What are some of the data protection implications of COVID-19 in South Africa?

In order to mitigate the spread of COVID-19 in South Africa, both public and private organisations will be required to implement data-sharing strategies and procedures in respect of COVID-19-related personal information. Organisations in the European Union – the current epicentre of the COVID-19 pandemic – are already in a position to implement such data-sharing strategies after having received guidance from European data protection regulators.

30 Mar 2020 2 min read Technology, Media & Telecommunications Alert Article

Notably, both the Information Commissioner’s Office (ICO) in the United Kingdom and the Data Protection Commission (DPC) in Ireland have issued statements in order to clarify the position on data protection in the context of the COVID-19 pandemic. These statements stress that European data protection laws are not crafted to prohibit the sharing of personal information in order to protect against serious threats to public health – such as COVID-19. Accordingly, organisations to which European data protection laws apply should not restrict themselves from taking the necessary action in response to the COVID-19 pandemic, provided that they continue to comply with data protection principles – particularly those in relation to ensuring that the personal information being processed is secure (i.e. by taking reasonable technical and organisational measures to prevent such personal information from being unlawfully accessed, lost or damaged).

Similarly, South African organisations are going to be required to balance common law and constitutional rights to privacy in the current circumstances by taking into account the provisions of the South African Protection of Personal Information Act, 2013 (POPI), which is relevant, although not yet fully in force, in regard to how they will lawfully process COVID-19-related personal information. POPIA provides for the legal basis on which personal information may be processed. The best solution is to obtain the person’s consent and, given the sensitive nature of this information, to take the necessary steps to ensure that the personal information is safeguarded and kept secure, is not used for any other unrelated purpose and that it is not retained for longer than such information is required. Where it is not possible or practical to obtain consent, POPIA provides for instances of specific authorisation for the processing of health data which include that it allows for “processing by…medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned”. Other organisations who are required to process COVID-19-related personal information could also potentially rely on the general authorisation that the processing of such health-related personal information is “necessary for the establishment, exercise or defence of a right or obligation in law” – provided that the organisation in question can show that the processing in question took place in accordance with a specific law.

While it will generally be lawful for relevant South African organisations to carry out reasonable  processing of COVID-19-related personal information in the current circumstances, considering the increased cyber security risks that are presenting themselves during the COVID-19 pandemic, organisations processing COVID-19-related personal information (e.g. of their employees) should take necessary steps to ensure that the relevant COVID-19-related personal information is kept secure and that the privacy rights of individuals impacted by the virus are protected.


The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.