The collection and processing of personal data is regulated to protect privacy and ensure that data collection is proportional to the seriousness of the threat caused by the pandemic.
Contact tracing overview
As COVID-19 cases are rising, the need to contain the spread cannot be more emphasised. An important system used for these purposes is what as known as "contact tracing". This system was first mentioned in Government Notice R.480 of 29 April 2020.
In terms of this regulation, the National Department of Health was obliged to develop and maintain a national data base to enable the tracing of people who are known to or are reasonably expected to have come into contact with people who have tested positive for COVID-19. The information required for tracing people constitutes personal information.
The 29 April regulations additionally required entities in the accommodation industry to submit personal information relating to any individuals who were staying at the accommodation during the lockdown. Furthermore, the Director-General: Health was empowered to request information from electronic communication service providers pertaining to the location and movements of individuals who contracted the virus or may have been in contact with someone who has tested positive. Essentially, the State was given the ability to probe into what happens in a person's private life, a distinct contradiction to the generally accepted rules relating to privacy.
Your right to privacy?
The right to privacy is a fundamental human right enshrined in the Constitution. It provides the basis for keeping details of one's private life out of the public domain. However, due to the global pandemic, it is required to be balanced with the obligation to protect public healthcare rights. As such, a surveillance practice known as 'contact tracing' has been rolled out to manage and contain the spread of the virus.
This empowers the State to limit the right to privacy in order to curb the spread of COVID-19, by collecting personal information of individuals for purposes of tracing those who have been in contact with confirmed coronavirus cases and to monitor the geographical location of new cases in real-time.
Further, the regulations have placed a duty on the accommodation and electronic communications industry to provide the personal information necessary to assist the State in managing the virus. But surely this is a direct infringement of your constitutional right to privacy?
Gaining access to the personal information of people in South Africa from their mobile devices or computer for COVID-19 contact tracing purposes can be a justifiable infringement. The South African Constitution permits the limitation of rights by law but requires the limitation to be justifiable. An infringement on the right to privacy ( in the case of personal data) will not be unconstitutional if it takes place subject to justification for infringing rights in an open and democratic society based on human dignity, equality and freedom. Where an infringement can be justified in accordance with the criteria in s36 of the Constitution, it will be constitutionally valid. Briefly, s36 of the Constitution provides for the limitation of fundamental rights by way of general limitation. It also provides for a two-stage approach, where one must establish (i) whether the right to privacy has been infringed by the law (i.e. regulations governing contact tracing) or the conduct of the Government; and (ii) whether the infringement can be justified as a permissible limitation to the right to privacy (which necessarily depends on a positive answer to the first question).
Protection of Personal Information Act ("POPIA")
POPIA gives effect to Section 14 of the Constitution - the right to privacy - by safeguarding personal information when it is processed by a responsible party, subject to justifiable limitations. In terms of POPIA, a person's geographical location data is classified as personal information and is therefore protected. However, there are certain circumstances in which personal information is exempt from being protected, for example where a public body such as the Department of Health is involved in processing personal information for reasons of public interest in health and safety. On the other hand, health data such as an individual's COVID status would qualify as special personal information in terms of POPI. When special personal information is collected, processed and stored there are additional safeguards that the National Department of Health or private entities would need to adhere to.
In order to observe the 8 conditions for lawful processing of personal information in chapter 3 of POPIA, responsible parties are obligated to adhere to principles of data management and processing, which include accountability, the lawfulness of processing, consent, justification, objection, data collection and retention and data integrity. In order to comply with these conditions, the collection of personal information of persons infected with COVID-19 by the Department of Health or private entities must be limited to a specific purpose which is to detect, contain and prevent the spread of COVID-19 ("specific purpose") and the Department of Health or private entities concerned must process the personal information of data subjects in a reasonable and lawful manner in line with this specific purpose.
POPIA exempts the Department of Health from obtaining consent from persons infected with COVID-19 to process personal information when the processing complies with a legal obligation imposed on the Department of Health, is done to protect a legitimate interest of the persons infected with the virus, and necessitates the proper performance of a public law duty by a public body or is necessary for pursuing the legitimate interests of the Department of Health or a third party. Furthermore, the Department of Health must not retain records of personal information of persons infected with the virus for longer than necessary to achieve the specific purpose and must destroy or delete a record of personal information or de-identify it, in a manner that prevents its reconstruction in an intelligible form.
POPIA goes on to state that the further processing of personal information of persons infected with COVID-19, which is generally not compatible with the original purpose for which it was collected, is permitted if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of persons infected with COVID-19 or another individual or if the information is used for historical, statistical or research purposes, in which case it should not be published in an identifiable form. And lastly, the Department of Health must ensure that the personal information is complete, accurate, and updated and maintain the documentation of all processing operations which relate to detecting, containing and preventing the spread of COVID-19.
The Contact Tracing Regulations
On 25 June, the government made amendments to Regulation 8, which regulates contact tracing. The amendments were published in Government Notice R.480 of 29 April 2020 and amended by Government Notice No. R 608 of 28 May 2020.
The consent of the data subject is a fundamental pillar of South African privacy law. As such, the regulations needed to provide for this. However, they provided that personal information must be stored,, processed and used. As we mentioned, these regulations also empowered certain stakeholders to process information of persons' locations, movements and accommodation. No provisions were made with regard to the consent of the data subject. However, the amendments have addressed some of these concerns by providing that consent be obtained on an "opt-in" basis, with the conditions of the processing strictly outlined. It is unclear from the amended regulations whether this applies only in the context of electronic communication service providers or if it also includes the accommodation industry.
To protect the right to privacy, data management practices that govern the collection and data processing by the National Department of Health are regulated. These practices allow for the development and maintenance of a COVID-19 database. Furthermore, it ensures that the data collection by the National Department of Health or private entities is proportional to the seriousness of the threat caused by COVID-19. The practices are limited to what is necessary for the South African government to achieve the specific public-health objective of combating COVID19 and that all measures taken are in line with POPIA and the Constitution. The regulations also contain nine safeguards to mitigate privacy invasion with the interest of public health at stake (see our Regulation Safe Guards for further information on the safeguards).
For further reading on the topic, here's an article on South Africa's contact tracing app.
Originally published 28 July 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.