Legitimate Interests and the Draft Regulations on Processing Health and Sex Life Information under POPIA 

On 26 September 2025, the Information Regulator published a notice inviting public comment on the draft Regulations relating to the processing of a data subject’s health or sex life information by certain responsible parties in terms of section 112(2)(c) (“the Draft Regulations”) of the Protection of Personal Information Act, 2013 (“POPIA”).   

The Draft Regulations apply to a defined set of responsible parties, namely insurance companies, medical schemes, medical scheme administrators, managed healthcare organisations, administrative bodies, pension funds, employers working for administrative bodies or pension funds and institutions working for administrative bodies or pension funds. 

The Draft Regulations provide that where a responsible party has determined that it is necessary to process a data subject’s health or sex life information in order to implement a law, regulation, or collective agreement, and where the responsible party seeks to rely on section 11(1)(f) of POPIA because consent cannot be obtained, that party must first conduct a Legitimate Interest Assessment (“LIA”). The Draft Regulations further provide that responsible parties or third parties processing such information for the purpose of protecting a data subject’s legitimate interests, or pursuing their own legitimate interests, must conduct an LIA.

The central issue with this approach is that it confuses and collapses distinct authorisations for processing special personal information under POPIA. By way of example, section 32(1)(f)(i) would authorise a pension fund to process health information of a data subject if such processing is necessary for the implementation of laws, pension regulations or collective agreements which create rights dependent on the health of the data subject. The authorisation is already expressly provided in section 32(1)(f)(i). Therefore, there is no need to consider legitimate interest or consent as an authorisation to process the information. Requiring the pension fund to first seek consent and, if it fails, to justify the processing through legitimate interest, is redundant.

By introducing “consent” into this context, the Draft Regulations risk creating the impression that consent must always be sought first and that if it is not obtainable, a responsible party may then consider “legitimate interest”. In our view, this misrepresents POPIA’s framework, because section 32(1)(f)(i) is the correct and only sufficient authorisation required.

Furthermore, the inclusion of “legitimate interest” in the Draft Regulations is problematic.  POPIA does not recognise “legitimate interest” as an authorisation to process special personal information.   

Section 26 of POPIA prohibits processing special personal information, which includes health and sex life information. Section 27 then provides for general authorisations to process special personal information, which are limited to:

  • consent; 

  • processing necessary for the establishment, exercise or defence of a right or obligation in law; 

  • processing necessary to comply with an obligation of international public law; 

  • processing for historical, statistical or research purposes to the extent that it serves a public interest and subject to certain safeguards; 

  • information deliberately made public by the data subject; or 

  • compliance with the specific provisions of sections 28 to 33. 

For example, section 32 of POPIA sets out a list of specific authorisations that apply to health or sex life information in particular circumstances, such as an insurance company processing medical information for assessing insurable risk.

As demonstrated, “legitimate interest” in section 11(1)(f) applies only to ordinary personal information and is not extended to special personal information.  By introducing legitimate interest as a lawful basis for processing health or sex life information, the Draft Regulations expand the list of authorisations beyond what is enacted in POPIA.  This has several implications in that: 

  • it creates a new ground for lawful processing of special personal information that is not authorised by POPIA; 

  • it dilutes the higher standard of protection that POPIA purposefully affords to special personal information, undermining POPIA’s careful distinction between ordinary and special categories of personal information; and 

  • it risks creating regulatory uncertainty. 

In short, while the Regulations are well-intentioned in seeking to provide guidance, they create uncertainty by collapsing legal obligation, consent, and legitimate interest into a single blended framework and by introducing “legitimate interest” as an authorisation for processing health and sex life information, a ground POPIA does not contemplate. 

The Draft Regulations are open for public comment until 10 October 2025. While this article has highlighted one of the most pressing flaws, there are, in our view, numerous other problematic provisions in the draft text. These issues require careful attention because they have the potential to create compliance challenges for employers, medical schemes, pension funds and other affected entities.

We encourage all stakeholders to review the Draft Regulations critically and to submit comments to the Information Regulator before the deadline.  Our team is available to assist affected entities in preparing and submitting well-motivated comments to ensure that operational realities and compliance obligations are properly aligned.