Privacy is Protected, Even During a PandemicPublished on: 2020-05-12
Many South Africans have expressed valid concerns about the potential for abuse of personal information collected by government as part of tracking and tracing those exposed to COVID-19 infection.
The approach taken, however, appears to be well-balanced, even though the Protection of Personal Information Act of 2013 (POPI) is not yet properly in force. Electronic communication service providers (ECSPs) like ISPs can only provide personal information required to combat COVID-19 to the Director-General of the Department of Health for inclusion in a database which is subject to several restrictions.
That’s the word from the Internet Service Providers’ Association of South Africa (ISPA), which says ECSPs – which includes the mobile network operators (MNOs) – may only be directed to provide the location or movements of any person known or reasonably suspected to have contracted COVID-19 and the location or movements of any person known or reasonably suspected to have come into contact with such a person.
ISPA’s regulatory advisor Dominic Cull explains that “the declaration of a State of National Disaster does not suspend the operation of the laws of the land and the privacy of individual citizens must be preserved. However, tracking and tracing infected persons and those they have been in contact with is globally accepted as a key element of successfully fighting the COVID-19 epidemic.
“Restrictions on the use of personal information in the database include compulsory deletion of data not required for tracing as well as a requirement to anonymise the data in the database at the end of the national disaster. This anonymised data can then be used for public health research,” he says.
A former Constitutional Court justice has been appointed as the COVID-19 Designated Judge, required to oversee processes, issue a weekly report, make recommendations to improve protections and issue a final report to be tabled in Parliament. Any person whose movements were traced must be notified within six weeks of the end of the national state of disaster.
“The balances achieved, and oversight mechanisms provided for the collection and storage of personal information under the COVID-19 national disaster are a substantial improvement on those in place for interception and monitoring under RICA. Government has clearly taken note of the High Court decision in the Amabhungane matter that certain provisions of RICA are unconstitutional,” says Cull.
ISPA, however, cautions that these measures are not perfect, and the security of the database is a particular concern given the highly sensitive nature of the information it contains (i.e. the details of persons who have tested positive for or who may have been exposed to COVID-19).
According to Cull: “There is also a danger that we accept tracking through our mobile phones as a ‘new normal’, opening ourselves up to less benign monitoring than is currently taking place to combat COVID-19.”
More generally, ISPA urges all users of the Internet to make sure that they are protecting sensitive information as they work and socialise using electronic communications and digital platforms.
A sudden, forced migration to everyone working and collaborating online is the perfect environment for cybercriminals and fraudsters. Your personal information is now more valuable than ever, and you need to understand how to take basic precautions.
“Ultimately South Africa needs a strong legal framework around privacy to ensure that current and future tracking and tracing of people is developed against the background of a developed right to privacy. POPI needs to come fully into play as soon as possible,” concludes Cull.
For further information, please contact the ISPA secretariat on the Contact ISPA page.