POPIA and Employee Medical Records: The Compliance Risk Employers Cannot Ignore
By Sue Singh, May 19 (3 min read)

On 6 March 2026, the Information Regulator published regulations governing the processing of health information under POPIA (Government Gazette No. 54268). Employers are one of eight categories of responsible parties to which the Regulations apply, in defined circumstances (e.g., processing necessary for implementing laws or collective agreements creating rights tied to health, or for reintegration/support of workers in connection with sickness or incapacity). The regulations took effect immediately with no transitional period. Non-compliance carries administrative fines of up to R10 million and criminal liability of up to 10 years’ imprisonment for serious offences.
Sick leave certificates, occupational health assessments, disability documentation, fitness-for-duty reports, and pre-employment medical results all constitute special personal information under POPIA (section 26 read with section 1) — the highest level of protection under South African law.
Employer Obligations
Lawful basis. Each category of health data processing must be mapped to a documented ground under section 27, read with section 32, of POPIA. A general HR policy does not constitute a lawful basis.
Security safeguards. Physical records require locked, secure storage. Electronic records require encryption and access controls. Disposal must prevent unauthorised access.
Confidentiality. Disclosure generally requires the employee’s written consent, a court order, or another lawful basis recognised under POPIA (e.g., an applicable section 27 or section 32 authorisation, compliance with a legal obligation, or protection of the data subject’s vital interests).
Cross-border transfers. Employers using HR or wellness platforms that store data outside South Africa must satisfy the requirements of section 72 of POPIA.
Operator Agreements with Occupational Health Providers
Where an employer engages an external occupational health provider, the relationship and respective POPIA roles (responsible party and operator) should be formally documented before services commence — typically via an operator agreement under section 21 of POPIA. In practice, this rarely occurs. An employer in possession of medical files without a documented operator agreement risks holding those records without an adequate lawful basis and security arrangement, and remains accountable for storage, access control, retention, and destruction.
Common Deficiencies
Health data stored alongside general personnel records — no separation, no restricted access;
No documented lawful basis for processing — health information collected routinely without recorded justification;
No operator agreement with occupational health providers — medical files received without formal allocation of responsibility;
Unrestricted access — HR, payroll, and management personnel viewing health data without a need-to-know basis;
No compliant disposal — records discarded rather than securely destroyed.
Recommended Steps
Map all employee health data: categories, lawful basis, storage location, and access permissions.
Separate health records from general HR files and restrict access on a documented need-to-know basis.
Review occupational health provider agreements for POPIA roles, operator obligations, storage, access control, retention, and disposal provisions.
Assess HR and wellness platform agreements for POPIA-compliant provisions and cross-border transfer compliance.
Implement secure destruction procedures for health records exceeding their retention period.
Train HR, payroll, and management on the classification and handling of health data as special personal information.
This article is for informational purposes only and does not constitute legal advice. For specific legal guidance on protected disclosures, employment practices, or compliance obligations, consult a qualified labour law practitioner.
© 2026 Global Business Solutions (GBS). All rights reserved.