South Africa: Information Regulator issues guidance on COVID-19
On 3 April 2020, the Information Regulator published a guidance note on the processing of personal information in the management and containment of COVID-19 in terms of the Protection of Personal Information Act 4 of 2013 (POPIA).
According to the guidance note, the Information Regulator recognises the fact that not all the sections of POPIA have come into effect. In this regard, the Information Regulator “encourages proactive compliance by responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects”.
The purpose of the guidance note is to effect to the right to privacy as it relates to the protection of personal information; and to provide guidance to public and private bodies and their operators on the limitation of the right to privacy when processing personal information of data subjects for the purpose of containing the spread and reducing the impact of COVID-19.
The guidance note answers key questions relating to COVID-19 as follows:
- Can electronic communication service providers provide location-based data to the government to use for the purpose of tracking data subjects to manage the spread of COVID-19? Yes, the electronic communication service providers must provide the government with mobile location-based data of data subjects, and the government can use such personal information in the management of the spread of COVID-19 if (i) processing complies with an obligation imposed by law on the responsible party; (ii) processing protects the legitimate interest of a data subject; (iii) processing is necessary for the proper performance of a public law duty by a public body; or (iv) processing is necessary for pursuing the legitimate interests of the responsible party or a third party to whom the information is supplied. However, the government must still comply with all applicable conditions for the lawful processing of personal information as set out in the guidance note.
- Can electronic communication service providers provide location-based data to the government to use for the purpose of conducting mass surveillance of data subjects to manage the spread of COVID-19? Yes, electronic communication service providers can provide the government with location-based data of data subjects, and the government can use such personal information for the purpose of conducting mass surveillance of data subjects, if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.
- Can an employer request specific information on the health status of an employee in the context of COVID-19? Yes, an employer is obliged to maintain a safe and hazardous free working environment in terms of the Occupation Health and Safety Act 85 of 1993, read together with the Employment Equity Act 55 of 1998, if an employee’s health status may endanger other employees. The disclosed information should not be used to unfairly discriminate against such an employee.
- Can an employer force an employee to undergo testing for COVID-19? Yes, an employer can force an employee to undergo testing in order to maintain a safe working environment.
- Can a data subject refuse to give consent to be tested for COVID-19? No, a data subject is required to undergo mandatory testing in order to manage the spread of COVID-19.
- Does a person who has tested positive for COVID-19 have a duty to disclose his or her status? Yes, a person who has tested positive has a duty to disclose his or her status to enable the government to take appropriate measures to combat the spread of COVID-19.
The guidance note is accessible here.
Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].