On 22 April 2022, the Information Regulator (“the Regulator”) issued a media statement calling upon the National Department of Health (“the Health Department”) to provide it with information demonstrating the Health Department’s compliance with the Protection of Personal Information Act, 3 of 2014 (“POPIA”).
Covid-19 and personal information
Reflecting on the Covid-19 pandemic, following the recent lifting of the National State of Disaster, the Regulator recognised that Covid-19 testing, vaccination and track-and-tracing have been instrumental measures in assisting Government to identify the prevalence and containment of the SARS-Cov-2 virus. The Regulator also recognised that these measures required, and continue to require, the collection of vast amounts of personal information, bringing forth the potential for large-scale invasions of privacy during and after the National State of Disaster.
In response to these concerns, the Regulator issued a guidance note on the processing of personal information in the management and containment of the Covid-19 Pandemic in terms of POPIA. The guidance note emphasises the importance of compliance with all eight conditions for lawful processing of personal information.
Keeping to its regulatory promise
On 15 September 2020, the Regulator expressed its intention to Parliament to monitor compliance by the Health Department with POPIA in general, and with the Guidance Note in particular, at the end of the National State of Disaster.
De-identification and destruction of personal information
Of importance to the Regulator was the de-identification of personal information on the Covid-19 Tracing Database. The Regulator wanted to ensure that the information that has been de-identified is used strictly for research, study and teaching purposes.
In its monitoring exercises, the Regulator also wanted to ensure that processes are in place for destroying personal information on the Covid-19 Tracing Database which had not been de-identified.
The Regulator’s section 89 powers
Section 89 of POPIA grants the Regulator the power to make assessments on its own initiative, into whether an instance of processing of personal information complies with the provisions of POPIA.
It is against this power that the Regulator has requested that the Health Department provide a report, no later than 29 April 2022, on how the Health Department and/or the National Institute for Communicable Diseases (“NICD”) will comply with the applicable conditions for the lawful processing of personal information.
The Regulator has requested that the report include demonstration of compliance with the following –
- the requirements relating to the de-identification of personal information;
- the requirements relating to retention periods for personal information collected for track-and-trace purposes;
- the method(s) or manner(s) to be applied in destroying or deleting the records of personal information;
- whether the NICD or the Health Department intends to transfer or has transferred the personal information to a third party who is in a foreign country and the level of protection afforded to the information by the foreign country; and
- details from the NICD and the Health Department about the nature or category of the special personal information and personal information of children held by or under control of these institutions.
What we are seeing here is the Regulator acting on its mandate as stated on its website in respect of being “empowered to monitor and enforce compliance by public and private bodies with the provisions of the promotion of access to information act, 2000 (act 2 of 2000), and the protection of personal information act, 2013 (act 4 of 2013)”.
Given the extensive data (largely consisting of both personal information and special personal information) shared and processed due to the Covid-19 pandemic, it is interesting to note how the Regulator is proactively ensuring compliance with POPIA. We will continue to monitor the Regulator’s advances in this space.
This bulletin was prepared by partner Venolan Naidoo and candidate attorney Giscard Kotelo.