The Information Regulator has referred the National Department of Health (NDoH) to the Enforcement Committee over the issue of certain personal information the department collected as part of the management of the spread of COVID-19.
In a statement, the information watchdog says this decision follows numerous unsuccessful requests for information to the NDoH made by the regulator.
According to the authority, referral to the Enforcement Committee can culminate in an enforcement notice, which has the same effect as a court order.
Faced with an increased number of complaints over the unlawful processing of personal information, South Africa’s Information Regulator in August announced the establishment of an Enforcement Committee.
It is chaired by advocate Helen Fourie SC, and Simonè Magardie serves as the alternative chairperson.
Fourie is a member of the Pretoria Society of Advocates and has served as an acting judge in the North Gauteng High Court.
Safeguard guarantee
The regulator notes that in April 2020, the contact tracing regulations were issued in terms of the Disaster Management Act. These regulations authorised the compilation of an electronic COVID-19 contact tracing database for the purpose of managing the spread of the virus, it says.
The database was supposed to contain information such as the first name, surname, identity or passport number, residential address and COVID-19 test results of people who are known or suspected to have come into contact with persons known or suspected to have contracted COVID-19.
The regulator points out these regulations directed that the NDoH, as the custodian of the database, must, within six weeks of the lapse of the National State of Disaster, destroy or de-identify the information in the database.
Further to that, the de-identified information could only be used for research, study or teaching purposes, it adds.
The regulator says it had sought to obtain confirmation and guarantees from the NDoH that personal information collected during COVID-19 had been de-identified or destroyed after the lifting of the National State of Disaster.
After the National State of Disaster was declared, the regulator issued (on 3 April 2020) a guidance note on the processing of personal information in the management and containment of COVID-19.
According to the watchdog, the note indicated that during and/or after the National State of Disaster, the regulator will monitor compliance with the guidance note and regulations by the NDoH.
Since May 2022, it states, the regulator has been demanding from the NDoH a report indicating how the department is complying with the lawful processing of personal information collected during the COVID-19 response.
Specifically, it adds, the regulator wanted the NDoH to advise whether it had destroyed and/or de-identified the information that had been transferred to it during the National State of Disaster, in accordance with the procedure set out in the Disaster Management Regulations, and to provide the regulator with evidence of such action.
Additionally, the regulator wanted the NDoH to confirm it had obtained a report from an expert third-party IT security firm as to the reliability and suitability of the IT security safeguards in place in relation to personal, location and health data held by, or on behalf of, government in relation to COVID-19. The regulator wanted access to this report.
It explains this report was recommended to the minister of health by retired justice Kate O'Regan, who had served as the designated judge to monitor the implementation of the track and trace programme to protect people’s privacy.
“Despite acknowledging receipt of the regulator’s letters, the NDoH failed to accede to the regulator’s requests or explicitly refused to comply,” it says.
“This is despite a formal Information Notice in terms of section 90 of POPIA [Protection of Personal Information Act] that the regulator issued in November 2022. The Information Notice wanted the same information that was requested in previous letters to the NDoH. There was no response to the Information Notice. Therefore, the regulator is left with no other option than to refer the matter to the Enforcement Committee in terms of section 92(1) of POPIA.”
Ensuring accountability
Advocate Pansy Tlakula, chairperson of the regulator, says: “The regulator is obliged to monitor the NDoH and the National Institute for Communicable Diseases for compliance with the guidance note we issued on the processing of personal information in the management and containment of the COVID-19 pandemic.
“This guidance note was issued in terms of POPIA and requires that the NDoH submits its report to Parliament as indicated. Compliance is not optional. Personal information that was collected during the pandemic included special personal information of people, such as COVID test results, and there must be accountability for how that personal information has been handled.
“We have been lenient with the NDoH on this point, but we would be failing the data subjects if we, as the regulator, do not take action to ensure there is compliance and accountability.”