Pursuant to the Regulations published in terms of section 27(2) of the Disaster Management Act 57 of 2002 (Regulations) and the subsequent amendments thereto, the Information Regulator, established in terms of The Protection of Personal Information Act 4 of 2013 (POPI Act) has issued a Guidance Note on the processing of personal information of data subjects in the management and containment of COVID-19. (Guidance Note)
The long awaited POPI Act remains partially in effect, meaning that only certain provisions of the statute are in full force and effective. These provisions include the definitions section as well as the sections required to establish the Information Regulator, however, these sections do not create any substantive obligations.
In January 2020, the Chairperson of the Information Regulator, Advocate Pansy Tlakula, confirmed that her office requested that President Ramaphosa proclaim the remaining provisions of the POPI Act to be effective from 1 April 2020. In light of the national state of disaster that was declared on 15 March 2020, the President did not act on this request and the commencement date of the POPI Act is yet to be announced.
According to the Regulator, the purpose of the Guidance Note is to give effect to the right to privacy as it relates to the protection of personal information and provide guidance to public and private bodies and their operators on the reasonable limitation of the right to privacy when they process personal information of data subjects for the purpose of managing the spread of COVID19.
The Guidance Note outlines the conditions for the lawful processing of personal information in order to detect, contain and prevent the spread of COVID-19.
These conditions include the following obligations: to ensure that personal information is collected for a specific purpose only, namely: to manage the spread of COVID 19; to put adequate security measures in place to ensure the integrity and confidentiality of personal information of data subjects; and to destroy or delete the information when no longer authorised to retain it.
The Guidance Note also confirms that a responsible party is not required to obtain the consent of a data subject prior to the processing of person information in the context of COVID-19.
As the POPI Act is not yet fully in force, the Guidance Note itself is not binding and merely encourages proactive compliance with the POPI Act in order to give effect to the right to privacy as it relates to the protection of personal information.
Despite its limited enforceability, it is advisable for all responsible parties engaging in the processing of personal information to move towards achieving compliance with the requirements of the POPI Act. However, once all of the provisions of the POPI Act have come into force, a 12- month grace period is provided in order to afford affected persons the opportunity to achieve compliance.