Avatar photo

By Faizel Patel

Senior Digital Journalist

Was South Africans’ personal information during Covid protected?

The regulator said it has been demanding a report from the Health Department to confirm how its handling South Africans' personal information.

The Information Regulator has referred the National Health Department to its Enforcement Committee after it failed to confirm whether South Africans’ personal information collected during the peak of the Covid-19 period was de-identified or destroyed.

The regulator said it took the decision following numerous unsuccessful requests for information from the Health Department.

Personal information

Spokesperson Nomzamo Zondi told The Citizen after the national state of disaster was declared in April 2020, it issued a Guidance Note on the processing of personal information in the management and containment of the Covid-19 pandemic.

“One of the very explicit matters that we had in the Guidance Note was that after the national state of disaster comes to an end, there needs to de-identification of personal information of people as it was collected during Covid.”

Demanding reports

Zondi said since May 2022, the regulator been demanding a report from the Health Department indicating how it is complying with the lawful processing of personal information collected during the Covid-19 response.

She said the Guidance Note was issued in terms of the Protection of Personal Information Act (Popia) and requires that the Health Department submit its report to Parliament.

“What they have not done is to respond to us as the information regulator which is a contravention of POPIA, which is why we now handing them over the Enforcement Committee for further investigation…  Referral to the Enforcement Committee can culminate in issuing an enforcement notice which has the same effect as a court order,” Zondi said.

ALSO READ: Sahpra green lights anti-viral meds to treat Covid


Zondi said the regulator also wanted to know if South Africans’ personal information was safeguarded.

“The regulator wanted the Health Department to confirm that it had obtained a report from an expert third-party IT security firm as to the reliability and suitability of the IT security safeguards in place in relation to personal, location and health data held by or on behalf of the government in relation to Covid-19.”

“The regulator wanted access to this report. This report was recommended to the Minister of Health by the retired Justice Kate O’regan, who had served as the designated judge to monitor the implementation of the track and trace programme to protect people’s privacy,” Zondi added.

Covid-19 contact tracing

In April 2020, the contact tracing regulations were issued in terms of the Disaster Management Act.

Zondi said these regulations authorised the compilation of an electronic Covid-19 contact tracing database for the purpose of managing the spread of COVID-19.

“The database was supposed to contain information such as the first name, surname, identity or passport number, residential address and Covid-19 test results of people who are known or suspected to have come into contact with persons known or suspected to have contracted the virus,” Zondi said.

Health Department

Health Department spokesperson Foster Mohale told The Citizen, the department will peruse the concerns raised by the Information Regulator. 

“We will go through the statement and issue a response accordingly,” Mohale said.

ALSO READ: ‘Declaring Eskom crisis a national state of disaster will reduce load shedding’ – DA