Most epidemiologists are of the opinion that if we are testing for and not consequently tracing for COVID-19 infections, we will likely get incomplete information on how to combat COVID-19. In our previous article published on 4 May 2020 we discussed the extent of COVID-19 pandemic control through the use of personal data and how the Information Regulator, through its published guidance note, confirmed that telecom operators would be permitted to provide the government with the location data of data subjects.
The government has to date also been relying on community health care workers to screen the public for COVID-19 symptoms and track others who have come into contact with infected persons. This does not however appear to be conclusive and it is therefore crucial for government to leverage technological capabilities in the fight against COVID-19.
About the COVI-ID App
The COVID-19 pandemic has seen governments across the world developing technologies to trace and contain the spread of the virus through contact tracing apps. Recently, the South African government has partnered up with the University of Cape Town to develop COVI-ID. COVI-ID is a smartphone app to assist people who have come into contact with people who have tested positive for COVID-19 and those who may be unaware that they have COVID-19. The COVI-ID app is a voluntary app that uses bluetooth and geolocation to collect a data subject's personal information.
The personal information will be the data subject's personal location and infection status which will be stored on the data subject's phone using self-sovereignty identity.
Self-sovereign identity is a technology used to manage digital identities which means that data subjects have control over the manner and method in which their personal information is kept and used because the personal data is stored on their devices, without the need to rely on a central repository. Similarly, in the case of the COVI-ID app, the personal information is saved on the data subject's personal device and not on a centralised government or private-sector database.
The COVI-ID app is designed in such a way that it protects the privacy of data subjects as they have the authority to control who has access to their personal information data. This means that data subjects can decide whether or not to share their data with public health authorities. In the event that they elect to share their personal information via the COVI-ID app, they have the authority and control to decide who has access to the data, the purpose for which it is used and for how long the authorised persons have access to it.
GDPR Compliance
The COVI-ID app makes use of a General Data Privacy Regulation ("GDPR") based privacy policy and is said to comply with the Protection of Personal Information Act, 4 of 2013 ("POPIA") (which is still to become effective in future). It is essential for contact tracing apps such as COVI-ID to be transparent and to be compliant with Articles 13 and 14 of the GDPR, as well as section 5 of POPIA which deals with the rights of data subjects. Articles 13 and 14 of the GDPR deal with the information that must be provided to the data subject when a controller collects personal data from the data subject. In terms of Article 35 of the GDPR, a data protection impact assessment would need to be conducted in order to mitigate risks to rights and freedoms of data subjects.
Where new technologies are used to process personal information, an impact assessment should be carried out by taking into account the nature, scope, context and purpose of processing personal information to determine whether the processing of personal information is likely to result in a high risk to rights and freedoms of data subjects.
COVI-ID is said to comply with the principle of data minimisation and purpose limitation given that the personal information that is collected is used for a specified purpose.
Track-and-trace Regulations
The COVI-ID app honours the safeguards to mitigate privacy invasion provided for in regulation 8 of the track-and-trace regulations issued in terms of section 27(2) of the Disaster Management Act 57 of 2002 ("the Regulations"). In terms of the Regulations, only authorised persons may disclose information contained in the COVID-19 tracing database or any information obtained through regulation 8 of the amended Regulations provided that it is necessary for the purpose of addressing, preventing or combatting the spread of COVID-19. It is unclear whether this applies to the information collected via the COVI-ID app. In the event that it applies, there is a limitation placed on the government on the purpose for which it may use the personal information. Where the processing of personal information by the government is not compatible with the original purpose for which it was collected, it must be necessary for the prevention of a serious and imminent threat to public safety or public health, the life or health of a data subject or another individual. This exception is applicable if the information collected is used for historical, statistical or research purposes. Accordingly, the information contained on the COVID-19 tracing database is kept strictly confidential and may only be disclosed by authorised persons.
Contact tracing, when combined with physical distancing and regular testing has proven to be a powerful asset in controlling the spread of COVID-19 worldwide. Contact tracing through the COVI-ID app has the potential to play an instrumental role in combatting COVID-19 by tracing and locating anyone who has been in contact with COVID-19 positive persons. This tracing, it would appear, can all be done without violating the data subject's right to privacy and this is welcomed.
Originally published 03 June 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.