Since the outbreak of COVID-19, governments around the world have implemented a range of digital tracking, physical surveillance and censorship measures as a way to monitor, contain or mitigate the spread of the pandemic in their jurisdictions.
Countries including Austria, Singapore, Belgium, Italy and Germany are all reportedly gathering anonymised or aggregated location data from telecom companies to help track the spread of COVID-19.
In response to the management and containment of COVID-19 in South Africa, the Information Regulator, established in terms of the Protection of Personal Information Act, 2013, has issued a Guidance Note on the processing of personal information of data subjects (a “data subject” is the person whose personal information is being accessed).
The purpose of the Guidance Note is to guide public and private bodies and their operators on the reasonable limitation of the constitutional right to privacy when processing personal information for purposes of managing the spread of COVID-19.
The Guidance Note was issued following the publication of revised regulations by the Minister of Cooperative Governance and Traditional Affairs on 2 April 2020, which make provision for a COVID-19 Tracing Database. In terms of the revised regulations, the Director-General of the Department of Health is authorised to direct electronic communications service providers to provide him or her with information regarding the location or movements of any person known or reasonably suspected to have contracted COVID-19; and the location or movements of any person known or reasonably suspected to have come into contact with such a person.
The following significant points are highlighted in the Guidance Note:
The term ‘Responsible Party’ is defined as a public or private body or any other person who, alone or in conjunction with others, determines the purpose and means for processing personal information, such as the National Command Council, National Department of Health, a provincial department, local government, the National Institute for Communicable Diseases, the National Health Laboratory Service, independent laboratories, mobile network operators, and voluntary organizations.
The purpose for the collection of personal information of a data subject by a Responsible Party must be to detect, contain and prevent the spread of COVID-19.
Processing of personal information of a data subject must be done in a lawful and reasonable manner.
Electronic communication service providers can provide the government with location-based data relating to data subjects and the government can use such personal information for the purpose of conducting mass surveillance of data subjects if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.
Medical professionals, healthcare institutions or facilities or social services may process special personal information of a data subject (i.e. personal information concerning the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject or the criminal behaviour of a data subject), if such processing is necessary for the proper treatment and care of a data subject in the context of COVID-19.
A Responsible Party need not obtain consent from a data subject to process his or her personal information in the context of COVID-19 where such processing protects a legitimate interest of the data subject, is necessary for the proper performance of a public law duty by a public body, is necessary for pursuing the legitimate interests of the Responsible Party or of a third party to whom the information is supplied, or complies with the obligation imposed by law on the Responsible Party.
A Responsible Party may further process personal information of a data subject notwithstanding the fact that such processing is not compatible with the original purpose for which it was collected if it is necessary to prevent a serious and imminent threat to public safety or public health, the life or health of a data subject or another individual.
Public health interests can provide legitimate reasons to increase monitoring of individuals, but monitoring must be approached with caution in order to strike a balance between public health concerns, on the one hand, and the right to privacy on the other. If left unchecked and unchallenged, these measures have the potential to fundamentally alter the future of privacy in the context of human rights.
Useful link: https://www.justice.gov.za/inforeg/docs/InfoRegSA-GuidanceNote-PPI-Covid19-20200403.pdf