The Covid-19 pandemic has resulted in many countries adopting extraordinary, and sometimes unprecedented, measures in an effort to contain, or at least slow the spread of the virus. In many instances, peoples' movement has been severely restricted and even monitored, resulting in new privacy implications.
Locally, commercial law firm Cliffe Dekker Hofmeyr (CDH) technology, media and telecommunications practice director Fatima Ameer-Mia says the South African government has published regulations under the Disaster Management Act, that enable the government to trace persons who are known, or reasonably suspected, to have come into contact with any person known or reasonably suspected to have contracted Covid-19 (referred to as affected persons).
“The regulations are clear that these extraordinary measures are being taken to urgently combat the Covid-19 crisis and are not intended to go further than this,” she says.
As part of these measures, the Department of Health is empowered to develop and maintain a national database of affected persons which includes collecting various personal and special personal information about them.
“This includes the power to direct electronic communications service providers to provide geographical location data of affected persons for purposes of contact tracing,” Ameer-Mia points out.
However, she says the regulations are very specific and do not provide the State with “over-arching powers”, explaining that the information is limited to affected persons for a specific period – from March 5 until the date when the national disaster is terminated.
Further, Ameer-Mia says the regulations expressly make provision that such information is strictly confidential and may not be disclosed or used for any purpose other than in furtherance of the State's combatting and preventing the spread of Covid-19 through this process.
From a privacy perspective, she notes that, although the substantive provisions of the Protection of Personal Information (Popi) Act are not yet fully in force, every South African is afforded the right to privacy under both the common law and Constitution.
“This right encompasses the right to be free from intrusions and is based on the assumption that no one can unlawfully gain access, or put into the public domain, information which an individual reasonably regards as private.”
However, Ameer-Mia again points out that the right to privacy can be limited in accordance with Section 36 of the Constitution, which provides that the limitation must be reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom. In this regard, she says that only a law of general application could effectively be relied on by the State to limit the right to privacy.
“The Disaster Management Act and regulations would constitute this law and the beneficial purpose of the law, being to effectively counteract the spread of Covid-19, would need to balance against the infringement to privacy.”
She highlights that the Information Regulator, under the Popi Act, has published a guidance note relating to the lawful procession of personal information, which public and private bodies must comply with. These include that personal information is collected for the specific purpose of only managing the spread of Covid-19.
“Adequate security measures must be put in place to ensure the integrity and confidentiality of such personal information.”
In addition, the public and private bodies must ensure that the data is destroyed or deleted when no longer authorised to retain it, Ameer-Mia explains.
Typically, she notes that an individual would need to consent to geolocation tracking when using mobile application software. “Consent would be the basis for the processing of such personal information.”
According to Ameer-Mia, the Information Regulator has confirmed that an electronic communications service provider can provide location-based data to the government to use for tracking data subjects to manage the spread of Covid-19 based on the exceptions under Popi Act and that a data subject's consent is not required in these circumstances.
However, she points out that once the State of Disaster comes to an end, personal information may only be retained (apart from what is included in the Covid-19 tracing database) for a period of six weeks after being obtained and must, thereafter, be destroyed.
De-identified (not attached to a specific person) information may only be used for research or study purposes.
While individuals' privacy rights are being infringed, Ameer-Mia says the infringement is based on a lawful purpose in these specific circumstances.
“Should the State continue to track individuals data post-Covid-19 without a lawful purpose, then it would potentially constitute an infringement of privacy and an individual would be able to bring an action (delictual claim) against the State and/or electronic communications service providers for infringement of their right to privacy based on their common law and constitutional rights, provided that they can prove that they have suffered damages.”