POPIA Compliance
How UCIP protects patient health data under the Protection of Personal Information Act.
Last updated: 8 April 2026
Our commitment
UCIP processes special personal information (health data) as defined in POPIA Section 26. We take this responsibility seriously. Patient data recorded during emergency medical transfers is among the most sensitive information that exists, and we build our platform with that in mind.
This page explains the specific technical and organisational measures we implement to comply with POPIA, the 2026 Health Data Regulations, and industry best practices for healthcare data protection.
Legal basis for processing health data
Processing of health data is prohibited by default under POPIA Section 26. We process health data under the following legal grounds:
Section 32 - Healthcare exemption
Processing by medical professionals and healthcare institutions for treatment, care, and administration of patients.
Section 27(1)(a) - Explicit consent
Where required (e.g., research use, data sharing beyond clinical care), we obtain explicit, informed consent with specific purpose descriptions.
Section 27(1)(d) - Legal obligation
Where processing is required by law, such as medical record retention under HPCSA guidelines and the National Health Act.
In compliance with the 2026 Health Data Regulations, each processing activity is mapped to a specific legal ground with documented justification.
POPIA conditions and how we comply
Accountability
We have appointed an Information Officer registered with the Information Regulator. All staff receive POPIA training. Our processing activities are documented and regularly reviewed.
Processing limitation
We only process personal information with a lawful basis (consent, contract performance, healthcare exemption, or legal obligation). Data is collected for specific, explicitly defined purposes and not further processed in ways incompatible with those purposes.
Purpose specification
Personal information is collected for documented purposes: patient care documentation, dispatch management, billing, staff management, and quality improvement. Each purpose is communicated to data subjects at the point of collection.
Further processing limitation
Health data is not repurposed beyond its original collection purpose. Clinical data collected for patient care is not used for marketing. AI features process data only within the clinical context. Simulation sessions are tagged and excluded from operational analysis.
Information quality
We provide tools for data correction and verification. Vital signs are recorded with accurate timestamps. Clinical entries are attributed to specific authors. Patients and staff can request correction of inaccurate information.
Openness
This POPIA Compliance page, our Privacy Policy, and our Terms of Service are publicly available. Data subjects can contact our Information Officer at any time.
Security safeguards (Section 19)
See the detailed technical measures section below.
Data subject participation
Data subjects may request access to, correction of, or deletion of their personal information by contacting our Information Officer. Consent can be withdrawn at any time. We respond to all requests within 30 days.
Technical security measures
Encryption
- In transit: All connections use TLS 1.2+ (HTTPS enforced with HSTS). Database connections use SSL
- At rest: Sensitive database fields encrypted using AES-256 via ActiveRecord Encryption, including patient ID numbers, allergies, and authentication secrets
- Passwords: Hashed using bcrypt with appropriate cost factor. Never stored or transmitted in plain text
Authentication and access control
- Multi-factor authentication: TOTP-based two-factor authentication available for all accounts
- Role-based access: Admin, clinician, and paramedic roles with graduated access levels
- Organisation isolation: Multi-tenant architecture ensures each organisation can only access its own data
- Session security: JWT tokens with 15-minute expiry. Refresh tokens with 30-day maximum lifetime
- PIN lockout: Mobile app PINs lock after 3 failed attempts
- Rate limiting: Login attempts limited to 10 per minute. API requests throttled to prevent abuse
Audit trail
- All access to patient records is logged with user identity, action performed, timestamp, and IP address
- Clinical actions (viewing sessions, exporting PDFs, sharing records) are individually tracked
- Consent grants and revocations are timestamped and attributed
- Audit logs are retained for the full data retention period
Secure sharing
- Session share links use cryptographically random tokens with configurable expiry
- Collaborator access is time-limited and role-based (view only, can comment, full contributor)
- Access counts are tracked on all shared links
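As an added illustration of the share-link model described above (example code, not UCIP's own implementation; the class, role names and method names are assumptions), a plain-Ruby share link that issues a random token, keeps only its digest, enforces a configurable expiry and role permissions, and counts successful accesses:

```ruby
require 'securerandom'
require 'digest'

# Collaborator roles from least to most privilege, matching the
# "view only, can comment, full contributor" levels described above.
ROLE_PERMISSIONS = {
  view_only:   %i[view],
  commenter:   %i[view comment],
  contributor: %i[view comment edit],
}.freeze

# Constant-time byte comparison so token checks do not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class ShareLink
  attr_reader :role, :expires_at, :access_count

  # ttl_seconds is the configurable expiry. Only a SHA-256 digest of the
  # token is kept, so a leaked database row does not yield usable links.
  def initialize(role:, ttl_seconds:, now: Time.now)
    raise ArgumentError, "unknown role #{role}" unless ROLE_PERMISSIONS.key?(role)
    @role = role
    @expires_at = now + ttl_seconds
    @access_count = 0
    @token_digest = nil
  end

  # Generates the 256-bit random token (OS CSPRNG) and returns it once,
  # for embedding in the link; it is never stored in plain form.
  def issue_token
    token = SecureRandom.urlsafe_base64(32)
    @token_digest = Digest::SHA256.hexdigest(token)
    token
  end

  # Returns :ok when the presented token may perform `action` now,
  # otherwise a reason symbol. Each successful use bumps the access count.
  def authorise(presented_token, action, now: Time.now)
    return :invalid_token if @token_digest.nil? ||
      !secure_equal?(Digest::SHA256.hexdigest(presented_token.to_s), @token_digest)
    return :expired unless now < @expires_at
    return :forbidden unless ROLE_PERMISSIONS[@role].include?(action)
    @access_count += 1
    :ok
  end
end
```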
Consent management
UCIP includes a built-in consent management system that tracks:
- Data processing consent - Required before processing patient personal information
- Data sharing consent - Required before sharing clinical data with referring or receiving facilities
- Research consent - Optional, for anonymised data use in clinical quality improvement
Each consent record captures who consented, when, the type of consent, and any notes. Consent can be revoked at any time, and revocation is timestamped.
Data retention
We retain medical records in accordance with HPCSA guidelines and the National Health Act. Minimum retention periods are enforced. Data is securely deleted or anonymised after the applicable retention period expires. See our Privacy Policy for specific retention periods.
Processing activities register
In accordance with POPIA Condition 1 (Accountability), we maintain a register of all processing activities involving personal information. This register documents what data we process, why, and for how long.
| Processing Activity | Data Categories | Data Subjects | Legal Basis | Retention |
|---|---|---|---|---|
| Patient care records | Health data, identity, vitals, clinical notes | Patients | Healthcare exemption (s32) | HPCSA minimum (varies by record type) |
| ISBAR clinical handoff | Patient identity, clinical summary, vitals | Patients | Healthcare exemption (s32) | Linked to parent session record |
| Consent management | Consent type, grantor identity, timestamps | Patients | Legal obligation (s27(1)(d)) | Duration of care relationship + retention period |
| Billing and invoicing | Organisation details, amounts, service descriptions | Organisations | Contract performance | 7 years (tax and accounting law) |
| AI-assisted clinical documentation | De-identified clinical text, voice recordings | Patients (de-identified) | Healthcare exemption (s32) + consent | Transient (not persisted after processing) |
| Staff account management | Name, email, role, credentials, HPCSA number | Staff / clinicians | Contract performance | Duration of employment + 1 year |
| Dispatch and booking | Patient name, location, clinical priority | Patients, staff | Healthcare exemption (s32) | Linked to parent session record |
| Custom clinical forms | Organisation-defined clinical fields | Patients | Healthcare exemption (s32) | Linked to parent session record |
| Audit trail logging | User identity, action, IP address, timestamp | Staff, patients (indirectly) | Legal obligation (s27(1)(d)) | Full data retention period |
| Security incident tracking | Incident details, affected records, response actions | Staff, patients (if affected) | Legal obligation (s22) | 5 years from resolution |
This register is reviewed and updated when processing activities change. Last reviewed: 8 April 2026.
Cross-border data transfers
In compliance with POPIA Section 72, we minimise cross-border data transfers. Where third-party AI processing is used (e.g., speech-to-text, image analysis), data processing agreements are in place with providers that offer adequate levels of data protection. We are working toward hosting all primary data within South African borders.
Third-party data processors
In compliance with POPIA Sections 20 and 21, we enter into data processing agreements (DPAs) with all third-party operators who process personal information on our behalf. The following processors are currently engaged:
AI Processing Providers
Data shared: De-identified clinical text for speech-to-text, summarisation, and clinical decision support
Cross-border: Yes (United States)
Safeguards: DPA in place, TLS in transit, data not used for model training, de-identification before transmission
Accounting Integration (Xero)
Data shared: Invoice data including organisation names, amounts, and service descriptions
Cross-border: Yes (New Zealand / Australia)
Safeguards: DPA via Xero terms of service, OAuth 2.0 authentication, no health data transmitted
Accounting Integration (Sage)
Data shared: Invoice data including organisation names, amounts, and service descriptions
Cross-border: No (South Africa)
Safeguards: Encrypted API keys, TLS in transit, no health data transmitted
Cloud Infrastructure
Data shared: All application data (encrypted at rest and in transit)
Cross-border: Configurable per deployment (SA-hosted options available)
Safeguards: AES-256 encryption at rest, TLS in transit, DPA in place, SOC 2 certified
Transactional Email Provider
Data shared: Email addresses and notification content (no clinical data)
Cross-border: Yes
Safeguards: TLS in transit, DPA in place, no patient health data included in emails
Payment Gateway (Paystack)
Data shared: Subscription payment details (organisation billing information)
Cross-border: No (South Africa)
Safeguards: PCI-DSS Level 1 certified, no health data transmitted
All DPAs are reviewed annually or when processing changes. We do not share patient health data with any processor except where clinically necessary (AI clinical support) and under strict contractual controls.
Data breach response
In the event of a security breach compromising personal information, we will:
- Contain the breach and assess the scope of compromised data
- Notify the Information Regulator within 72 hours (POPIA Section 22)
- Notify affected data subjects with details of the breach, potential consequences, and recommended protective measures
- Implement corrective measures to prevent recurrence
- Document the incident, response, and lessons learned
AI features and health data
UCIP uses artificial intelligence for clinical decision support. The following safeguards apply:
- AI features are metered and tracked per organisation for transparency
- On-device AI processing (Professional tier) keeps data on the user's device
- Cloud AI processing (Advanced tier) transmits data to third-party providers under data processing agreements
- AI outputs are presented as aids and must be verified by a qualified clinician
- AI-generated content is clearly distinguished from human-authored entries
- No patient data is used to train third-party AI models
Contact our Information Officer
For any POPIA-related queries, data subject requests, or to report a privacy concern:
Information Officer: Drikus van der Walt
Email: privacy@ucip.co.za
Information Regulator:
Tel: 010 023 5200 | Email: complaints.IR@justice.gov.za