The purpose of the Guidance Note is to guide responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.
On 3 April 2020, the Information Regulator ('the Regulator') published a Guidance Note on the Processing of Personal Information in the Management and Containment of the COVID-19 Pandemic ('the Guidance Note') in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). Certain sections of POPIA have been in effect since 2014, but these all deal with procedural and formal matters. There have been reports that the remaining sections of POPIA (those that actually provide substantive protection to the personal information of data subjects) were due to come into effect on 1 April and, had this occurred, they may have assisted with data privacy guidance during this time.
The purpose of the Guidance Note is to guide responsible parties when processing personal information of data subjects who have tested for or are infected with COVID-19, or who have been in contact with such data subjects. Moreover, it aims to give effect to section 14 of the Constitution, the right to privacy, and to guide public and private bodies and their operators on the limitation of the right to privacy when processing the information of data subjects with COVID-19.
Data Management and Processing
The Regulator requires responsible parties to adhere to principles of data management and processing which include accountability, lawfulness of processing, consent, justification, objection, data collection and retention, and data integrity. Briefly, the principles stipulate the following:
- the collection of personal information of data subjects by responsible parties is limited to a specific purpose which is to detect, contain and prevent the spread of COVID-19 ("specific purpose") and responsible parties must process the personal information of data subjects in a reasonable and lawful manner in line with this specific purpose;
- responsible parties are exempt from obtaining consent from data subjects to process their information when processing complies with a legal obligation imposed on the responsible party, protects a legitimate interest of the data subject, is necessary for the proper performance of a public law duty by a public body, or is necessary for pursuing the legitimate interests of the responsible party or of a third party;
- responsible parties must not retain records of personal information of data subjects for longer than is authorised to achieve the specific purpose, and must destroy or delete a record of personal information, or de-identify it, in a manner that prevents its reconstruction in an intelligible form;
- the further processing of personal information of a data subject, which is generally not compatible with the original purpose for which it was collected, is permitted if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of a data subject or another individual or if the information is used for historical, statistical or research purposes, in which case it should not be published in an identifiable form; and
- the responsible party must ensure that the personal information is complete, accurate and up to date, and must maintain documentation of all processing operations which relate to detecting, containing and preventing the spread of COVID-19.
The principles of data management and processing mentioned above are in line with the exemptions provided in section 6 of POPIA and closely resemble the 8 conditions for lawful processing of personal information in Chapter 3 of POPIA. The 8 conditions are: accountability, processing limitation, purpose specification, retention and restriction of records, further processing to be compatible with the purpose of collection, information quality, openness, security safeguards and data subject participation.
Security Measures on Integrity and Confidentiality of Personal Information
The Regulator requires the responsible party to take appropriate, reasonable technical and organisational measures to prevent the loss or damage to, or unauthorised access of, personal information. It also obliges a responsible party who engages an operator to process personal information on its behalf to enter into a written contract with an operator to ensure that the operator establishes and maintains the required security measures when processing personal information. In terms of the Guidance Note, an operator may only process personal information with the knowledge or authorisation of a responsible party and may only disclose such information if required to do so by law, or in the course of the proper performance of its duty.
The Guidance Note closely mirrors section 19 of POPIA, which deals with the security measures on integrity and confidentiality of personal information. However, unlike section 19, the Guidance Note fails to place an obligation on the responsible party to take reasonable measures to identify all reasonably foreseeable internal and external risks to the personal information in its possession or under its control. The Guidance Note does, however, mention the obligation on the responsible party in terms of section 21 of POPIA to enter into a written contract with the operator, and to ensure that an operator that processes personal information for it establishes and maintains the security measures referred to in section 19.
Where there has been unauthorised access to the system of an operator, the Guidance Note obliges the operator to report the incident to the responsible party, and the responsible party must report the incident to the Regulator and the data subject(s) within a reasonable time. This provision mirrors section 22 of POPIA.
The Guidance Note makes no mention of how responsible parties should go about reporting a data breach, whereas section 22(4) of POPIA states that a data breach notification must be in writing and communicated to the data subject in one of various ways, or as directed by the Regulator.
Section 26 of POPIA places a general prohibition on the processing of "special personal information", which consists of the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject, or the criminal behaviour of a data subject. This is subject to section 27, which lists a few exceptions. The exceptions include where the data subject's consent has been obtained, and where the processing of special personal information is necessary for the establishment, exercise or defence of a right in law. The Guidance Note also makes an exception for medical professionals, healthcare institutions or facilities, or social services to process special personal information where such processing is necessary for the proper treatment and care of a data subject in the context of COVID-19. The other exception enables a responsible party to process special personal information subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between a responsible party and a data subject.
In addition, on 26 March 2020, the Minister of Communications and Digital Technologies issued the Electronic Communications, Postal and Broadcasting Directions, under regulation 10(8) of the Regulations made under the Disaster Management Act 57 of 2002. The Directions oblige telecommunications service providers to aid with the tracking and tracing of people. The Regulator confirms in the Guidance Note that Electronic Communication Service Providers are obliged to provide the Government with mobile location-based data of data subjects, and that the Government can use that personal information in the management of the spread of COVID-19, or for the purpose of conducting mass surveillance of data subjects, only if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.