Repairs | 08 April 2026 | 7 min read

Medical Practice POPIA IT Provider: Your Compliance Obligation as an HPCSA Practitioner

If you run a medical practice in Johannesburg—whether in Sandton, Morningside, Bryanston, or anywhere across Gauteng—you have a personal regulatory obligation that most GPs and specialists overlook. Under the Health Professions Council of South Africa (HPCSA) Professional Rules and the Protection of Personal Information Act (POPIA), *you* are liable for patient data breaches. Not your receptionist. Not your IT support company. You.

This liability became sharply real following the Fasken pharmaceutical enforcement action, which established precedent for data controller accountability in healthcare. Yet most medical practitioners we speak to at ZA Support have never read their IT provider's POPIA Section 21 operator agreement—the legal instrument that should transfer certain liability away from the practice and toward the IT company handling your patient records.

This post explains what that obligation means, what compliance actually requires, and how to assess whether your current IT provider has the right framework in place.

Your Personal Liability Under HPCSA Rules

The HPCSA's Professional Rules require you to protect patient information and maintain confidentiality. Breaching this duty isn't just an ethical violation—it exposes you to:

  • Professional conduct inquiries by the HPCSA
  • Suspension or removal from the register
  • Civil claims from affected patients
  • Criminal liability under POPIA (fines up to R10 million for individuals)
  • Reputational damage that directly impacts practice revenue

The Fasken pharmaceutical enforcement action demonstrated that regulators will pursue data controller liability aggressively. That company faced substantial penalties for inadequate data protection measures, even though employees—not the company's negligence—caused the initial breach.

For you as a medical practitioner, the standard is *higher*. You are the data controller. Your IT provider is the data processor. Unless you have a proper Section 21 operator agreement in place, your IT company has no contractual obligation to comply with POPIA, and you remain fully liable for their failures.

What Is a POPIA Section 21 Operator Agreement?

POPIA Section 21 establishes the legal framework for "operators" (data processors). An operator agreement is the contract between you (the medical practice, as data controller) and your IT provider (the operator, as data processor).

Without this agreement, your IT provider is not legally bound to:

  • Implement reasonable security measures to protect patient data
  • Restrict access to records based on medical necessity
  • Report breaches to you immediately
  • Delete data when retention periods end
  • Submit to audits of their security practices
  • Maintain records of processing activities
  • Cooperate with POPIA investigations

Most medical practices in Johannesburg do not have a Section 21 operator agreement with their IT provider. This is not a theoretical compliance gap. This is active, unmitigated risk.

When load shedding or network failures occur—and they do, regularly, across Gauteng—an IT provider without contractual POPIA obligations has no requirement to prioritise your data security during recovery. An operator with a proper agreement does.

What a Compliant Agreement Requires

A Section 21 operator agreement should specify:

Technical and Organisational Measures

Your IT provider must document how they:

  • Encrypt patient data in transit and at rest
  • Control physical and logical access to systems
  • Maintain secure backups
  • Manage user authentication and privilege levels
  • Monitor systems for unauthorised access
  • Patch vulnerabilities and manage software updates

Breach Reporting

The operator must notify you of any suspected breach *without undue delay*. For medical data, "undue delay" typically means within 24 hours. You then have specific obligations to notify the Information Regulator and affected patients.

Audit Rights

You must retain the right to audit your IT provider's security practices, either directly or through a third-party assessor. This is non-negotiable. You cannot delegate compliance and then assume it's happening.

Data Retention and Deletion

The agreement must specify retention periods aligned to your practice management policies and statutory obligations (typically 6 years for medical records in South Africa). When retention periods expire, the operator must securely delete or anonymise data.

Sub-processors

If your IT provider uses cloud hosting, backup services, or managed security vendors, they must obtain your written consent before engaging those sub-processors. You have the right to object to new sub-processors and to know where your data is physically stored.

Liability Allocation

The agreement must clarify which party bears liability for different failure scenarios. If your IT provider's negligence causes a breach, they should indemnify you. If you fail to implement their security recommendations, liability remains with you.

Why This Matters in Johannesburg's IT Environment

Gauteng practices face particular pressures. Load shedding is now routine, meaning:

  • Backup generators and uninterruptible power supplies must work flawlessly
  • Recovery time objectives (RTO) and recovery point objectives (RPO) become critical
  • Data integrity during power transitions must be guaranteed

An IT provider without a Section 21 operator agreement has no contractual obligation to maintain the infrastructure required to protect your data during load shedding events. You're relying on goodwill, not contractual obligation.

Additionally, Gauteng's climate and infrastructure bring further risks:

  • Cooling system failures affecting server rooms
  • Physical security breaches in suburban IT facilities
  • Network latency affecting telehealth and remote practitioner access

A compliant operator agreement requires your IT provider to maintain minimum standards for all of these scenarios.

How to Assess Your Current IT Provider

Ask your IT provider these questions in writing:

  • Do you have a POPIA Section 21 operator agreement template? If they hesitate, they probably don't.
  • Can you provide your ISO 27001 certification or SOC 2 audit report? These demonstrate independently verified security controls.
  • Where is our data physically stored? They should specify data centre locations and jurisdictions.
  • What is your breach notification protocol? Demand written confirmation of 24-hour notification.
  • Do you maintain cyber liability insurance? This protects you if they cause a breach.
  • Can we conduct an annual security audit? If they refuse, reconsider the relationship.

If your current provider cannot confidently answer these questions, you need a compliant alternative.

ZA Support's Approach to POPIA Compliance

At ZA Support, based in Hyde Park, we work exclusively with medical practices across Gauteng. Every engagement begins with an assessment (from R599) of your current IT infrastructure and POPIA compliance posture.

That assessment covers:

  • Review of your existing IT provider agreements (or lack thereof)
  • Audit of your data security baseline
  • Identification of regulatory gaps
  • Recommendations for remediation

We then implement compliant managed IT services with:

  • A signed POPIA Section 21 operator agreement aligned to HPCSA requirements
  • Technical controls appropriate to medical data sensitivity
  • Breach notification protocols
  • Annual compliance audits and reporting

We understand Johannesburg's healthcare IT ecosystem. We know the regulatory environment. And we know your personal liability exposure.

Frequently Asked Questions

Who is liable if my IT provider experiences a data breach?

You are, unless you have a compliant Section 21 operator agreement transferring certain liability to your IT provider. Even with an agreement, you remain the data controller and bear ultimate responsibility for compliance. The agreement clarifies *which* failures are the operator's liability.

Does POPIA apply to practices using cloud-based practice management software?

Yes. Cloud software providers are operators under POPIA. Your software vendor must have a POPIA-compliant data processing agreement. Check your contract immediately. Most standard SaaS agreements are not POPIA-compliant without amendment.

Can I use a generic IT support company without POPIA expertise?

You can, but you're accepting unmitigated compliance risk. A generic IT support company typically has no experience with healthcare regulation, no ISO 27001 certification, and no operator agreement template. The cost of compliance remediation or a breach far exceeds the cost of hiring a compliant provider.

What should my breach notification procedure include?

Document a procedure specifying: (1) immediate isolation of affected systems; (2) notification to your IT provider within 24 hours; (3) assessment of breach scope and severity; (4) notification to the Information Regulator if personal information of more than one person is affected; (5) notification to affected patients; (6) documentation of the breach and remediation actions. This must be written and tested annually.

How often should I audit my IT provider's POPIA compliance?

Annually, at minimum. For high-risk practices (those handling sensitive data like mental health or addiction treatment records), consider twice-yearly audits. Your operator agreement should require them to cooperate with audits and remediate identified gaps within 30 days.

What happens if the Information Regulator investigates a breach at my practice?

They will review your Section 21 operator agreement, assess whether your IT provider was contractually bound to implement security measures, and determine whether you failed to select a compliant operator. Practices without operator agreements face significantly harsher regulatory outcomes.

Next Steps

Your compliance obligation as an HPCSA practitioner is non-delegable. You cannot outsource it to your IT provider. But you can—and must—establish a contractual framework that clarifies roles and transfers appropriate liability.

Review your current IT support agreement this week. If it does not include a POPIA Section 21 operator clause, contact your provider and request one. If they cannot supply it, begin the process of finding a compliant alternative.

If you're in Johannesburg or anywhere across Gauteng and need an assessment of your current compliance posture, contact ZA Support. We offer an assessment (from R599) covering your IT infrastructure, data security, and POPIA compliance. You can also reach us on WhatsApp at 064 529 5863.

Your patients trust you with their most sensitive information. Your regulator expects you to protect it. A compliant managed IT provider isn't optional. It's your primary obligation.

Written by

Courtney Bentley

Apple Certified Expert Consultant

Former Apple South Africa Manager (2007-2009). Founded ZA Support at age 19 in 2009. Forbes Africa 30 Under 30 (2019). Has personally overseen more than 25,000 Mac repairs at ZA Support's Hyde Park workshop. Specialises in component-level logic board repair, liquid damage recovery, and medical practice IT. BSc Informatics (UNISA). Member of the Apple Developer Program.