Government has published amendment regulations authorising the national Department of Health to develop and maintain a national database to enable people to be traced during the coronavirus lockdown.
According to law firm Webber Wentzel, the database will contain information deemed necessary for the tracing process to be effective, including:
- The first name and surname, ID number, address(es), and mobile numbers of all persons who have been tested for Covid-19 (persons of interest);
- The Covid-19 test results of all Persons of Interest; and
- Details of the known or suspected contacts of any Persons of Interest who tested positive for Covid-19.
Under the amendment regulations, the director-general of Health may also require an electronic communications service provider (such as a mobile operator) to provide certain information for inclusion in the database.
This information would relate to:
- The location of persons of interest; and
- The location or movements of any person known or reasonably suspected to have come into contact with Persons of Interest.
In a separate set of regulations, government also directed that the South African Post Office may make available its national address system and any other applicable database to assist authorities to identify and trace individuals who are infected by Covid-19,
The information that the post office makes available may further be correlated with other sources from the government and even the private sector, said law firm Norton Rose Fulbright.
“The details will be made available by the Post Office upon written request by relevant officials of the Department of Health, law enforcement agencies or other organs of state involved with the management and control of the spread of Covid-19,” Norton Rose Fulbright said.
The extraordinary governmental measures such as this track-and-trace system may be considered a serious limitation of individuals’ constitutional and common law right to privacy, Norton Rose Fulbright said.
“Although the Protection of Personal Information Act (POPI) is not yet in force, entities still have common law obligations in relation to individuals’ personal information,” it said.
“This duty will apply to the Post Office, government and private sector, to the extent that they disclose personal information of individuals to the relevant authorities under Covid-19 regulations.”
Norton Rose noted that companies in the private sector may have further contractual obligations to their clients to secure their personal information and notify them of the disclosure of their personal information.
Entities must ensure that they take sufficiently appropriate steps to verify and authenticate any requests for the disclosure of personal information of individuals, and disclose only as much information as is required by the relevant regulations, it said.
“It is not clear whether any specific identification must accompany the written request for the information or whether there are specific officials identified to ensure there is no abuse of the request for the information.
“Nonetheless, the South African Post Office is giving effect to the Directions in order to ensure timeous tracking of infected or potentially infected individuals, in order to curb the spread of the virus.”
Is my consent actually needed?
Livia Dyer, a partner at law firm Bowmans, noted that under general data protection principles, personal information can be collected, used and stored where:
- The person collecting and using the information has a legal obligation to do so;
- It is necessary in order for a government or other public body to perform its public law duties;
- It is necessary to pursue the legitimate interests of the person collecting and using the information.
“Consent by data subjects (such as people who have been tested for Covid-19) is not required,” she said.
“Health information in particular, which is sensitive personal information, can only be processed for very limited purposes, including the exercise of legal rights and obligations and for historical, statistical and research purposes where a public interest is served.
“Accordingly, contact tracing is not necessarily impermissible from a data protection and privacy perspective, provided that it is subject to strict controls.”
Dyer said that the types of controls contained in the regulations include that the information may only be obtained, used or disclosed by authorised persons and where necessary for the purposes of addressing, preventing or combating the spread of Covid-19.
The director-general of the Department of Health must, within six weeks after the national state of disaster has lapsed, or has been terminated, notify every person whose information has been obtained that information regarding their location or movements was obtained in terms of these amended regulations, she said.
“In addition, within six weeks after the end of the national state of disaster, the information in the Covid-19 tracing database must be de-identified (and the de-identified information may only be retained and used for research, study and teaching purposes).
“Further, in an attempt to reassure the public that voice conversations and messages will not be listened to, the regulations explicitly state that nothing in the regulations entitle the director-general of the Department of Health, or any other person, to intercept the contents of any electronic communication.”