Information Regulator monitors DOH for POPIA compliance

Sibahle Malinga
By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 25 Apr 2022

The Information Regulator (IR) says it will monitor compliance by the National Department of Health (DOH) and National Institute for Communicable Diseases (NICD) with the Protection of Personal Information Act (POPIA).

According to a statement, in September 2020, the enforcer of SA’s privacy law submitted its report to Parliament undertaking that at the end of the National State of Disaster, it will monitor compliance by the DOH with POPIA in general and the guidance note in particular.

Earlier this month, president Cyril Ramaphosa announced the National State of Disaster would be lifted from 5 April, after 750 days since inception.

During the National State of Disaster, government had to take unprecedented measures to identify prevalence of COVID-19 and containment of the spread of the virus − done through conducting over 24 million COVID-19 tests and deploying tracking methods and tools.

The IR says the COVID-19 testing, vaccination and track-and-tracing of necessity required collection by the DOH of vast amounts of personal information. This large-scale possible invasion of privacy and processing of personal information was and is still one of the regulator’s concerns during and after the National State of Disaster.

This led to the regulator issuing a guidance note on the processing of personal information in the management and containment of COVID-19. In the note, the regulator emphasised the importance of compliance with all conditions for lawful processing of personal information.

De-identification requirements

In accordance with section 89 of POPIA, the IR says it has requested the DOH to report to it no later than 29 April on how it and/or NICD will comply with applicable conditions for lawful processing of personal information.

This includes reference to section 14 of POPIA, which provides that records of personal information must not be retained any longer than necessary for achieving the purpose for which the information was collected or subsequently processed.

“In particular, the regulator wants to know the measures taken or to be undertaken to ensure compliance with the de-identification requirements, the retention period for personal information collected for track-and-trace purposes, and the method or manner to be applied in destroying or deleting the records of personal information. The regulator undertook to ensure personal information on the COVID-19 tracing database is de-identified, which means any information that can be used to identify a person is deleted,” says the IR.

By this action, the IR says it wants to ensure the de-identified personal information is used strictly for research, study and teaching purposes only. The info watchdog says it undertook to monitor processes in place for destroying all personal information on the COVID-19 tracing database which had not been de-identified.

In addition, the regulator says it wants to know whether the NICD or DOH intends to transfer or has transferred the personal information to a third-party that is in a foreign country and the level of protection afforded to the information by the foreign country.

Lastly, the regulator wants the DOH and NICD to provide details about the nature or category of the special personal information and personal information of children held by or under the control of these institutions.

“The regulator requires this information from the DOH and NICD in order to determine if it is necessary or appropriate to conduct compliance assessment on the Department of Health and NICD, which we are empowered to do in terms of section 89 of POPIA,” explains advocate Collen Weapon, a member of the regulator.

Breaching the rules and regulations outlined by POPIA can have serious implications for the organisation, which can have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.