Demystifying “Draconian, Irrational and Infringement of Privacy” Laws

Demystifying “Draconian, Irrational and Infringement of Privacy” Laws

This month’s guest is Lebogang George, a legal consultant specialising in Information, Communications and Technology (ICT) Law, IT Governance as well as Data Protection and Privacy Law. Her passion for Human Rights stems from her first job as a Legal Intern at ProBono. Org from 2011 to 2012.

Pandemics have a way of elevating economic inequalities and revealing the injustices occurring in marginalised communities. There is no doubt that what COVID-19 has revealed, amongst other things, is how it is disproportionately impacting disadvantaged communities. While laws and regulations are put in place to mitigate the damage that the pandemic will cause and to protect and save as many lives as possible, there are some laws and regulations that seem arbitrary, counterintuitive and even draconian. For the most part, these laws seem irrational and infringing on certain rights simply because they are not explained thoroughly, and information is not easily accessible and elucidated to those that it impacts the most. What this article hopes to achieve is to demystify the so-called “draconian, irrational and infringement of privacy” laws brought about as a reaction to the COVID-19 pandemic.

As the spread of COVID-19 became more rampant it was apparent that the Government had to act decisively in curbing the spread of the virus, especially in the more vulnerable and marginalised communities. Managing the spread of the virus and flattening the curve meant the introduction of contact tracing, another uncharted legal territory that had to be resorted to. In the amended Disaster Management Regulations gazetted in April 2020, contact tracing would be used to trace people who are known or reasonably suspected to have come into contact with anyone known or reasonably suspected to have contracted COVID-19. The Disaster Management Regulations would allow the Government to set up a COVID-19 tracing database which would assist the Department of Health to track persons who are reasonably suspected to have come into contact with Covid-19 infected persons. This meant that information such as identity numbers, passport numbers, full names, phone numbers, physical residential addresses, COVID-19 test results and full details of persons they had come into contact with would be needed and therefore collected. This also meant that Government would need to galvanise mobile networks to assist them as the use of cell phone data would be imperative in contact tracing. The sharing of location data would allow the location of data subjects to be traced, electronic communication service providers would process collected data for the government to use for the purpose of tracking subjects to combat the spread of COVID-19.

It is important to note and reiterate that there are laws and regulations that have come into effect specifically to control and contain the spread of COVID-19. Where, on the face of it, it appears as if these laws exist to limit certain rights, such as the right to privacy and protection of personal information, what is key to also note and reiterate is that the apparent limitation is justified and these laws and regulations are by no means in contravention of any rights. In terms of section 36 (1) of the Constitution of the Republic of South Africa, No. 108 of 1996 the general requirement for the limitation of any right is that it may be limited only in terms of the law of general application “to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom”.

While prima facie it may seem as though contact tracing is in contravention of the Protection of Personal Information Act, No. 4 of 2013 known as POPIA, the Information Regulator, who is the authority appointed to enforce and ensure compliance with POPIA once the Act becomes fully effective, issued a Guidance Note on 3 April 2020 to assure the public that contact tracing and the Disaster Management Regulations were not in conflict with POPIA and that public and private bodies, in the attempt to contain and reduce the spread of COVID-19, should be proactive in their compliance with POPIA when processing personal information of data subjects who have tested or are infected with COVID-19 or have been in contact with such data subjects.

Below are some salient questions and points with regards to contact tracing and POPIA.

    1. Your rights in terms of POPIA
      The right of privacy is enshrined in the Constitution which expressly states that everyone has the right to privacy. POPIA is aimed at facilitating the protection of privacy. The lawful processing and collecting as well as sharing of personal information is regulated by POPIA and persons collecting, processing and sharing any personal information will need to seek consent first from the data subject i.e. the person to whom the personal information relates.
      Sections 9 – 11 of POPIA go further to protect the data subject’s rights by providing conditions for processing personal information, which are that it must be lawful, minimal – in that it must only be collected for the purpose it is supposed to serve – and the collection and processing of such personal information is justified and meets the objectives for which it was collected in the first place.
    2. Have your rights changed due to COVID-19 and the Disaster Management Act Regulations?
      This is important. The answer is, No. The Disaster Management Act regulations have not impacted on the privacy of the South African people, their rights have not been infringed or taken away. Where processing and collection of personal information is imposed by law and/or protects the legitimate interest of the data subject or where the processing and collection of personal information is necessary for performance of a public law duty by a public body, or processing is necessary for pursuing legitimate interests, the collection and processing is lawful and justified. The objective of contact tracing is to prevent a serious and imminent threat to public safety and/or a public health, health of data subject or other individuals that the data subject has come into contact with. Contact tracing therefore passes the lawful, minimality, justification and legitimate test provided for in POPIA.Consent is therefore not necessary where the collection of data and personal information is to detect, contain and prevent the spread of COVID-19, where the collection of personal information is done to exercise public duty to pursue a legitimate purpose – that of curbing the spread of COVID-19 and saving lives. Having said that, under the Guidance Note issued by the Information Regulator in April, consent in the context of COVID-19 cannot be withheld by a data subject.
    3. The Impact of contact tracing on your rights in terms of POPIA.
      Covid-19 has not impacted on the rights of any individual in terms of POPIA. It has only limited them in a reasonable and justifiable manner. When personal information is collected from a data subject it must still meet the requirements of POPIA, in that it must be lawful, justifiable, reasonable, there is a legitimate interest, minimality, and the purpose has to be clearly specified. The collection of personal information is for purposes of contact tracing which tracing seeks to detect, contain and prevent the spread of COVID-19 as well as prevent deaths and save lives.Personal information and data collection for purposes of contact tracing must not be retained longer than authorised to achieve the purpose of detecting, containing and preventing the spread of COVID-19 unless the information required is for historical, statistical or research purposes and adequate safeguards are in place. Further, destruction and deletion must be done in a manner that prevents reconstruction.
    4. What are your personal information and data privacy rights post-level 4?
      As the country cautiously enters into level 3 and more industries, churches and places of work reopen as well as schools, contact tracing will become more important and necessary. A reopening of most businesses means more interactions and increased movement, which is how the virus spreads. Contact tracing will be used to detect and record these movements. Employers will be allowed to request specific information on the health status of an employee in the context of COVID-19 as the movement of an employee under level 3 will no longer be limited to grocery stores for essentials but will be increased to churches and other places. In terms of the Guidance Note an employee can be forced to undergo testing, the data subject cannot refuse to give consent and a person who has tested positive has a duty to disclose his/her status for the safety of others and for the purpose of enabling the government to take appropriate measures to address, combat and prevent the spread COVID-19.

    We are living in unprecedented times and every day we are entering into uncharted waters. There will be laws that are confusing, that look like they are designed to infringe on our rights to freedom and to privacy. It falls upon us as legal practitioners to demystify these laws and where in fact they infringe upon human rights or have the potential to infringe on human rights and/or on the rights to privacy, we must challenge them in a responsible manner, bearing in mind the balancing act between constitutional rights and saving and preserving life.

     

    Click here for our complete June 2020 Newsletter

FOLLOW US!

SIGN UP FOR OUR NEWSLETTER: