FAQs on processing personal data during COVID-19
The Information Regulator
published a Guidance
Note on 3 April 2020 to assist organisations in their processing of
personal information in the management and containment of the COVID-19 pandemic.
This Guidance Note is largely based on the conditions for the lawful processing
of personal data as described in the POPI Act.
A lot has happened in South
Africa since April though; with lockdown regulations continuing to ease, the
majority of businesses operating again and staff members also returning to
work. However, by no means is the pandemic over and, in addition, the big news
is that the Protection of Personal Information Act (POPI Act) commenced on 1 July
2020 which means that your organisation only has a one-year grace period to
ensure that it adopts and implements measures to ensure compliance with the
Act’s provisions by the time it becomes effective.
With all of this happening it is
easy to feel overwhelmed. VDT Attorneys
has put together these FAQs to provide answers to a few common questions raised
about the processing of personal information during the COVID-19 pandemic and
the ever-changing lockdown regulations.
Bear in mind that your business
may have unique circumstances or operating requirements which require
additional protocols to be put in place. Therefore, the questions and answers
provided here are intended as a general overview about what organisations
should be considering and potentially implementing, when they process personal
information during COVID-19.
1. When our staff return to work, we want to carry out tests to check whether our staff have COVID-19 symptoms or the virus itself. Do we need to consider data protection?
Yes. You will be processing personal
information that relates to an identified or identifiable individual, so, you
need to comply with the POPI Act. That means handling it lawfully, fairly
and transparently. Personal data that relates to health is more sensitive and
is classed as special personal information so it must be even more carefully
The POPI Act does not prevent you
from taking the necessary steps to keep your staff and the public safe and
supported during the present public health emergency. It does require you to be
responsible with people’s personal data and ensure it is handled with care.
2. How can I show that our approach to testing is compliant with data protection law?
To show that your processing of COVID-19
test data is compliant, you will need to use the POPI Act’s accountability
condition which makes you responsible for complying with the Act and says that
you must be able to demonstrate your compliance, for example additional record
keeping requirements when processing sensitive data. One way of
demonstrating accountability is through a data protection impact
assessment (DPIA). If your organisation is going to undertake testing and
process health information (information which your organisation may not be
inclined to process under normal circumstances), then we recommend conducting a
DPIA focussing on the new risk areas.
3. How do I decide if symptom checking, testing and the processing of health data of employees is necessary?
As lockdown eases and workplaces
and other locations begin to reopen, employers and organisations will need to
put appropriate measures in place to keep people safe.
To help you decide whether
measures such as collecting employees' health information or asking staff to be
tested for COVID-19 are necessary, you should consider the specific
circumstances of your organisation and workplace, including:
the type of work you do;
the type of premises you have; and
whether working from home is possible.
You should also consider any
specific regulations or health and safety requirements that apply to your
organisation or professional staff and any duty of care that you owe to them.
Keep in mind that, due to its sensitivity,
health data has the protected status of special personal information under the POPI Act.
You should be clear about what
you are trying to achieve and whether personal information is necessary for
that purpose. The POPI Act provides you with flexibility if you can demonstrate
that you need to process personal information for a specific purpose.
Once you’ve considered your
circumstances, ask yourself these questions:
Do you really need the information?
Will these steps actually help you provide a safe
Could you achieve the same result without collecting
personal information; in particular, health information?
If your organisation can show
that your approach is reasonable, fair and proportionate to the circumstances,
then it’s unlikely that data protection would be a barrier to your organisation’s
continued operation. If staff proactively ask you to collect information or to
undertake testing, this could be used to demonstrate that your measures are
proportionate for those employees.
If your organisation has decided
that it is necessary to test staff, you need to make sure you hold and use the
information appropriately. When considering if your organisation’s approach can
be less intrusive, the following examples may be useful:
Could the collection of health information be confined to the highest-risk roles?
Could access to health information be limited so that it will only be seen by
medically qualified staff, those working under specific confidentiality
agreements or those in appropriate positions of responsibility?
Are there reasonable alternative measures which don't rely on personal information,
such as strict social distancing or working from home?
4. How do I decide what type of tests are necessary?
As part of the measures you are
taking in response to COVID-19 you will need to make a decision on what tests
are necessary for fulfilling your health and safety obligations as an employer.
You will need to consider how
these measures will meet your intended purpose of keeping the workplace safe
and how effective these measures are at providing accurate results. You will
need to be mindful of the latest government advice about what tests are
considered to be the most effective and reliable indicators that an employee
may have contracted COVID-19.
5. What lawful basis can I use for testing employees?
As long as there is a good reason
for doing so, you should be able to process health data about
COVID-19. For public authorities carrying out their function, ‘in the
public interest’ is likely to be applicable. For other public or private
employers, ‘legitimate interests’ is likely to be appropriate, but you should
make your own assessment for your organisation.
For example, an employer is obliged to maintain a safe and hazard-free
working environment in terms of the Occupational Health and Safety Act 85
of 1993 read together with the Employment Equity Act 55 of 1998, but the
disclosed information should not be used to unfairly discriminate against such
Due to its sensitivity, health data
has the protected status of ‘special’ personal information under the POPI Act.
As such, employers must ensure that their processing of any health information
meets the required standards explained in the Act and not use the information
shared for any other purposes other than to mitigate the spread of the virus
(or as required by the law) unless the person to whom the health information
relates, consents thereto.
6. What do I need to tell my staff?
Transparency is vital.
“Openness” is a condition for the lawful processing of personal data in terms
of the POPI Act. As an employer, you should therefore be clear, open and honest
with employees from the start about how and why you wish to use their personal
data. This is crucial when processing health information. If you are
testing employees for COVID-19 or checking for symptoms, you should be clear
about what decisions you will make with that information. Employers should have a clear and
data is processed.
Before carrying out any tests,
you should at least let your staff know what personal data is required, what it
will be used for, and who you will share it with. You should also let them know
how long you intend to keep the data for. It would also be helpful for you to
provide employees with the opportunity to discuss the collection of such data
if they have any concerns.
7. Can I
make it mandatory that my staff are checked for COVID-19 symptoms or tested?
Making testing mandatory is not
simply a question of data protection. You can actively encourage members of
staff to be checked for symptoms or to be tested, but there are many other
factors to consider such as employment law and your contracts with employees,
health and safety requirements and equality issues. You should consider other
regulations applicable to your industry and the latest government guidance, if
any, for your sector.
The POPI Act applies to any
personal information that you collect and use. This must be necessary, lawful,
fair and transparent. If you make checks and tests mandatory, you must
carefully consider whether your use of the data is fair and proportionate. You
should take into account any potential negative consequences for individuals
and whether using a voluntary approach could achieve the same or similar
results. Before you put such measures in place, we recommend doing a data
protection impact assessment.
8. How often should I check for symptoms or test employees?
This will depend on the safety
measures that your organisation needs to put in place. Any checking or testing
of your staff, and subsequent processing of their health information, should be
reasonable and proportionate to the specific circumstances including, in some
cases, the role which staff fulfil.
As an employer, and a responsible
party for your employees’ health information, you will need to decide the
appropriate timescale between tests. For example, in some sectors such as
health and social care, where interactions with vulnerable individuals are
common, repeat testing may be required more often.
You also have a responsibility to
take reasonable steps to ensure that you hold up to date and accurate
Individuals’ health status may
change over time, so if you do decide to make any record of test results, you
should ensure its accuracy by indicating the date of the result where
appropriate. Any decisions you take must be based on factually correct information.
9. My organisation provides or has commissioned a testing service for its employees.
What information do I have to provide to employees about results?
If your organisation is providing
a service for testing employees, you must process personal information
lawfully, fairly and transparently.
Before carrying out any tests,
you must tell your staff what personal information is required, what it will be
used for, and who you will share it with. You should also tell them how long
you intend to keep the data for. It would also be helpful for you to provide
the opportunity for employees to discuss the collection of their data with you
if they have any concerns. You should consider any potential negative
consequences for staff and whether this will mean your use of their data could
be unfair. Employees should also be informed about any rights they may
have in relation to this data, such as their right of access.
10. Some staff already have the results of
tests that they have arranged for themselves. If they disclose these results to
me, what are the data protection considerations?
For any test results that are voluntarily
disclosed to you as an employer, you should have due regard for the security of
that data, and consider any duty of confidentiality owed to those individuals
who have provided test results. Your focus should be on making sure your use of
the data is necessary and relevant, and you do not collect or share
irrelevant or excessive data to authorities if this is not required.
11. Can I keep lists of employees who either
have symptoms or have been tested as positive?
Yes. If you need to collect
specific health data about employees, you need to ensure the use of the data is
actually necessary and relevant for your stated purposes. You should also
ensure that the data processing is secure, and consider any duty of
confidentiality owed to employees.
As an employer, you must also
ensure that such lists do not result in any unfair or harmful treatment of
employees. For example, this could be due to inaccurate information being
recorded, or a failure to acknowledge an individual’s health status changing
over time. It would also not be fair to use, or retain, information you have
collected about the number of staff who have reported symptoms of COVID-19 for
purposes they would not reasonably expect.
12. How do I ensure I don’t collect too much data?
For special personal information,
such as health data, it is particularly important to only collect and retain
the minimum amount of information you need to fulfil your purpose.
In order to not collect too much
data, you must ensure that it is:
· adequate – enough to properly fulfil
your stated purpose;
· relevant – has a rational link to
that purpose; and
· limited to what is necessary – you do not hold more than you need for that purpose.
In the context of test results,
you need to ensure you do not collect unnecessary or excessive information from
people. For example, you will probably only require information about the
result of a test, rather than additional details about underlying conditions.
Consider which testing options are available to ensure that you are only
collecting results that are necessary and proportionate. As an employer you
should be able to demonstrate the reason for testing individuals or obtaining
the results from tests.
The POPI Act also requires that
any personal data you hold is accurate. As such, you should record the date of
any test results, because the health status of individuals may change over time
and the test result may no longer be valid.
13. Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
You should keep staff informed
about potential or confirmed COVID-19 cases amongst their colleagues. However,
you should avoid naming individuals if possible, and you should not
provide more information than is necessary.
As an employer, it’s your duty to
ensure the health and safety of all your employees. Data
protection doesn’t prevent you doing this, and should not be viewed as a
barrier to sharing data with authorities for public health purposes, or the
police where necessary and proportionate. There are many routes available to
share data, using some of the conditions and exemptions in the POPI Act. You
also need to take into account the risks to the wider public which may be
caused by failing to share information, and take a proportionate and sensible
14. How do I ensure that staff are able to exercise their information rights as part of this process?
In order for individuals to
exercise their rights, they need to understand what personal data you hold, and
what you are using it for. As such, transparency is crucial and you should
let your staff know how you will use their data in a way that is accessible and
easy to understand. An in-house privacy
policy is a good example of this.
You should also ensure that staff
are able to exercise their information rights. To make this easier you may wish
to put processes or systems in place that will help your staff exercise their
rights during the COVID-19 crisis. Other applicable laws may need to be
considered in this regard, such as the Promotion of Access to Information Act 2 of
2000 (PAIA), which requires organisations to have a PAIA Manual in place when it
comes to accessing records of an organisation.
In relation to the right of
access you might, depending on the organisation’s resources, circumstances and
needs, consider setting up secure portals or self-service systems that allow
staff to manage and update their personal data where appropriate. This may also
allow individuals to exercise other rights such as the right to rectification
or erasure of their data. Where this is not possible, you should make sure that
basic legal policies and procedures are in place to allow employee data to be
readily available when needed.
For more information or
assistance regarding how to comply with the POPI Act, contact PR De Wet or
Hayley Levey. www.popipack.co.za
| email@example.com | 012 452 1300
Our POPI Act services include assistance with:
- Legal compliance documents such as privacy policies, website terms and conditions, PAIA manuals, third-party operator agreements, cookie policies, employee/ in-house processing policies, incident breach management reporting procedure and policy and high-level POPI Act guide
- High level POPI Act compliance impact assessments
- POPI Act training
- Development of a compliance framework and implementation thereof
- A protocol list to guide employees and management on what to do and what not to do when processing personal information day-to-day
- POPI Act business self-auditing questionnaires
- Updating of existing customer and operator agreements
- Guidance on the role of the Information Officer including appointment letter, required duties and need to register with the Information Regulator
- Information concerning the Information Regulator, points of contact and processes to follow