Skip to content

COVID-19: The protection of personal information

3 April 2020
– 6 Minute Read


Organisations have been eagerly awaiting the implementation of the remaining provisions of the Protection of Personal Information Act (POPIA) since the Information Regulator approached the President of South Africa earlier this year to issue a commencement date of 1 April 2020.

To date, however, there has been no notice published in the Government Gazette to this effect and accordingly, the remaining provisions of POPIA have not yet come into force.

In light of the COVID-19 pandemic and the uncertainty of the impact it will have in South Africa, it is understandable that Government is primarily focused on considering measures to be implemented to ‘flatten the curve’.

In doing so, however, a significant amount of personal information will be involved in the process.

Statement by the Information Regulator

The importance of the right of access to information and the right to privacy in the management and containment of COVID-19 has been recognised by the Information Regulator in a press statement issued on 19 March 2020. In summary, the statement provides that:

  • While the Information Regulator welcomes the decision of Government to centralise communication on the COVID-19 virus, it has requested Government to intensify and streamline the proactive disclosure of all information relating to the virus. In doing so, information should be communicated in languages which are easily understood and accessible to all South Africans, including people with disabilities.
  • The Information Regulator has implored health and testing centres to ensure that the personal information of individuals who have been tested and/ or treated is protected. Although the majority of the provisions of POPIA are not yet in effect, the Regulator has stated that health and testing centres must ensure that all provisions of POPIA are strictly adhered to when they test or treat patients. For example, they must implement adequate safeguards to ensure that the personal information is secured and is not used for any other purpose.
  • Having regard to the importance of social media in disseminating information relating to COVID-19, the Information Regulator has advised Government to engage with, and request, social media entities to subject all information relating to the virus on their platforms to a third-party fact checking programme and to remove fake news from their platforms.
  • Finally, the Information Regulator has acknowledged the increased risk of data breaches and cybercrime during the COVID-19 crisis and has called on both public and private bodies to increase the security of their operating systems to protect the personal information of individuals against data breaches and unauthorised access.

Contact tracing and the processing of personal information

One major response globally to curb the spread of the COVID-19 virus is contact tracing, which is the practice of identifying and monitoring individuals who may have come into contact with an infected person.

In this regard, the Regulations issued in terms of the Disaster Management Act were amended yesterday to introduce, among other things, a process relating to contact tracing which requires the Department of Health to develop and maintain a national database to enable the tracing of individuals who have, or are reasonably suspected to have, come into contact with any person who has, or is reasonably suspected to have, contracted COVID-19 (COVID-19 Tracing Database).

The Communications, Telecommunications and Postal Services Minister, Stella Ndabeni-Abrahams, confirmed that the COVID-19 Tracing Database was not introduced to ‘spy’ on South Africans but rather as a measure to minimise the spread of the virus while respecting that everyone has the right to privacy.

The COVID-19 Tracing Database will contain all personal information necessary for the contact process to be effective, including (i) in respect of an individual who has tested positive, his or her name, identity or passport number, address, and cell phone number; (ii) the test results of all such people; and (iii) details of the known or suspected contacts of anyone who has tested positive for COVID-19.

People taking samples for purposes of testing, laboratories who conduct the testing and the National Institute for Communicable Diseases are required to assist with collecting the personal information and submitting it to the Director-General: Health for inclusion in the COVID-19 Tracing Database.

The personal information collected is to remain confidential and may not be disclosed unless the disclosure is authorised or is necessary for purposes of preventing or combatting the spread of COVID-19.

Importantly, and in addition to the above collection processes, the Director-General: Health may, without the consent of an individual concerned, direct an electronic communications service provider to furnish it with information relating to the location or movements of (i) an individual known or reasonably suspected to have contracted COVID-19 and (ii) individuals known or reasonably suspected to have come into contact with a person who has contracted COVID-19 since 5 March 2020. To the extent necessary, such information will be included in the COVID-19 Tracing Database.

While some may view this as an invasion of privacy, others may be of the view that it is necessary in light of the global COVID-19 pandemic. In this regard, POPIA provides for the collection of personal information from another source if it is in the interests of national security and allows for the further processing of personal information if it is necessary to mitigate a serious and imminent threat to public health or public safety.

As part of the enforcement process, the amendment makes provision for the designation of a judge who has been discharged from active service or a retired High Court Judge, as the COVID-19 Designated Judge who will make recommendations regarding regulations to safeguard the right to privacy while ensuring the prevention and combatting of COVID-19.

Within six weeks after the national state of disaster has lapsed, individuals whose information was obtained via an electronic communications service provider will be notified and the personal information contained in the COVID-19 Tracing Database will be de-identified and retained for research and teaching purposes.

Any person who fails to comply with the regulations relating to the contact tracing process will be guilty of an offence and may be liable to pay a fine and/ or to imprisonment for a period not exceeding six months.