A Guidance Note on the processing of personal information of data subjects in the management and containment of COVID-19 has been drawn up.
The Information Regulator published the Guidance Note in terms of the Protection of Personal Information Act (POPIA).
In a statement, the Information Regulator declared that the aim of the Guidance Note is to “guide public and private bodies and their operators on the reasonable limitation of the right to privacy when they process personal information of data subjects for the purpose of managing the spread of COVID-19”.
Conditions for the lawful processing of personal information that public and private bodies must comply with when processing personal information of data subjects are set down.
“These conditions include the following obligations: to ensure that personal information is collected for a specific purpose only, namely, to manage the spread of COVID-19, to put adequate security measures in place to ensure the integrity and confidentiality of personal information of data subjects and to destroy or delete the information when no longer authorised to retain it.”
The Information Regulator confirmed that it supports the need to process the personal information of data subjects in order to curb the spread of COVID-19.
The Guidance Note also addresses the issue of the provision of location based data by Electronic Communication Service Providers (ECSPs) to the government in order to track data subjects in the management of COVID-19.
ECSPs are expected to provide the government with the location based data of data subjects as long as such provision complies with, inter alia, an obligation imposed by law.
Government is also expected to comply with all other applicable conditions for the lawful processing of personal information outlined in the Guidance Note.
According to the Guidance Note, the Information Regulator, despite not all the sections of POPIA having come into effect, “encourages proactive compliance by responsible parties when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects”.
The Guidance Note focuses on conditions when processing the personal information of data subjects; the sharing of location based data; employment; consent and general.
In conclusion, the Information Regulator indicated that the Disaster Management Act regulations to combat the spread of COVID-19 should be “implemented in conjunction with the applicable conditions for the lawful processing of personal information provided for in POPIA to ensure respect for the right to privacy”.