Notably, both the Information Commissioner’s Office (ICO) in the United Kingdom and the Data Protection Commission (DPC) in Ireland have issued statements in order to clarify the position on data protection in the context of the COVID-19 pandemic. These statements stress that European data protection laws are not crafted to prohibit the sharing of personal information in order to protect against serious threats to public health – such as COVID-19. Accordingly, organisations to which European data protection laws apply should not restrict themselves from taking the necessary action in response to the COVID-19 pandemic, provided that they continue to comply with data protection principles – particularly those in relation to ensuring that the personal information being processed is secure (i.e. by taking reasonable technical and organisational measures to prevent such personal information from being unlawfully accessed, lost or damaged).
Similarly, South African organisations are going to be required to balance common law and constitutional rights to privacy in the current circumstances by taking into account the provisions of the South African Protection of Personal Information Act, 2013 (POPIA), which is relevant, although not yet fully in force, to how they will lawfully process COVID-19-related personal information. POPIA provides for the legal basis on which personal information may be processed. The best solution is to obtain the person’s consent and, given the sensitive nature of this information, to take the necessary steps to ensure that the personal information is safeguarded and kept secure, is not used for any other unrelated purpose and is not retained for longer than it is required. Where it is not possible or practical to obtain consent, POPIA provides for instances of specific authorisation for the processing of health data, including “processing by…medical professionals, healthcare institutions or facilities or social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned”. Other organisations that are required to process COVID-19-related personal information could also potentially rely on the general authorisation that the processing of such health-related personal information is “necessary for the establishment, exercise or defence of a right or obligation in law” – provided that the organisation in question can show that the processing in question took place in accordance with a specific law.
While it will generally be lawful for relevant South African organisations to carry out reasonable processing of COVID-19-related personal information in the current circumstances, considering the increased cyber security risks that are presenting themselves during the COVID-19 pandemic, organisations processing COVID-19-related personal information (e.g. of their employees) should take necessary steps to ensure that the relevant COVID-19-related personal information is kept secure and that the privacy rights of individuals impacted by the virus are protected.