Privacy Policy

Privacy Statement

of the Office of Health Standards Compliance (“OHSC”)

and Office of the Health Ombud (“OHO”)


Who we are


Our website address is:

Terms of Use

This website supports Chrome and other internet browsers.

The material or content contained in these web pages is provided for general information purposes only.

While every care and effort has been taken to ensure the accuracy of the information provided, the Office of Health Standards Compliance (“the OHSC”) and the Office of the Health Ombud (“the OHO”) make no representation and give no warranty, whether express or implied, relating to the correctness of the information published on these web pages. The OHSC and the OHO accept no responsibility for, and the user indemnifies the OHSC and the OHO and holds them both harmless from, any loss, liability, damage or expense of whatsoever nature (including but not limited to direct, indirect and consequential loss), arising from the reliance on information contained in these pages, or otherwise connected with the information in these pages [whether arising from breach of contract (fundamental or otherwise), delict, negligence, gross negligence or otherwise].

Except where otherwise stated, the copyright of all the website contents is owned by the OHSC. No part of the site contents may be reproduced or transmitted or re-used or be made available in any manner or any media, unless prior written consent has been obtained from the OHSC Information Officer.

In the event of any dispute of whatever nature arising as a result of the use of the information in these web pages, the user (including users resident outside the Republic of South Africa) accepts that the law of the Republic of South Africa shall apply. The content of this website is intended for general information only and is not intended to serve as advice.


If you have further questions about the disclaimer, please do not hesitate to privacy@ohsc,



The OHSC and the OHO have a legal mandate in terms of the National Health Amendment Act No 12 of 2013 to protect and promote the health and safety of users of health services in South Africa by:

  • Monitoring and enforcing compliance by health establishments with prescribed norms and standards set by the Minister of Health and do this through a process of conducting inspections and certification and enforcement of compliance those standards; and


  • Ensuring and investigating breaches of those standards and withdrawing such certification if necessary and investigating and resolving complaints relating to the national health system to ensure the safety of users of health care services.


The Office of the Health Ombud (OHO) is an independent function also established in terms of the National Health Amendment Act No 12 of 2013 and is responsible for the investigation and adjudication of complaints relating to the breach of norms and standards from health care users. The Ombud is accountable and reports directly to the Minister of Health. Currently the OHO is assisted by staff designated and seconded by the OHSC with the concurrence of the Ombud. The Complaints Management and Information Management functions and the website is jointly hosted and serviced by the OHSC and its Information Communication and Technology Unit.

To achieve its objectives as set out above, the OHSC and OHO must collect and use information, including personal information as defined in the Protection of Personal Information Act No 4 of 2013. Personal information means information which alone or jointly with other factors identifies you as a person. This includes information such as your name, contact details, telephone number, biometric information, registration number and any other information we collect.

The OHSC and OHO treats all personal information collected through different channels as private and confidential. The purpose of this Privacy Statement is to explain how and why we use your personal information and what steps we will take to ensure that your personal information is adequately safeguarded in the course of our business processes as a regulator and as an employer.

​Right to change this Privacy Statement

This Privacy Statement may in future be amended to align with changes in the law or changes in technology which impact on how we process your personal information. We will publish all changes which describe our new practices on our websites, and the latest version will replace previous versions.

Collection of personal information

Personal information is collected directly from you and may be collected indirectly from other external sources for purposes of fulfilling our legislative mandate and sector specific obligations.

Due to the nature of the work of the OHSC and OHO, we need to have a complete view of the national health system and health establishments which we regulate, understand their operations and the consumers of health care services and be proactive and pre-emptive in effectively identifying risks that impact on the achievement of our mandate. In order to effectively achieve this, the OHSC and OHO must collect information from multiple sources, which include:

  • Other health care regulators. These regulators may be inside or outside of South Africa
  • Media sources such as newspapers, social media and the broadcast news
  • Law enforcement agencies such as the South African Police Service
  • Members of the public
  • Whistle-blowers
  • Our service providers
  • Recruitment agencies

Why do we collect personal information?

We collect your personal information for a number of reasons which include the following:

  • To monitor and evaluate compliance with norms and standards as prescribed by the Minister of Health for various categories of health establishments for which the OHSC is the responsible certification authority (our regulatory mandate).
  • Monitor and analyse the indicators of risks as an early warning system relating to breaches of norms and standards and report them to the Minister of Health to apply an appropriate intervention.
  • Identify areas of risk and make recommendations for intervention by a national or provincial or municipal health department as appropriate -to ensure adequacy of compliance with the prescribed norms and standards.
  • In addition to the external regulatory mandate in respect of health establishments that make up the national health system, we also manage the employment relationship and systems for our employees.
  • For processing your application for employment, where you have applied for employment with us.

What personal information do we collect?

Each of our divisions collect and process different attributes of your personal information at specific points of either our legislative regulatory mandate or for internal business purposes such as HR or procurement. Please see below a non-exhaustive list of personal information categories that we collect and process.

  • Identifying number (employee number; company registration numbers, ID number),
  • e-mail addresses, physical address, telephone number
  • Names, surname, marital status, nationality, age, physical health status, mental health status, well-being, disability status, language, date of birth.

Some of this information may be more prevalent in our employment processes than in the core regulatory business divisions.

  • Biometric information such as fingerprinting, particularly in our employment processes.
  • Information on your race, ethnic or social origin, criminal recordings/proceedings.
  • Education, medical, financial, employment information 


​We may not be able to carry out our legislative oversight mandate of health establishments or provide our services to the public, employ you or procure your services without relevant aspects of your personal information, that has been lawfully acquired. 


In the course of conducting inspections or investigations of health establishments we may come into possession of your personal information in instances where the OHSC and the OHO have a legislative mandate to provide this public oversight function which we nonetheless will carry out with due regard to your privacy and the sensitivity of the information collected for regulatory purposes. In such instances obtaining your consent is not practical and is therefore subject to the Protection of Personal Information. Should we be required to disclose such information while reporting on our regulatory functions we will ensure that your rights as a data subject are duly recognised and will only disclose specifics of your personal information –- if the law requires or permits it.  

Publication and access to OHSC and OHO registers

The OHSC and OHO collectively, make accessible certain information to the public on its website(s), such as lists of regulated entities and persons. The accessible information includes the details of the regulated health establishments, its contact information, names of appointed compliance officers, key individuals etc.

We will only make accessible limited information that will allow the public the ability to verify licensed entities and persons and contact them for their needs, where necessary. 

The use of Third Parties

We will from time to time share your personal information with third parties with whom we have concurrent regulatory jurisdiction or use as service providers. We will only disclose your personal information if: 

  • It is necessary to fulfil our regulatory in terms of the National Health Amendment Act
  • The law requires it for any other purpose
  • For necessary business purposes
  • We have a public duty to disclose the information
  • Your legitimate interests require disclosure or
  • You have, in certain instances – directly provided consent for us to disclose your information. 


These third parties may include but not necessarily be limited to:

  • OHSC and OHO service providers
  • Other regulators (including foreign regulators)
  • Law enforcement agencies
  • Verification agents (such as those we use for employment screening)


Where applicable, we request the third parties with whom we share information, to take adequate measures and comply with applicable data protection laws and ensure the adequacy of the safeguards they use in their processes to protect the information we are disclosing to them. We do this through appropriate contractual arrangements with these third parties. We also take internal measures to ensure that the third parties we appoint have adequate and appropriate measures to protect the information we provide to them, in whatever format.

Transborder information flows

Where necessary and appropriate, your personal information may be processed in other countries for:

  • Business purposes, in instances where our third parties are located in countries outside of South Africa.
  • Sharing with other regulators outside of South Africa for fulfilling a legislative mandate
  • Law enforcement agencies for investigation purposes.


These countries may not have the same level of data protection laws as South Africa. However, before we transfer personal information outside South Africa, we have stringent processes to ensure that appropriate organisational and data security safeguards are put in place to protect the personal information which includes contractual and internal due diligence measures. 

Your Rights

You have rights as a data subject which you can exercise in relation to the personal information, we hold about you.  To enquire or enforce these rights – requests must be made in writing,to the OHSC Deputy Information Officer on the contact details provided in this statement. 


You can exercise your right to:

  • Request access to the information we hold about you. For this please visit our PAIA Manual to learn more about the process for request to access to information.
  • We may, as permitted by law in certain circumstances, charge a fee for this service.
  • Make a request for the correction or deletion of your personal information or that of any data subject in our possession or under our control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading, or obtained unlawfully.
  • Make a request for the destruction and deletion of your personal information that we are no longer authorised to retain.
  • Object to the way in which we process your personal information.
  • Complain to us about the way we use your personal information using the contact details of the Deputy Information Officer. If you are not satisfied with how we handle your complaint, you can lodge a complaint with the Information Regulator using their details provided in this statement.
  • Query a decision that we make about some of our services that was made solely by automated means.
  • ​It is important to note that these rights are not absolute and must be balanced against other competing rights. As such they may be limited owing to the nature of our public interest mandate. We may also rely on certain exceptions which may impact on your rights, for example, when conducting inspections of health establishments, we view patient files without your direct consent to evaluate compliance with norms and standards of care as it is a legal obligation of the OHSC, and we are acting in the interests of all health care users. You have a right to object or the right of access to certain information may also be limited. We will only do this where the public interest which we are mandated to protect outweighs to a substantial degree interference with your privacy. Where possible in terms of law, we will explain the exception we are relying on and its impact on your rights. 

Our Security Practices

Our security systems and controls are designed to maintain confidentiality, prevent loss, unauthorised access and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.

Anonymous collection of data from use of our website

We monitor user experience while you are using our website and collect anonymous connection statistics through our monitoring solution. This is to improve our website service and add value to you when you visit our website. 


Use of cookies on website

We use cookie technology on our website. Cookies are small files which are stored on a user’s computer or device when you use our website(s). We have non-essential cookies that enable us to distinguish users, and strict electronic communication transport security protocols which allows a website to declare itself as a secure host. Should you wish to disable the use of this technology please click on the link below.


Links to other websites on our website

Our website may have links to or from other websites of other regulatory bodies that are not operated by the OHSC or OHO. We request that you read and familiarise yourself with the privacy and security policies of these other websites as we are not responsible for the privacy and security of the websites mentioned -but only manage the websites of the OHSC and the OHO. 

Use and monitoring of electronic communications

It is important that we keep the public abreast of any development that has a public interest. As such we communicate with you and the public using different channels, including the media.

Retention of personal information

Our retention schedule and information policies define how long we keep all types of records, including any personal information we process in the different divisions. Personal information is retained and destroyed as required or authorised by law, and for defined purposes related to the activities of the OHSC and OHO. 

How to contact us

If you have any queries, about our privacy notice and how we process your personal information, please contact the: OHSC Deputy Information Officer at

​Physical address:

Office of Health Standards Compliance (OHSC)
79 Steve Biko Road

If you have any complaints/ need clarification about how we handle your information you may direct those queries to the Deputy Information Office or escalate them in respect of unresolved complaints for resolution to:

South African Information Regulator: contact details are as follows: 

Physical Address:

JD House, 27 Stiemens Street

Postal Address:

P.O Box 31533
Johannesburg, 2017
Complaints email:  
General enquiries email:
Website: ​