In response to the management and containment of Covid-19 in South Africa, the Information Regulator, established in terms of the Protection of Personal Information Act, has issued a guidance note on the processing of personal information of data subjects – the person whose personal information is being accessed, reports law firm Lawtons.
The firm states that the purpose of the guidance note is to guide public and private bodies and their operators on the reasonable limitation of the constitutional right to privacy when processing personal information for purposes of managing the spread of Covid-19.
The guidance note was issued following the publication of revised regulations by the Cooperative Governance and Traditional Affairs Minister Nkosazana Dlamini Zuma on April 2, which make provision for a Covid-19 tracing database.
Since the outbreak of Covid-19, governments around the world have implemented a range of digital tracking, physical surveillance and censorship measures as a way to monitor, contain or mitigate the spread of the pandemic in their jurisdictions.
Countries including Austria, Singapore, Belgium, Italy and Germany are all gathering anonymised or aggregated location data from telecoms companies to help track the spread of Covid-19.
In terms of the revised regulations, Lawtons points out that Department of Health director-general Dr Anban Pillay is authorised to direct electronic communications service providers to provide him with information regarding the location or movements of any person known or reasonably suspected to have contracted Covid-19.
They are also authorised to provide the location or movements of any person known or reasonably suspected to have come into contact with such a person.
Lawtons highlights significant points in the guidance note, the first being that the term “responsible party” is defined as a public or private body or any other person who, alone or in conjunction with others, determines the purpose and means for processing personal information.
These include the National Command Council, the national Department of Health, a provincial department, local government, the National Institute for Communicable Diseases, the National Health Laboratory Service, independent laboratories, mobile network operators and voluntary organisations.
The purpose for the collection of personal information of a data subject by a responsible party must be to detect, contain and prevent the spread of Covid-19, states Lawtons, adding however that processing of personal information of a data subject must be done in a lawful and reasonable manner.
In this regard, Lawtons explains that electronic communication service providers can provide the government with location-based data relating to data subjects and the government can use such personal information for the purpose of conducting mass surveillance of data subjects if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.
In addition, the firm notes that medical professionals, healthcare institutions or facilities or social services may process special personal information of a data subject. This information may include personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject or the criminal behaviour of a data subject. This can be done if such processing is necessary for the proper treatment and care of a data subject in the context of Covid-19, Lawtons notes.
However, the firm also highlights that a responsible party need not obtain consent from a data subject to process their personal information in the context of Covid-19. The contexts where this is applicable include where such processing protects a legitimate interest of the data subject, is necessary for the proper performance of a public law duty by a public body, is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied or complies with the obligation imposed by law on the responsible party.
Further, according to Lawtons, a responsible party may further process personal information of a data subject notwithstanding the fact that such processing is not compatible with the original purpose for which it was collected if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of a data subject or another individual.
Public health interests, the firm notes, can provide legitimate reasons to increase monitoring of individuals, but monitoring must be approached with caution in order to strike a balance between public health concerns and the right to privacy. If left unchecked and unchallenged, these measures have the potential to fundamentally alter the future of privacy in the context of human rights, Lawtons concludes.