In Tuesday night’s update on the Covid-19 coronavirus pandemic, President Cyril Ramaphosa announced: “Using mobile technology, an extensive tracing system will be rapidly deployed to trace those who have been in contact with confirmed coronavirus cases and to monitor the geographical location of new cases in real time.”
You may ask: “What about my right to privacy? What about the Protection of Personal Information Act (Popia) and the protection it gives me? After all, my geographical location data is personal information that obliges others to protect it. So why is the state suddenly allowed to track my every move?”
Well, Popia does protect your personal information, which includes location data.
But there are certain conditions that exempt a situation from Popia.
One of those instances is where a public body, such as the health department or the police, is involved in activities such as public safety.
This means that Popia’s protections, such as obtaining your consent, will not apply.
All is not lost, however. Popia does say that, where it does not apply and therefore does not protect your personal information, your location data must be protected by another law.
But even if there is another law that protects the way in which location data is processed, it is still a draconian approach.
So why is it permitted?
The reality is that because a pandemic like Covid-19 is such a serious threat, even countries that uphold the strongest democratic principles believe that such measures are necessary.
The EU probably has the most stringent data protection laws in the world.
Its European Data Protection Board (EDPB) said the following regarding using technology to fight Covid-19: “It is in the interest of humanity to curb the spread of diseases and to use modern techniques in the fight against scourges affecting great parts of the world ... Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data. In all cases, it should be recalled that any measure taken in this context must respect the general principles of law and must not be irreversible.
“Emergency is a legal condition which may legitimise restrictions of freedoms, provided that these restrictions are proportionate and limited to the emergency period.”
What is clear, however, is that government did not wake up on Monday morning and decide that it was going to start tracking and tracing people, it was clearly planning this from the week before.
On March 26, it published directions – a sort of lesser law – that oblige telecommunications service providers such as MTN, Vodacom and Cell C to provide assistance with the tracking and tracing of people.
The directions, called the Electronic Communications, Postal and Broadcasting Directions, say that “telecommunications service providers and the internet and digital sector in general must provide location-based services in collaboration with the relevant authorities identified to support designated departments to combat the spread of Covid-19”.
What is important, though, is that the state cannot simply implement this directive without considering best practice that has been developed in other jurisdictions.
The EDPB gives a good example of what is probably best practice.
It highlights three important principles:
. Personal data that is used to achieve the directive’s objectives should be processed for specific and explicit purposes, that is fighting the Covid-19 pandemic;
. People should be given transparent information on how their data is being processed, such as how long their personal data will be kept and what it will be used for; and
. Crucially, because of the immense harm that can happen to people if personal data, such as their location, is leaked, adequate security measures and confidentiality policies must be adopted to ensure that personal information is not disclosed to unauthorised parties.
The EDPB concludes by saying that it is important that measures that are implemented to manage emergencies such as the Covid-19, and the decisions on which the measures are based, should be appropriately documented.
This is not rocket science and is not new to our government.
In a recent court ruling involving the state’s collection of personal information using the Regulation of Interception of Communications and Provision of Communication Related Information Act (Rica) –Amabhungane v Minister of Justice and Correctional Services – the judge held that the manner in which the state collected and held personal information, usage and accessibility controls, as well as its integrity oversight model were inadequate.
For example, Amabhungane argued that there were inadequacies in where intercepted information was stored and who may have access to it.
The judge agreed that Rica did not prescribe sufficient procedures to follow when state officials are examining, copying, sharing, sorting through, using, destroying and/or storing the data obtained from interceptions.
In dire circumstances such as these, even the most ardent proponent of privacy rights will concede that the appropriate use of location data to combat Covid-19 is justified.
The state just needs to assure us that the way it will collect the location data, what it will do with it, how long it will keep it, and how securely it will be kept will be in accordance with international best practice.
Of course, if we all stay home, stay safe and avoid contracting Covid-19 then there may not be any need for the state to collect our location data … we hope.
Pierce is a director at PPM Attorneys, a media and technology-focused law firm. He specialises in privacy and information security law
Get in touch
|Rise above the clutter | Choose your news | City Press in your inbox|
|City Press is an agenda-setting South African news brand that publishes across platforms. Its flagship print edition is distributed on a Sunday.|