The Information Regulator (Regulator) has published a Guidance Note on the Processing of Personal Information in the Management and Containment of the COVID-19 pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA).
While not all the sections of POPIA have come into effect, the Regulator encourages proactive compliance by responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.
Purpose
The Guidance Note was issued to:
- Give effect to the right to privacy as it relates to the protection of personal information.
- Provide guidance to public and private bodies and their operators on the limitation of the right to privacy when processing personal information of data subjects for the purpose of containing the spread and reducing the impact of COVID-19.
The Regulator also answers questions relating to the sharing of location-based data and the rights of employers in relation to personal information of employees and deals with issues relating to whether a person can refuse to provide consent to be tested and what the disclosure requirements are if tested positive.
Responsible parties must adhere to certain conditions when processing personal information of data subjects
A “responsible party” means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. Responsible parties must process personal information of data subjects in a responsible, lawful and reasonable manner during the management of COVID-19.
The Guidance Note also deals with issues relating to:
- Whether it is necessary for consent to be obtained from a data subject;
- Collection of information for a specific purpose;
- The retention and restriction of records;
- The circumstances in which information may be further processed even if such processing is not compatible with the original purpose for which it was collected;
- The quality and accuracy of information collected;
- Maintenance of documentation relating to all processing operations;
- Security measures regarding the integrity and confidentiality of personal information;
- Access to information held by a responsible party; and
- The conditions relating to processing of special personal information and the obligation of confidentiality.
Sharing of Location Based Data
The Information Regulator has confirmed that Electronic Communication Service Providers can provide location-based data to the Government to use for the purpose of tracking people to manage the spread of COVID-19. However, the Government must still comply with all the applicable conditions for the lawful processing of information as set out in the Guidance Note.
They can also provide this information to the Government for the purpose of conducting mass surveillance, but in this case the personal information must be anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.
Employment
The Information Regulator provides important answers to questions which employers may have in the context of the COVID-19 pandemic.
- Can an employer request specific information about the health status of an employee?
Yes, an employer can request specific information on the health status of an employee in the context of COVID-19. An employer is obliged to maintain a safe and hazard-free working environment in terms of the Occupational Health and Safety Act read together with the Employment Equity Act, if an employee’s health status may endanger other employees. However, the disclosed information should not be used to unfairly discriminate against such an employee.
- Can an employer force an employee to undergo testing for the COVID-19 virus?
Yes, the employer can force an employee to undergo testing in order to maintain a safe working environment.
Consent
A person (i.e. data subject) cannot refuse to give consent to be tested for COVID-19. The Regulations require any data subject to undergo mandatory testing in order to manage the spread of COVID-19.
Disclosure
A person who has tested positive has a duty to disclose his or her status to enable the Government to take appropriate measures to combat the spread of COVID-19.