🏥 MedShield — Complai Africa

Patient Data Protection for Medical Practices

Health data is the most sensitive category under the CDPA. Processing patient records and prescriptions without written consent and a certified DPO carries criminal liability for the practice owner.

📁 MedShield Document Bundle

All of the following documents are included in the bundle:

  • Medical Practice Data Protection Policy (CDPA Section 12 compliant)
  • Patient Written Consent Form (health data)
  • Staff Confidentiality Agreement (all clinical staff)
  • DPIA Template (health data processing)
  • Lab/Specialist Data Processing Agreement (referral data)
  • Breach Response Protocol + DP3 (72-hour POTRAZ rule)
  • Health Data Asset Register (POTRAZ DP1 ready)
Your Legal Obligations

What the CDPA Requires from Your Organisation

These are mandatory legal requirements under Zimbabwe law, currently being enforced by POTRAZ.

CDPA S.12(1)(b)
Health Data is Sensitive Data
Health, biometric and genetic data require explicit written consent before processing. Implied or verbal consent is not sufficient. Every patient signs a consent form.
CDPA S.12(3)
Only Health Professionals May Process
Processing of health data is restricted to registered health professionals. Administrative staff must work under supervision and sign confidentiality agreements.
S.I. 155 S.6
POTRAZ Licensing Tiers
Most practices are Tier 1 ($50) or Tier 2 ($300). Larger hospitals may be Tier 3+. Your DPO determines the correct tier from your patient count.
CDPG 5/2024
Cloud-Based Practice Management
If your practice management software stores patient data outside Zimbabwe, POTRAZ authorisation is required before continuing use.
What Your Plan Includes

Comply Foundations, HealthProtect Extras, and Managed DPO Readiness

MedShield combines your Comply tier with HealthProtect overlays for special-category health data. DPO Shield is the recurring layer for named DPO support and ongoing delivery.

Each item is listed with the package that supplies it:

  • Medical Practice Data Protection Policy (CDPA Section 12 compliant): Comply
  • Patient Written Consent Form (health data): HealthProtect
  • Health Special-Category Checklist (sensitive data handling controls): HealthProtect
  • DPIA Template (health data processing): Comply
  • MoHCC Retention Alignment Schedule (patient records and clinical retention periods): HealthProtect
  • Children's Health Data Addendum (extra controls for minors and guardians): HealthProtect
  • Health Data Asset Register (POTRAZ DP1 ready): Included
  • Compliance Gap Assessment (27-point checklist): Business+
  • DSAR Response Kit (patient access requests): Business+
  • Record of Processing Activities (ROPA) (all health data): Business+
Comply Tier Foundations

ROPA and Impact Assessments from Your Comply Tier

These frameworks come from your Comply package. HealthProtect adds health-specific overlays, while DPO Shield supports ongoing clinical governance and sign-off.

Record of Processing Activities (ROPA)

Required under CDPA Section 13. This is part of Comply Business and above, and becomes the foundation of your POTRAZ-facing operating record.

Your MedShield ROPA covers:

  • Patient names, ID numbers, dates of birth
  • Patient contact details and next of kin
  • Medical history, diagnoses and treatments
  • Prescription and dispensing records
  • Laboratory and radiology results
  • Clinical measurements (height, weight, blood pressure)
  • Medical aid and insurance details
  • Staff employment and payroll records
  • CCTV footage (reception areas)
  • Website and appointment booking data
Included in: Comply Business and above
Data Protection Impact Assessment (DPIA)

Required under CDPA Section 18 before any high-risk processing activity. Comply provides the base framework, while HealthProtect adds health-data-specific prompts and controls.

A DPIA is required when you:

  • Introduce an electronic health record (EHR/EMR) system
  • Implement biometric patient identification
  • Adopt cloud-based practice management software
  • Set up CCTV in clinical areas
  • Share patient data with a new lab or specialist network
  • Store patient records in any offshore cloud service
Included in: all Comply tiers, with scope varying by package
Common Questions

Frequently Asked Questions

We are a small pharmacy with 3 staff. Do we need a DPO?
If you have 50+ data subjects (patients + staff + website visitors), you must register with POTRAZ. Complai Africa helps you prepare the toolkit and identify the right DPO route, but the registration and formal appointment remain the organisation's responsibility.
How long must we keep patient records?
Medical records must be retained for a minimum of 10 years from the last consultation under the Health Professions Act. Prescription records must be kept for 5 years. Your MedShield toolkit includes a retention schedule aligned with both health law and the CDPA.
Can we share patient records with specialists?
Yes, with the patient's explicit written consent and a signed Data Processing Agreement with the specialist. Your toolkit includes a Lab/Specialist Data Processing Agreement template to help you put that arrangement in place.
A patient has asked to see all their data. What do we do?
This is a Data Subject Access Request. Under CDPA Section 21, respond within 30 days. Your higher-tier MedShield package includes a complete DSAR kit: intake form, verification checklist, and response letter templates.


Choose Your MedShield Path

Start with Comply Business, then select the HealthProtect add-on in the next checkout step. Add DPO Shield Business afterward if you need ongoing oversight and help matching with a suitable POTRAZ-certified DPO.