Mar 19,2020 / News / Firms News
by Ahmore Burger-Smidt, Director and head of Data Privacy
Without a process to monitor, understand and prevent the spread of COVID-19 by all stakeholders, the global challenge we are confronted with will not be manageable.
At the same time, on 1 April 2020, POPIA will be fully enacted and we are reminded that POPIA and privacy laws, internationally, will inform actions undertaken by Governments and all stakeholders, including companies, alike.
Many of the actions undertaken to understand and prevent the spread of COVID-19 will involve the processing, as well as further processing, of personal information (such as name, address, workplace, travel details) of individuals, including in many cases sensitive, ‘special personal information’ (such as data relating to health).
POPIA provides that the processing of special personal information is prohibited, but also provides that the processing of special personal information without consent is lawful where it is necessary for compliance with a legal obligation or an obligation in terms of international public law. Furthermore, if it is for amongst others, statistical or research purposes, to the extent that the purpose serves a public interest and the processing is necessary for the purpose concerned, consent from an individual is not required.
Many questions by companies during this uncertain time, relate to what can and cannot be done, taking into consideration privacy laws –
In short –
It is inevitable that the processing of special categories of personal information without consent may be necessary for public health reasons. However, such processing should not result in the personal information being processed for other purposes by third parties, such as employers or insurance companies.
The same applies to personal data processed by companies as part of operational and organisational measures aimed at preventing contamination. At the least when the threat of the current coronavirus pandemic has ceased to exist, the personal health information must be completely deleted.
It is clear that companies might need to share information quickly or adapt the way they work. Privacy legislation and POPIA in particular will not stop companies from doing that. It is all about being proportionate – if something feels excessive, then it probably is. If the process feels as if it could result in a data breach, then it probably can. If it feels that personal health information is being processed for any other purpose than to prevent and manage the coronavirus from spreading, it probably is.
We live in uncertain times. At least be certain when processing personal health information in terms of POPIA post 1 April 2020.
Written by
Ahmore Burger-Smidt
Director, Head of the Data Privacy Practice Group