All you need to know about COVID-19 track and trace rules
The Information Regulator has acknowledged the need to track and trace infected persons and potentially infected persons to effectively manage the spread of the COVID-19 pandemic necessitates a limitation of various constitutional rights.
On Friday, the regulator issued a Guidance Note on the processing (eg, collection, receipt, usage) of personal information of data subjects in the management and containment of COVID- 19.
It is issued in terms of the Protection of Personal Information Act (POPIA).
The regulator’s note comes after the Department of Cooperative Governance and Traditional Affairs and ministers of the National Command Council last week announced enhanced lockdown regulations, including those that allow tracking and tracing via cellphones.
In a statement, the Information Regulator says the issuance of the Guidance Note follows the publication of the regulations which were made by the minister of cooperative governance and traditional Affairs, Dr Nkosazana Dlamini-Zuma, in terms of section 27(2) of the Disaster Management Act in March 2020 and the subsequent amendments thereto.
It says the purpose of the Guidance Note is to guide public and private bodies and their operators on the reasonable limitation of the right to privacy when they process personal information of data subjects for the purpose of managing the spread of COVID-19.
“The regulator recognises the need to effectively manage the spread of COVID-19, which has necessitated the limitation of various constitutional rights and supports the need to process personal information of data subjects for the purpose of curbing the spread of COVID-19,” says advocate Pansy Tlakula, chairperson of the Information Regulator.
Lawful processing of personal information
The Guidance Note outlines the conditions for the lawful processing of personal information which public and private bodies must comply with when they process personal information of data subjects.
The regulator says these conditions include the following obligations: to ensure that personal information is collected for a specific purpose only, namely to manage the spread of COVID-19; to put adequate security measures in place to ensure the integrity and confidentiality of personal information of data subjects; and to destroy or delete the information when no longer authorised to retain it.
Tlakula says the Guidance Note also addresses the issue of the provision of location-based data by Electronic Communication Service Providers (ECSPs) to government to track data subjects in the management of COVID-19.
In this regard, the Guidance Note stipulates the ECSPs should provide the government with the location-based data of data subjects which the latter can use for managing COVID-19 if such provision complies with an obligation imposed by law, among other requirements.
However, Tlakula says, government must ensure it complies with all other applicable conditions for the lawful processing of personal information outlined in the guidance.
“The regulator is cognisant of the fact that not all the provisions of POPIA have come into effect. However, it encourages proactive compliance with POPIA in order to give effect to the right to privacy as it relates to the protection of personal information.”
Commenting on the Guidance Note, Alon Alkalay, tech law advisor at Endcode, says: “The regulator affirmed that communications service providers such as Vodacom and Telkom are able to provide the government with the location-based data to be used for managing COVID-19 where such provision arises from a legal obligation.”
Alkalay points out the regulator lists conditions for the lawful processing of personal information which public and private bodies must comply with when they process personal information.
Describing the impact on individuals, Alkalay says under the Guidance Note:
- A person who has tested positive for COVID-19 has a duty to disclose his or her status;
- A data subject may not refuse to give consent to be tested for COVID-19;
- An employer can force an employee to undergo testing in order to maintain a safe working environment;
- An employer may request specific information on the health status of an employee in the context of COVID-19;
- Communication service providers may process location-based data and provide the data to government to manage the spread of COVID-19; and
- Privacy of health information insofar as it relates to COVID-19, and your location data is limited under the circumstances.
Alkalay points out that where employers are collecting information to detect, contain and prevent the spread of COVID-19 in the organisation, the employer should not retain records of such personal information for longer than authorised (for such purpose).
“This limitation on the use of personal information falls away if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of the person or another individual,” he says.
“The information may also be used for historical, statistical or research purposes and cannot be shared in a way that discloses the identity of any person. Employers should also maintain records of all operations which relate to collecting of employees’ personal information for detecting, containing and preventing the spread of COVID-19.”
No POPIA consequences
Nonetheless, Alkalay says organisations would not be subject to the POPIA’s penalties and sanctions if they do not comply with the Guidance Note.
“We say this for the following reasons. The substantive provisions of the POPIA (containing rights and duties for data subjects, responsible parties and operators) are not yet in force.
“The Guidance Note encourages proactive compliance and is issued to support organisations balancing measures to combat COVID-19 while navigating avoidance of undue limitations of rights to privacy.”
Alkalay notes all public and private organisations collecting and processing personal information under the circumstances do, however, need to ensure compliance with the provisions of the Disaster Management Act and the regulations issued under it, or face offences and penalties recorded in the Disaster Management Act.
“Importantly, each of the organisations will want to ensure strict compliance with the Department of Cooperative Governance and Traditional Affairs amended regulations issued on 2 April. Chapter three specifically provides for limited tracing of persons who are known or reasonably suspected to have come into contact with any person known or reasonably suspected to have contracted the virus.
“The information that should be included in the tracing database is limited to names, identity numbers, contact information, COVID-19 test results. The period is limited to 5 March 2020 until the date of termination of the national state of disaster.”
He explains the information collected is to be regarded as confidential and no person may disclose the information unless authorised to do so, or the disclosure is necessary for the “purpose of addressing, preventing or combatting the spread of COVID-19”.
To provide for oversight of these processes and ensure no abuse of the database occurs, a designated judge will be furnished with a weekly report from the health department’s director-general, setting out the names and details of all persons whose location or movements were obtained.
Electronic communications interception
Alkalay says information collected may only be retained by the director-general for a period of six weeks, after which it should be destroyed.
“Critically, nothing in the regulation entitles the director-general of health or any other person to intercept the contents of any electronic communication.
“The amended regulations do not direct the Internet and digital sector in general to provide location-based services to the relevant authorities, only licensed communication service providers.
“Assessing the adequacy of the balance struck between the right to privacy and other competing rights in the context of public safety measures to combat the COVID-19 pandemic is a delicate enquiry,” Alkalay says.
“Certainly, the amended regulations issued on tracking and tracing in its clarity on limitations and oversight and accountability measures is a positive step. The Information Regulator makes a point to address individual concerns regarding privacy and for the time being, at least while the data protection law is not in force, a watch on individual privacy implications is clearly where the Information Regulator is key,” he concludes.