Purpose of POPI:
The Protection of Personal Information Act[1] (POPI) was promulgated and sets out guidelines for the lawful collection and processing of individuals’ personal information. This includes, amongst other any information relating to an individual’s well-being, medical status or whereabouts.
COVID-19 Pandemic:
On 15 March 2020, the president declared the COVID-19 pandemic a national disaster and a public health emergency which poses a risk to the well-being of each and every individual and the South African community at large.[2] As such, several extraordinary measures were announced to combat the public health emergency which calls on all citizens to help curb and prevent the spread of the COVID-19 outbreak. One such measure is to report an individual who has or is suspected of having the COVID-19 virus to the nearest Department of Health, or by contacting the coronavirus hotline.
However, regardless of the president’s announcement, each and every individual’s COVID-19 status will be regarded as his/her special personal information and businesses are advised to take the POPI act into consideration when dealing with such information.[3] As such, the information regulator of South Africa has publishing guidelines for the management and containment of COVID-19 in terms of POPIA and provides clarity on the collection and processing of individual’s special personal information in line with POPIA.[4]
Due to the classified nature of an individual’s special personal information, the Act prohibits the collection and processing thereof without reasonable cause. It is, therefore, important for all responsible parties/employers to ensure their compliance with the POPI Act before collecting and processing any individual’s COVID-19 status, suspected status or whereabouts in any shape or form.[5]
Collection and Processing of Personal Information:
POPI prohibits, amongst other, the collection and processing of individuals’ special personal information concerning their health unless the collection and processing thereof is carried out with the individual’s explicit consent or is justifiable in terms of the Act.[6]
All individuals’ COVID-19 status will be regarded as their special personal information which may only be collected and processed for a specific purpose. It is, therefore, best to ensure appropriate and proper consent is obtained directly from the individual regarding his/her COVID-19 status before processing this information in any shape or form.
However, the regulator recognised the need to effectively manage COVID-19 and supports the collection and processing thereof to curb the spread of the outbreak. Therefore, due to the special nature of the status quo, an individual’s consent is not mandatory should he/she refuse to give consent to the collection and processing of their COVID-19 status.
Section 15(3)(d) of the Act[7] will, in addition, justify the collection and further processing of any individual’s COVID-19 status with or without their consent in as far as the information is necessary to prevent or mitigate the serious and imminent threat to (i) public health or public safety; or (ii) the life or health of the individual or another individual.
Furthermore, by virtue of the Employment Equity Act[8] and the Occupation Health and Safety Act[9], an employer is obliged to maintain a safe and hazardous free working environment. As such and in order to ensure a safe working environment, the employer may force an employee to undergo COVID-19 testing with or without his/her consent whereby the special personal information may be processed in order to enable the government to take appropriate measure to combat the spread of the COVID-19 outbreak.
Importantly, as set out in the information regulator’s published guidelines, the responsible party collecting and processing an individual’s special personal information must adhere to the following:[10]
- The personal information must be collected for the specific purpose of detecting, containing and preventing the spread of COVID-19;
- The responsible party must ensure the personal information is accurate, not misleading and updated where necessary;
- The personal information must be processed responsibly in a lawful and reasonable manner in order to detect, contain and prevent the spread of COVID-19;
- The personal information may only be processed subject to an obligation of confidentiality by virtue of office, employment, profession or legal provision, or established by a written agreement between a responsible party and an individual and may only be processed in the context of COVID-19 without the consent of the individual in a far as the:
- processing complies with the obligation imposed by law;
- the processing protects a legitimate interest of the individual;
- processing is necessary for the proper performance of a public law duty by a public body; or
- processing is necessary for pursuing the legitimate interest of a party collecting and processing the information or to whom the information is supplied;
- The personal information may only be further processed within the scope of Section 15(3)(d) as mentioned above;
- All processing operations of personal information relating to the detection, containment and prevention of COVID-19 must be maintained and documented;
- The personal information collected and processed must be adequately secured to prevent the loss, damage or unauthorised access thereof; and
- The personal information must not be retained for longer than authorised to achieve the purpose of detecting, containing and preventing the spread of COVID-19 and must de-identify such information as soon as reasonably possible after the responsible party is no longer authorised to retain such information.
Conclusion:
In the light of the above and the unforeseeable COVID-19 global pandemic and declared a national disaster, a responsible party collecting and processing an individual’s COVID-19 status with or without their consent may only do so within the scope and ambit of the Act[11] and published guidelines[12] and will only then be safeguarded against any remedy the individual may have in terms of POPI legislation.
ABOUT THE AUTHOR
Vernon Harms obtained his BCom (Law) degree and LLB degree in 2014 and 2016 respectively from the University of the Free State. After graduating he commenced his LLM degree with a specialisation in private law in 2017 as well as with his Articles at Symington De Kok Attorneys in Bloemfontein. His LLM degree was conferred upon him in July 2019 and he was admitted as an Attorney in the High Court of South Africa in September 2019, whereafter he joined the SEESA team as a Legal Advisor in Labour, Consumer Protection and POPI.
[1] Protection of Personal Information Act 4 of 2013.
[2] Government Gazette No. 43161, 26 March 2020.
[3] Protection of Personal Information Act 4 of 2013.
[4] Information Regulator of South Africa: Guidance note on the processing of personal information in the management and containment of COVID-19 pandemic in terms of the protection of personal information Act 4 of 2013 (POPIA), 03 April 2020.
[5] Protection of Personal Information Act 4 of 2013.
[6] Section 26 & 27 of the Protection of Personal Information Act 4 of 2013.
[7] Protection of Personal Information Act 4 of 2013.
[8] Employment Equity Act 55 of 1998.
[9] Occupation Health and Safety Act 85 of 1993.
[10] Information Regulator of South Africa: Guidance note on the processing of personal information in the management and containment of COVID-19 pandemic in terms of the protection of personal information Act 4 of 2013 (POPIA), 03 April 2020.
[11] Protection of Personal Information Act 4 of 2013.
[12] Information Regulator of South Africa: Guidance note on the processing of personal information in the management and containment of COVID-19 pandemic in terms of the protection of personal information Act 4 of 2013 (POPIA), 03 April 2020.