2026/27 — banking, insurance, health, retail, and telecommunications and social media.

The announcement follows the publication of the Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, in force from 6 March 2026 with no transitional period. The regulations operationalise POPIA s 26 and s 32(6), and significantly broaden what counts as a regulated processor of health information.

Who this affects

The natural assumption is that “health sector” means hospitals, clinics, pathology laboratories, medical practices, and medical aid administrators. The new regulations explicitly broaden that. Employers — defined as any person, company, or organisation that pays others to work for them — are now within scope as responsible parties, by virtue of routinely holding employee health information.

That definition catches almost every business with staff: the sick note from a GP, the medical certificate after an injury, the EAP referral, the return-to-work assessment, the IOD form, the medical aid query, the wellness programme intake. Size is not a threshold. A 20-person consultancy holding medical certificates is in scope on identical terms to a 5,000-bed hospital group.

What the new rules formalise — and what they newly require

Most of the substance was already implicit in POPIA s 26’s treatment of “special personal information.” What the March 2026 regulations do is operationalise it into explicit requirements.

Area | Before March 2026 | After March 2026
Scope for employers | Implied through s 26 | Explicit — employers named as responsible parties
Duty of confidentiality | Assumed from HR role | Must derive from law, professional code, employment relationship, or written agreement
Diagnosis on sick notes | Often included by default | Must be balanced against employee’s right to medical privacy — certificate confirms unfitness, not diagnosis
Lawful processing ground | Often relied on consent | Consent fragile in employment; legal obligation or benefit administration usually the defensible basis
Cross-border transfer | General s 72 rules applied | Explicitly applied to health information; specific grounds required for offshore HR, payroll, EAP, or wellness platforms
Security safeguards | Appropriate measures under s 19 | Explicit duty for confidentiality, integrity, and availability of health data

The Regulator’s 5 May announcement layers on top of this: the body responsible for enforcing the regulations has stated, in advance, that health is one of the sectors where it will be looking proactively rather than waiting for complaints to come in.

Why this matters even for businesses that don’t think of themselves as healthcare

Most SMEs run HR processes through cloud-hosted systems, store sick notes in shared drives, and assume “we don’t really hold medical data — just employment paperwork.” The new regulations close that gap. The same sick note that was a payroll and leave document yesterday is, today, special personal information under POPIA, governed by a regulation that names the business as a responsible party.

The targeted-assessments model raises the practical stakes. Sector-wide assessments draw samples — meaning a business inside the affected population can be selected for review without ever having been the subject of a complaint. The historical reactive model relied on a complaint arriving; the new model does not.

For most ordinary businesses, the upside is also real. A clean, documented approach to employee health information is what employees notice, what enterprise clients ask about in security questionnaires, and what the Regulator wants to see if it does come knocking. The work of doing it well serves all three audiences at once.

Five things worth doing this month

  1. Audit what health information the business holds. Where it lives — HR system, shared drives, line manager folders, EAP provider, medical aid administrator portal — and who currently has access.
  2. Review provider contracts. EAP, wellness, occupational health, medical aid administrator, cloud HR. Check for explicit confidentiality clauses and where data is hosted geographically.
  3. Tighten what gets collected. Sick notes need to confirm unfitness, not disclose diagnoses. Onboarding intake forms should capture only what’s legally required.
  4. Clarify the lawful basis for each category of health processing. Document it. Consent in employment is a fragile foundation; legal obligation under the BCEA, COIDA, or the EEA is usually the defensible ground.
  5. Brief line managers on confidentiality expectations explicitly. Implicit duty no longer satisfies the regulations — the obligation needs to be locatable in a contract, a policy, or a documented role description.

The relevant timeline

Date | Event
6 March 2026 | Regulations on the Processing of Health Information come into force, no transitional period
5 May 2026 | Information Regulator names health one of five priority enforcement sectors for 2026/27
2026/27 financial year | Targeted, sector-wide assessments commence
To follow | Possible health-sector code of conduct under POPIA s 60 (in early consultation)

What’s still unclear

The Regulator has not yet published its assessment methodology for the 2026/27 priority sectors — what triggers selection, what an assessment looks like in practice, what evidence will be examined. Past targeted assessments suggest focus on documentation, security safeguards, and breach-notification capability, but specifics will become clearer as the first wave proceeds. A health-sector code of conduct under POPIA s 60 is reportedly in early consultation; if it emerges, it will add specificity for healthcare-native businesses, though the underlying scope on ordinary employers will remain.


The Regulator’s published priorities tell us what they intend to look at. The regulations tell us what they intend to find. The window for ordinary businesses to get this right before it becomes an external question, rather than an internal one, is now.


Metatrans helps South African organisations build compliance into how they work — POPIA, PAIA, GDPR, and ISO 27001. metatrans.co.za

If you’d like a working view of what this means for your business specifically — what to change, what to leave alone, what to document — that’s the kind of question our compliance assessments answer. metatrans.co.za/services

This Briefing is informational and reflects the position as at the date shown. It is not legal advice. For decisions specific to your business, take advice from a suitably qualified professional.


Sources and references

Primary sources

  • Protection of Personal Information Act 4 of 2013 (POPIA), particularly s 14, s 19, s 22, s 26, s 32(6), s 60, s 72
  • Regulations relating to the Processing of Data Subjects’ Health Information by Certain Responsible Parties, 2026 — published in the Government Gazette, in force 6 March 2026
  • Information Regulator 2025/26 Annual Performance Plan, presented to Parliament’s Portfolio Committee on Communications and Digital Technologies, 5 May 2026

Secondary sources

  • Werksmans Attorneys, South Africa’s Information Regulator: What the 2025/26 Annual Performance Plan means for Business (5 May 2026)
  • Fasken, Health Data Under the Microscope: New POPIA Regulations (April 2026)
  • ITLawCo, POPIA health data regulations 2026: What you need to know
  • Labour Guide South Africa, New POPIA Regulations on the Processing of Health Information: What Employers Must Know
  • Moonstone Information Refinery, New POPIA regulations on health information now in force

Metatrans interpretation

  • The framing that targeted assessments raise the practical stakes for SMEs through sampling is Metatrans interpretation. The Information Regulator has not stated that small businesses will specifically be sampled; the inference comes from the structural difference between reactive complaint-handling and proactive sectoral review
  • The characterisation of consent as a “fragile” lawful basis in employment contexts is established commentary among SA data protection commentators (and is consistent with EU jurisprudence on employer consent), but is not stated literally in the regulations themselves
  • The list of HR document types within scope (sick notes, EAP records, IOD paperwork, etc.) is illustrative; the regulations describe the data type by its nature (health information of a data subject) rather than by enumerating documents