Contact

What are some of the data protection implications of COVID-19 in South Africa?

Back to top

What are some of the data protection implications of COVID-19 in South Africa?

In order to mitigate the spread of COVID-19 in South Africa, both public and private organisations will be required to implement data-sharing strategies and procedures in respect of COVID-19-related personal information. Organisations in the European Union – the current epicentre of the COVID-19 pandemic – are already in a position to implement such data-sharing strategies after having received guidance from European data protection regulators.

30 Mar 2020 2 min read Technology, Media & Telecommunications Alert Article

Notably, both the Information Commissioner’s Office (ICO) in the United Kingdom and the Data Protection Commission (DPC) in Ireland have issued statements in order to clarify the position on data protection in the context of the COVID-19 pandemic. These statements stress that European data protection laws are not crafted to prohibit the sharing of personal information in order to protect against serious threats to public health – such as COVID-19. Accordingly, organisations to which European data protection laws apply should not restrict themselves from taking the necessary action in response to the COVID-19 pandemic, provided that they continue to comply with data protection principles – particularly those in relation to ensuring that the personal information being processed is secure (i.e. by taking reasonable technical and organisational measures to prevent such personal information from being unlawfully accessed, lost or damaged).

Similarly, South African organisations are going to be required to balance common law and constitutional rights to privacy in the current circumstances by taking into account the provisions of the South African Protection of Personal Information Act, 2013 (POPI), which is relevant, although not yet fully in force, in regard to how they will lawfully process COVID-19-related personal information. POPIA provides for the legal basis on which personal information may be processed. The best solution is to obtain the person’s consent and, given the sensitive nature of this information, to take the necessary steps to ensure that the personal information is safeguarded and kept secure, is not used for any other unrelated purpose and that it is not retained for longer than such information is required. Where it is not possible or practical to obtain consent, POPIA provides for instances of specific authorisation for the processing of health data which include that it allows for “processing by…medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned”. Other organisations who are required to process COVID-19-related personal information could also potentially rely on the general authorisation that the processing of such health-related personal information is “necessary for the establishment, exercise or defence of a right or obligation in law” – provided that the organisation in question can show that the processing in question took place in accordance with a specific law.

While it will generally be lawful for relevant South African organisations to carry out reasonable  processing of COVID-19-related personal information in the current circumstances, considering the increased cyber security risks that are presenting themselves during the COVID-19 pandemic, organisations processing COVID-19-related personal information (e.g. of their employees) should take necessary steps to ensure that the relevant COVID-19-related personal information is kept secure and that the privacy rights of individuals impacted by the virus are protected.

 

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

1 Feb 2024

by Gerhard Badenhorst

VAT agency and principals

The terms “ agent ” and “ agency ” are not defined in the Value Added Tax Act 89 of 1991 (VAT Act). The South African Revenue Service (SARS) has indicated in Interpretation Note 42 (IN 42) that it accepts that the common law relationship between the principal and the agent prescribes the value-added tax (VAT) consequences of this legal relationship. The general VAT rule is that where a person, acting as agent, supplies goods or services on behalf of a principal to a third party, the supply is deemed to be made by the principal and not the agent (section 54(1) of the VAT Act). Conversely, where a third-party supplier makes a supply to an agent acting on behalf of a principal, that supply is deemed to be made to the principal (section 54(2) of the VAT Act). In these instances, the principal and not the agent must account for VAT on the supplies.

Tax & Exchange Control

6 min read

10 Oct 2023

by Claudette Dutilleux and Gabby Schafer

Agreement ‘in principle’? Unpacking the enforceability of agreements to agree

An agreement only gives rise to legally enforceable and reciprocal rights when certain requirements are met; certainty being one such important requirement. For an agreement to be certain, the material terms of the agreement have to be clear, defined and unambiguous.

Dispute Resolution

3 min read

12 Oct 2023

by Alex Kanyi

Comments on the Draft Medium-Term Revenue Strategy (MTRS)

CDH Kenay Partner Alex Kanyi discusses the Draft Medium-Term Revenue Strategy.

Tax & Exchange Control

1:00:59 Minutes

2 Aug 2023

by Hilary Chapfuwa and Tendai Jangara

Addressing unauthorised, irregular, fruitless and wasteful expenditure (UIFW) in municipalities

On 31 May 2023, the Auditor-General, Tsakani Maluleke, released the Consolidated General Report on Local Government Audit outcomes for the 2021-22 financial year. Unauthorised, irregular, fruitless and wasteful expenditure (UIFW) continues to be a challenge in municipalities, with only 38 out of 257 obtaining clean audits. Officials with the requisite financial skills as well as effective budgeting and controls are required to address this ongoing issue.

Corporate & White Collar Investigations

9 min read

7 Feb 2024

by Lara Granville and Mmakgabo Makgabo

Extensive changes to COMESA competition laws out for comment

Changes to the existing regulations governing the enforcement of competition law in the Common Market for Eastern and Southern Africa (COMESA) have been proposed and shared for comment by the COMESA Competition Commission (CCC). The proposed changes are extensive and were apparently prompted by challenges experienced by the CCC arising from the existing 2004 regulations.

Competition Law

6 min read

20 Mar 2024

by Andrew van Niekerk, Tsele Moloi and Khutso Mongadi

Eskom clarifies the issue of “curtailment” for IPPs

In January 2024 Eskom published the much-anticipated addendum to the Generation Connection Capacity Assessment (GCCA) (Addendum). The Addendum was first mooted in the GCCA 2025 published in October 2023 (GCCA 2025). It is intended to provide clarity in respect of Eskom’s proposal in the GCCA 2025 to use “ curtailment ” to address the challenges of limited available grid capacity faced by independent power producer (IPP) projects in the Eastern, Western and Northern Cape (the provinces). 

Corporate & Commercial Law

3 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline