South Africa: Regulator publishes guidance note on processing personal information during Coronavirus
The Information Regulator ('the Regulator') published, on 3 April 2020, its Guidance Note ('the Guidance Note') on the Processing of Personal Information in the Management and Containment of the COVID-19 Pandemic in terms of the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). In particular, the Guidance Note highlights that not all sections of POPIA have come into effect, despite the Regulator asking for promulgation before 1 April 2020. However, the Guidance Note encourages proactive compliance by responsible parties when processing personal information belonging to COVID-19 ('Coronavirus') cases or their contacts.
Specifically, the Guidance Note outlines that responsible parties must adhere to principles of data processing which include accountability, lawfulness of processing, consent, justification, data retention, purpose specification, and documentation. Furthermore, the Guidance Note states that electronic communication service providers must provide the Government with mobile location-based data and that it can be used for the purposes of mass surveillance of data subjects in the management of Coronavirus.