A Guidance Note on the processing of personal information of data subjects in the management and containment of COVID-19 has been published by the Information Regulator. The Guidance Note was published in terms of the Protection of Personal Information Act (POPIA). The issuance of the Guidance Note follows the publication of the Regulations which were made in terms of section 27(2) of the Disaster Management Act in March 2020, including those that allow for the tracking and tracing of infected persons and potentially infected persons via cell phone and location data.
The Guidance Note was issued in recognition of the need to effectively manage the spread of COVID-19, which has necessitated the limitation of certain constitutional rights, and to facilitate the processing of personal information of data subjects for the purpose of curbing the spread of COVID-19. In a statement, the Information Regulator declared that the aim of the Guidance Note is to “give effect to the right to privacy as it relates to the protection of personal information” and to “guide public and private bodies and their operators on the reasonable limitation of the right to privacy when they process personal information of data subjects for the purpose of managing the spread of COVID-19”.
Although the Information Regulator is mindful of the fact that not all the sections of POPIA have come into effect, the Regulator encourages proactive compliance by responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.
Lawful processing
The Guidance Note outlines the conditions for the lawful processing of personal information which responsible parties must comply with when they process personal information of data subjects. “Responsible parties” refer to public and private bodies or any other person which, alone or in conjunction with others, determines the purpose of and means for processing (e.g. collection, receipt, retrieval, usage, dissemination) of personal information. Personal information includes, among others, biometric information, information regarding the physical health of a data subject and location information. In the context of the management of COVID-19, “responsible parties” may include the NCC, National Department of Health, Provincial Department, Local Government, National Institute of Communicable Disease (NICD), National Health Laboratories Services (NHLS), Independent laboratories, Mobile Network Operators and Voluntary Organizations.
The conditions for lawful processing include, among others, the obligations to: (a) process personal information in a responsible, lawful and reasonable manner during the management of COVID-19; (b) ensure that personal information is collected for a specific purpose only, namely to manage the spread of COVID-19; (c) ensure that the personal information is complete, accurate and updated; (d) maintain the documentation of all processing operations which relate to detecting, containing and preventing the spread of COVID-19; (e) put adequate security measures in place to ensure the integrity and confidentiality of personal information of data subjects; and (f) destroy or delete the information when no longer authorised to achieve the purpose of detecting, containing and preventing the spread of COVID-19 unless such information is required for historical, statistical or research purposes and provided that adequate safeguards are in place.
Importantly, it is not necessary for a responsible party to obtain consent from a data subject to process his or her personal information in the context of COVID-19, when: (a) processing complies with the obligation imposed by law on the responsible party; (b) processing protects a legitimate interest of the data subject; (c) processing is necessary for the proper performance of a public law duty by a public body; or (d) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.
Location based data
The Guidance Note also addresses the issue of the provision of location-based data by Electronic Communication Service Providers (ECSPs) to the government in order to track data subjects in the management of COVID-19 or to conduct mass surveillance of data subjects. In this regard, ECSPs are expected to provide the government with the location based data of data subjects, provided that: (a) such provision complies with an obligation imposed by law on the responsible party; or (b) processing protects the legitimate interest of a data subject; or (c) processing is necessary for the proper performance of a public law duty by a public body; or (d) processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied. Government must, however, ensure that it complies with all other applicable conditions for the lawful processing of personal information outlined in the Guidance Note. Electronic Communication Service Providers can also provide the government with location-based data of data subjects and the government can use such personal information for the purpose of conducting mass surveillance of data subjects if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.
Implications
- Employers may request specific information on the health status of an employee in the context of COVID-19, however, the disclosed information should not be used to unfairly discriminate against such an employee.
- Employers can force employees to undergo testing in order to maintain a safe working environment.
- Communication service providers such as Vodacom and Telkom are permitted provide government with location-based data of their users for purposes of managing the spread of COVID-19.
- A data subject may not refuse to give consent to be tested for COVID-19 and the Regulations require any data subject to undergo mandatory testing in order to manage the spread of COVID-19.
- Covid-19 is a notifiable disease and, as such, health authorities should be notified of any positive test results. It is not necessary to obtain the data subject’s consent for these purposes.
- A person who has tested positive has a duty to disclose his or status to enable the government to take appropriate measures to combat the spread of COVID-19.
- All responsible parties, including independent pathology laboratories responsible for the processing of test results, are encouraged to comply with the Guidance Note.
- It is highly unlikely that responsible parties who fail to strictly comply with the Guidance Note will be subject to the penalties envisioned in POPIA. The substantive provisions of POPIA have not been enacted yet. The Regulator has, however, “encouraged” proactive compliance with the Guidance Note.
The Guidance Note makes it clear that although privacy needs to be protected insofar as possible, data and privacy protection measures should not frustrate efforts to manage the spread of COVID-19.
In case of any further queries, please contact us at law@macrobert.co.za.