On 3 April 2020, the Information Regulator (“the Regulator”) published a Guidance Note on the processing of personal information in terms of the Protection of Personal Information Act, 2013 (“POPIA”) in the context of the Covid-19 pandemic.
The Guidance Note records that not all the sections of POPIA have come into effect. However, the Regulator has urged responsible parties to comply with the provisions of POPIA on a proactive basis, when processing the personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.
The Guidance Note was issued to give effect to the right to privacy as it relates to the protection of personal information and to balance the right to privacy with the need to process personal information of data subjects in order to curb the spread of COVID-19. It is noted that the Regulator supports the need to process personal information of data subjects in order to curb the spread of Covid-19.
Responsible parties must process personal information of data subjects in a responsible manner, which complies with the conditions for lawful processing, during the management of COVID-19.
In terms of the Employment provisions of the Guidance Note, it is stated that:
- Employers are obliged to maintain a safe and hazardous free working environment in terms of the Occupation Health and Safety Act 85 of 1993.In order to maintain a safe working environment, employers may request specific information on the health status of an employee in the context of COVID-19.
- The disclosed information should not be used to unfairly discriminate against such an employee.
- Employers can also force an employee to undergo mandatory testing in order to manage the spread of COVID-19.