Democratic Alliance spokesperson on health Wilmot James has described the request by the SA Department of Health for medical aids to pass on the names and addresses of all their members for use in a central government database a breach of the Constitutional right to privacy and said the government had no right to each member's personal information.
The Times reports that the Council for Medical Schemes, which regulates medical aids‚ in July made a presentation explaining to schemes why it wanted this data. The presentation explains the data would help the government bill some medical aid members who currently use state hospitals and clinics for free. The DoH also wants a single list of every patient in the country to be held on a central database as part of National Health Insurance‚ according to the presentation.
The DoH wants information on what medical aid option each person is on and what the relationship between the main member and their beneficiaries are.
James said: "The state has no right to our personal information and the Council for Medical Schemes has no business in providing it. It cannot be that national government asks a national institution to break our own laws." The DA has said it knows at least some medical aids have refused to provide it‚ but others have passed it on to the council.
Werksmans Attorney's Neil Kirby is quoted in the report as saying that the DoH may have trouble enforcing this request as it contradicted a provision in the Medical Schemes Act.
"Section 60(2) of the Medical Schemes Act‚ 1998 prohibits any person from disclosing information about the affairs of a medical scheme unless it is done in terms of his or her duties in terms of the Act or as a witness before a court."
Spokesperson for the DoH, Joe Maila has, meanwhile, hit back at medical schemes that wouldn’t provide the data. He said: "Firstly‚ the registry is not to collect personal or private information as the DA claims‚ but to ensure that the public sector is able to identify medical scheme members so that their scheme can be billed for services rendered in the public sector. " He said the information such as which options members are choosing and the ages and geographic distrubution of members was solely for research purposes and would be anonymised.
"We are aware that some schemes do not want this information to be available neither to the department or the public. They have a lot to hide. They go around mobilising proxies to fight this battle for them. We are the last to act unethically in respect to patient confidentiality because we are the custodians of that."
The report says the two largest medical aid schemes Government Employee Medical Aid Scheme and Discovery Health Medical Aid Scheme were unable to comment at time of going to print.
The DA is taking the complaint to the Information Regulator. The DA claims the government is requesting personal information as defined in the Protection of Personal Information Act without having the necessary safeguards to protect the information, says a Beeld report.
The DA suggests the government move is intended to ‘capture’ the ‘resource rich’ medical aids as part of its National Health Insurance plans. According to the party, it had obtained a legal opinion confirming that Motsoaledi was over-reaching his powers.
James said in a press statement:
“The DA have a letter from the Health Minister, Aaron Motsoaledi, to the Council for Medical Schemes (CMS) in July last year in which he requested the CMS to collect private data about medical scheme members in order maintain a ‘Beneficiary Registry’ of members.
“His outrageous request – to collect very private, sensitive information, to which the government has no right – is not only unconstitutional, but also in flagrant violation of the Protection of Personal Information Act (POPI), Act No.4 of 2013. Additionally, it poses a real security risk to individual citizens.
“The Minister’s request claimed to be for purposes of ‘monitoring the impact of current policies and identifying medical scheme members who access services in the public sector’.
“In his letter, the Minister said the Department of Health requests ‘all medical schemes, administrators and regulated private health care funding entities to furnish the CMS with regular updated electronic records pertaining to basic personal, demographic (including domicile) details of all members and their beneficiaries, as stored on their respective member management systems.’
“The CMS, then under registrar Daniel Lehutjo, no doubt wishing to please the Minister with enthusiasm, turned the request into a directive, a copy of which we have in our possession. Many medical scheme principals rightly refused to divulge the requested information.
“A legal opinion we sought on the matter has confirmed that the Minister Motsoaledi’s request over-reaches.
“Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy. The right to privacy naturally includes a right to protection against the unlawful collection, dissemination and use of personal information. The State must respect, protect, promote and fulfill the rights in the Bill of Rights.
“Additionally, POPI does not sanction this type of activity. The Act is designed to ensure that all South African institutions including medical aid schemes conduct themselves in a responsible manner when collecting, processing, storing and sharing entity’s personal information by holding them accountable for abusing or compromising citizen’s personal information in any way.”
“Chapter 5 of POPI creates an Information Regulator, currently accountable to the National Assembly, whose responsibility is to ensure that all South African institutions comply with POPI’s strict legal injunction to not compromise the privacy of our personal information. Amongst other things this Regulator needs to monitor and enforce compliance with the POPI Act, and receive and investigate complaints. An aggrieved party can naturally also institute civil action for damages sustained, where applicable.
Section 5 of the POPI Act specifically deals with the privacy rights of data subjects.
“Section 5 states that:
‘A data subject has the right to have his, her or its personal information processed in accordance with the conditions for the lawful processing of personal information as referred to in Chapter 3’
“In the case of the CMS, there are eight separate conditions that have to be complied with in order for personal information to be lawfully processed:
i. Accountability (section 8) – the responsible party must ensure full compliance with the POPI Act;
ii. Processing limitation (sections 9 to 12) – Information must be processed lawfully and in a reasonable manner that does not infringe on the privacy of the data subject. Only the minimal necessary information – that is information that is adequate, relevant and not excessive – may be processed, and there must be grounds for said processing, as specified in section 11 the Act, which includes inter alia consent, performance in terms of a contract, or the protection of the legitimate interest of the data subject;
iii. Specific Purpose (sections 13 and 14) – The personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party, and steps must be taken to ensure that the data subject is aware of said purpose. Records of personal information must generally not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed;
iv. Further processing limitation (section 15) – Further processing of personal information must be in accordance or compatible with the purpose for which it was originally collected;
v. Information quality (section 16) – Reasonable steps must be taken to ensure that information is complete, accurate and updated;
vi. Openness (sections 17 and 18) – If personal information is collected, the responsible party must take reasonably practicable steps to ensure that the data subject is aware of the information being collected, the purpose of collection, recipients et cetera;
vii. Security Safeguards (sections 19 to 22) – A responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information; and
viii. Data subject participation (sections 23 to 25) – The data subject must have access to the information, and must have the ability to correct information.
“Processing the personal information of children is strictly prohibited in terms of section 34 unless it is done with the consent of a competent person (such as a parent or guardian); if the information has deliberately been made public by the child with the permission of a competent person (such as the parent or guardian); where a right or obligation exists in law or for historical, statistical and research purposes where such serves a public interest and it’s necessary in order to attain said purpose or where it is impossible to obtain consent.
“We will lodge a complaint in terms of Section 74(1) read with section 75 of POPI with the Information Regulator against the CMS.
“Whilst POPI does not apply to the processing of personal information by the Cabinet and its committees, this does not mean that the Minister does not need to respect the privacy rights of individuals. The Minister is still bound by the Constitution, which guarantees everyone’s the right to privacy.
“Minister Motsoaledi is not legally entitled to the information and does not need it in the suggested format to answer his questions. Considering that no provision appears to be made regarding the security of the information, such a database could automatically and easily be targeted by hackers and would severely compromise medical aid members.
Given the number of people and institutions that must, by necessity, access the database, it will be close to impossible to ensure the security of the information.
“In September last year, the DA noted with alarm the appointment of Board of Healthcare Funders (BHF) chairman the late Dr. Humphrey Zokufa as the new Registrar of the CMS. Dr. Zokufa died yesterday and our greatest sympathy goes out to his family.
“We feared that, as Registrar, he would not be as robustly independent from Minister Motsoaledi as he should be. Although the requested and subsequent directive from the CMS to collect private data from medical scheme members was issued before Dr Zokufa’s tenure, our fear was he would be only too keen to continue with the CMS project.
“This could be another instance of ‘state capture’, this time by Minister Motsoaledi, to make sure medical aid schemes are led for NHI rather than prudential and market regulatory purposes. Minister Motsoaledi would love to park the resource-rich medical schemes in the NHI. However, the law governs the CMS and any effort to subject it to political ends must – and will – compel a legal challenge.”
[link url="http://www.timeslive.co.za/local/2017/01/23/Health-department-wants-details-of-medical-aid-members-to-be-stored-in-central-government-database"]The Times report[/link]
[link url="http://media24.newspaperdirect.com/epaper/viewer.aspx"]Beeld report[/link]
[link url="https://press-admin.voteda.org/wp-content/uploads/2017/01/Health-Authorities-want-to-illegally-access-private-information-23-January-2017.pdf"]Department of Health letter[/link]
[link url="https://www.da.org.za/2017/01/health-departments-response-das-expose-illegal-gathering-information-misleading/"]DA material[/link]