Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

South Africa: Contact tracing and its aftermath

In 2013, after a period of nine years and 11 iterations of a data protection bill being mulled over by the government, South Africa's legislature passed the Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). POPIA awaited signature of the President, before finally coming into force and effect in June 2020, with an implementation or 'grace' period of 12 months being provided for organisations to comply. Amidst the peak of the COVID-19 pandemic, the South African Presidency finally decided to enact POPIA into law.  In this article, Ridwaan Boda, Executive at ENSafrica discusses the Information Regulator's ('the Regulator') bid to protect the personal health information of South African data subjects during this time, with a focus on contact tracing in South Africa. / Essentials collection /

Due to the COVID-19 pandemic, the last two and half years have placed an unprecedented level of awareness around healthcare issues globally. The timing of POPIA coming into force was seen by many businesses as being inopportune given the level to which businesses were financially affected and that complying with legislation such as POPIA comes at a cost. To some observers, much of the governments motivation for finally enacting POPIA into law, despite the macro-economic circumstances, was the unprecedented scale which healthcare information and data was being collected and processed, alongside the fact that South Africa was being used as a testing ground for foreign companies to conduct clinical trials. 

In April 2020, prior to POPIA being enacted, a government notice amended the regulations published in terms of the Disaster Management Act, 2002 to provide for the mandatory establishment of the COVID 19 Tracing Database by the National Department of Health ('DOH'). This database was intended to trace people who are known or reasonably suspected to have come into contact with any person known or reasonably suspected to have contracted COVID-19.

The database was to include all information necessary for the contact tracing process to be effective, including:

  • first name and surname;
  • identity/passport numbers;
  • residential address and other address where such person could be located;
  • cellular phone numbers of all persons who have been tested for COVID-19;
  • the COVID-19 test results of all such persons; and
  • the details of the known or suspected contacts of any person who tested positive for COVID-19.

All of the above information constitutes personal information, as defined in POPIA. As established by the regulations, all such information was required to be kept confidential and should not have been disclosed either without authorisation or only if the disclosure was necessary in addressing, preventing, or combatting the spread of COVID-19.

The regulations also allowed the Director-General of Health, in writing and without prior notice to the person concerned, to direct an electronic communications service provider licensed under the Electronic Communications Act 36 of 2005 to provide the location or movements of persons known or reasonably suspected of having contracted COVID-19 or come into contact with COVID-19. The Director-General of Health was only obligated to notify every person whose information was obtained through an electronic communications service provider within six weeks after the national state of disaster lapsed or was terminated (which date notably has yet to arrive).

In addition, within six weeks after the national state of disaster lapsed or was terminated:

  • the information in the database must be de-identified;
  • the de-identified information in the database must be retained and used only for research, study, and teaching purposes;
  • all information in the database that has not been de-identified must be destroyed; and
  • the Director-General of Health must file a report with the COVID-19 Designated Judge recording the steps taken in this regard, who, once received, will also be entitled to give directions as to any further steps to be taken to protect the right to privacy of those persons whose data has been collected.

Notably, despite POPIA not having been fully enacted at the time, the Regulator, established in terms of POPIA on 3 April 2020, issued a guidance note on the processing of personal information of data subjects in the management and containment of COVID-19. In terms of this guidance note, electronic communication service providers are required to provide location-based data to the government and the government is permitted to use such data for the purpose of tracking data subjects to manage the spread of COVID-19, if, among other things, processing complies with an obligation imposed by law on the responsible party.

The sharing of data between electronic communication service providers and the Department of Health (and use thereof) for purposes relating to the establishment of the database under the Disaster Regulations, would clearly constitute an obligation imposed by law on the DOH and electronic communication service providers.

However, the guidance note stated that the government must still comply with all the applicable conditions for the lawful processing of the information as set out in the guidance note. This would include the obligation to implement security safeguards.

The National State of Disaster ended on 5 April 2022, with some regulations still continuing to apply.

In September 2020, the Regulator issued a statement (and subsequently further statements including in a report submitted to Parliament) to the effect that:

  • it will monitor compliance by the DOH and National Institute for Communicable Diseases ('NICD') with POPIA;
  • it will monitor compliance by the DOH with POPIA in general and the guidance note in particular;
  • COVID-19 testing, vaccination, and track-and-tracing data collected by the DOH of vast amounts of personal information and this large-scale possible invasion of privacy and processing of personal information was and is still one of the Regulator's concerns during and after the National State of Disaster;
  • it has requested that the DOH report to it no later than 29 April 2022 on how it and/or NICD will comply with applicable conditions for lawful processing of personal information, including in relation to how it intends to comply with the POPIA requirement that records of personal information must not be retained any longer than necessary for achieving the purpose for which the information was collected or subsequently processed;
  • it sought 'information on the measures taken or to be undertaken to ensure compliance with the de-identification requirements, the retention period for personal information collected for track-and-trace purposes, and the method or manner to be applied in destroying or deleting the records of personal information. The regulator undertook to ensure personal information on the COVID-19 tracing database is de-identified, which means any information that can be used to identify a person is deleted';
  • it  undertook to monitor processes in place for destroying all personal information on the COVID-19 tracing database which had not been de-identified;
  • it required information as to whether the NICD or DOH intends to transfer or has transferred the personal information to a third-party that is in a foreign country and the level of protection afforded to the information by the foreign country; and 
  • it required the DOH and NICD to provide details about the nature or category of the special personal information and personal information of children held by or under the control of these institutions.

In essence, '..the regulator requires this information from the DOH and NICD in order to determine if it is necessary or appropriate to conduct compliance assessment on the Department of Health and NICD, which we are empowered to do in terms of section 89 of POPIA'.

The date of 29 April 2022 has since passed. There is no indication from the Regulator, the DOH, or the NICD as to whether the report required was ever filed and/or whether the DOH and NICD complied with the requirements determined by the Regulator. There has been no official communication from the South African government and there is no information in the public domain as to whether any data subjects have filed any requests with the DOH, NICD, or the Regulator as to how such data subjects' rights have been protected. One can only speculate as to the reasons for this but many commentators point to the fact that the Regulator is not functioning optimally and despite the Regulator making various media statements in relation to a wide range of topics and instances of alleged non-compliance, there has been no enforcement action taken to date against any contravening party that is of public knowledge.

Ridwaan Boda Executive
[email protected]
ENSafrica, Johannesburg