PERSONAL INFORMATION PROTECTION (POPIA) POLICY

Grounded Well Wise Pty Ltd & Jonas Occupational Therapists Inc

  1. Purpose of this Policy

This Policy sets out how personal information is collected, used, stored, shared, and protected by Grounded Well Wise Pty Ltd and Jonas Occupational Therapists Inc in compliance with the Protection of Personal Information Act, 2013 (POPIA).

The purpose is to:

  • Ensure lawful and ethical handling of personal information
  • Protect the privacy of patients, employees, and stakeholders
  • Support safe, professional, and compliant service delivery

  2. Organisational Structure and Responsibility

Grounded Well Wise Pty Ltd and Jonas Occupational Therapists Inc are separate registered legal entities but operate in an integrated manner.

  • Grounded Well Wise Pty Ltd is responsible for:
    • Administration
    • Information systems
    • Data storage and governance
  • Jonas Occupational Therapists Inc is responsible for:
    • Clinical service delivery
    • Collection and use of patient information in therapy contexts

Depending on the context:

  • Either entity may act as a Responsible Party as defined in POPIA
  • Staff may act as Operators when processing information on behalf of the Practice

This unified policy applies across both entities to ensure consistent compliance.

  3. Scope of Application

This Policy applies to all:

  • Employees and contractors
  • Patients and their families
  • Referrers (e.g. doctors, case managers, employers)
  • Medical schemes and insurers
  • Any third parties interacting with the Practice

It covers all personal information processed in:

  • Clinical services
  • Administrative functions
  • Recruitment and employment
  • Digital and physical records

  4. Types of Personal Information We Process

The Practice processes:

4.1 General Personal Information

  • Names, ID numbers, contact details
  • Employment and financial information
  • Communication records

4.2 Special Personal Information (highly sensitive)

  • Health and mental health information
  • Therapy notes and assessments
  • Medico-legal and rehabilitation reports

All such information is handled with strict confidentiality.

  5. Principles for Processing Personal Information

The Practice applies the following POPIA principles:

5.1 Lawfulness and Transparency

Personal information is processed:

  • Lawfully and fairly
  • For clear and legitimate purposes
  • With appropriate awareness or consent where required

5.2 Purpose Limitation

Information is collected only for:

  • Clinical care
  • Administrative and operational functions
  • Legal and contractual obligations

Information is not used beyond the original purpose unless:

  • Consent is obtained, or
  • Required by law

5.3 Data Minimisation

Only information that is:

  • Relevant
  • Adequate
  • Necessary

is collected and used.

5.4 Information Quality

Reasonable steps are taken to ensure information is:

  • Accurate
  • Complete
  • Updated where necessary

5.5 Security Safeguards

The Practice takes appropriate technical and organisational measures to:

  • Prevent unauthorised access
  • Protect against loss, misuse, or damage
  • Ensure confidentiality of personal information

5.6 Retention and Destruction

Personal information is retained:

  • In accordance with legal, clinical, and HPCSA requirements
  • Only for as long as necessary

When no longer required, records are:

  • Securely destroyed
  • De-identified where appropriate

  6. Clinical Information Handling

Special care is taken in relation to clinical information, including:

  • Therapy notes and assessments
  • Group therapy participation
  • Reports to employers, insurers, or legal entities

Information is:

  • Shared only with appropriate consent or legal justification
  • Limited to what is necessary for the intended purpose

Group therapy confidentiality is emphasised, but cannot be fully guaranteed due to the nature of group settings.

  7. Sharing of Information

Personal information may be shared:

  • With treating professionals involved in care
  • With funders (e.g. medical schemes, insurers)
  • With employers (where consent or legal basis exists)
  • When required by law or court process

Only relevant information is disclosed.

  8. Internal Access and Multi-Site Operations

Authorised staff may access personal information:

  • Across practice locations (e.g. Johannesburg, Durban)
  • On a need-to-know basis

All access must comply with:

  • Confidentiality requirements
  • This Policy

  9. Digital Communication and Systems

Personal information may be processed via:

  • Email systems
  • Practice management software
  • Cloud-based storage platforms
  • Telehealth platforms

Use of informal communication tools (e.g. WhatsApp) must:

  • Be minimised
  • Maintain confidentiality
  • Avoid transmission of sensitive information where possible

  10. Employee and Contractor Information

The Practice processes personal information relating to:

  • Recruitment
  • Employment records
  • Performance and operational management

All employee information is:

  • Treated as confidential
  • Processed in accordance with POPIA and labour law

  11. Consent

Where applicable:

  • Consent will be obtained for collection and use of personal information
  • Consent may be withdrawn at any time, subject to legal or contractual limitations

Clients will be informed of:

  • The purpose of data collection
  • Consequences of withholding or withdrawing consent

  12. Data Subject Rights

Individuals have the right to:

  • Access their personal information
  • Request correction or updating
  • Request deletion where appropriate
  • Lodge a complaint

Requests must be submitted to the Information Officer.

  13. Information Officer

The Practice appoints an Information Officer responsible for:

  • POPIA compliance
  • Managing access requests
  • Handling complaints

Details:

  • Name: Haneke Jonas
  • Email: [email protected]
  • Address: Mayo Clinic 5, Joseph Lister St, Constantia Kloof, 1715.

  14. Breaches and Complaints

If a data breach or concern arises:

  • It must be reported immediately to the Information Officer
  • The Practice will investigate and respond as required

Complaints will be:

  • Acknowledged
  • Investigated
  • Responded to within a reasonable timeframe

  15. Staff Responsibilities

All staff must:

  • Maintain confidentiality
  • Handle information securely
  • Follow Practice policies and procedures
  • Report risks or breaches promptly

Failure to comply may result in disciplinary action.

  16. Policy Implementation and Review

The Practice:

  • Provides training on data protection
  • Maintains supporting procedures and forms
  • Reviews this policy periodically.