South Africa: will the creation of a Coronavirus (COVID-19) contact tracing database pose any security concerns?

Published on Apr 15, 2020

A recent government notice amended the regulations published in terms of the Disaster Management Act, 2002 to provide for the mandatory establishment of the COVID‑19 Tracing Database by the National Department of Health. This database will trace people who are known or reasonably suspected to have come into contact with any person known or reasonably suspected to have contracted COVID-19.

The database must include all information necessary for the contact tracing process to be effective, including:

  • first name and surname;
  • identity/passport numbers;
  • residential address and other address where such person could be located;
  • cellular phone numbers of all persons who have been tested for COVID-19;
  • the COVID-19 test results of all such persons; and
  • the details of the known or suspected contacts of any person who tested positive for COVID-19.

All of the above information constitutes personal information, as defined in the Protection of Personal Information Act, 2013 (“POPIA”), South Africa’s upcoming data protection legislation. As established by the Disaster Regulations, all such information will be kept confidential, should not be disclosed without authorisation or if the disclosure is necessary in addressing, preventing or combatting the spread of COVID-19.

The Disaster Regulations also allow the Director-General: Health, in writing and without prior notice to the person concerned, to direct an electronic communications service provider licensed under the Electronic Communications Act, 2005 to provide the location or movements of persons known or reasonably suspected of having contracted COVID-19 or come into contact with COVID-19.

The Director-General: Health is only obligated to notify every person whose information is obtained through an electronic communications service provider within six weeks after the national state of disaster has lapsed or has been terminated.

Also, within six weeks after the national state of disaster has lapsed or has been terminated:

  • the information in the database must be de-identified;
  • the de-identified information in the database must be retained and used only for research, study and teaching purposes;
  • all information in the database that has not been de-identified must be destroyed; and
  • the Director-General: Health must file a report with the COVID-19 Designated Judge recording the steps taken in this regard. Once received, the COVID-19 Designated Judge will also be entitled to give directions as to any further steps to be taken to protect the right to privacy of those persons whose data has been collected.

Notably, the Information Regulator, established in terms of POPIA, on 3 April 2020, issued a guidance note on the processing of personal information of data subjects in the management and containment of COVID-19. In terms of this guidance note, electronic communication service providers must provide location-based data to the government and the government can use such data for the purpose of tracking data subjects to manage the spread of COVID-19, if, among other things, processing complies with an obligation imposed by law on the responsible party.

The sharing of data between electronic communication service providers and the Department of Health (and use thereof) for purposes relating to the establishment of the database under the Disaster Regulations, would clearly constitute an obligation imposed by law on the Department of Health and electronic communication service providers.

However, the guidance note emphasises that government must still comply with all the applicable conditions for the lawful processing of the information as set out in the guidance note. This would include the obligation to implement security safeguards.

According to Co-Pierre Georg, an associate professor at the University of Cape Town, the data contained on the database may not be as secure as the state would hope. “If you collect all of this data in a central database, you create a massive cybersecurity risk. You will make it a very appealing target for any hacker out there.”

A company processing personal information during COVID-19 and even after the pandemic has been controlled, must ensure that all personal information processed is in accordance with POPIA, which means that the personal information is kept sufficiently secure.

A strong security compromises policy should establish a team of people who are responsible for handling a security compromise, set out the procedures and protocols that should be followed in the event of a security compromise, communicate to all members of the company what steps must be taken if they suspect or are aware of a security compromise, determine the parameters to classify the risks, address who should be notified, and ensure that the privacy of all data subjects continues to be upheld.

For assistance with your security compromises policy, please feel free to contact us.

Era Gunning
Executive | Banking and Finance
egunning@ENSafrica.com
+27 82 788 0827

Rakhee Dullabh
Senior Associate | Corporate Commercial
rdullabh@ENSafrica.com
+27 82 509 6565