Data protection in the age of technology-based disease surveillance

Author: 
Amanda Manyame
Publisher: 
APC

Principle 8 of the African Declaration on Internet Rights and Freedoms provides for the right to online privacy, including the protection of every person’s personal data. Such a right and such protection have become necessary because of the uses of personal data and data in general. It used to be that a person’s personal space was limited. However, emerging technologies have allowed for entities to make use of data and personal data in a manner that provides strategic advantages.

This has been particularly true in the health sector and during the COVID-19 pandemic, during which technology-based surveillance has been used to curb the spread of the virus. The most popular measure being adopted by countries to curb the spread of COVID-19 has been the use of personal and health data to trace and predict the spread of the disease. This is being done by making use of technology-based disease surveillance which has resulted in the over-disclosure of personal and health data about persons infected with COVID-19 and those they have come in contact with.

This approach has resulted in the mass collection of personal data and the limitation of the right to privacy of individuals. It is, however, generally accepted that human rights may be limited, if such limitation is reasonable and proportional to the reason for the limitation. This was reiterated in the United Nations Policy Brief titled “COVID-19 and Human Rights: We are all in this together”.

It has also been generally accepted that the use of technology in response to COVID-19 must adhere to the principles of processing personal data, which include transparency, accountability, confidentiality and security. Without data protection regulations or COVID-19 regulations that provide for these principles and enforcement thereof, the personal and health databases that are being created may be susceptible to abuse – and more so in instances where there is not adequate regulation of the destiny of these databases after the COVID-19 pandemic. This is the predicament that South Africa faces, with the recent announcement that the provisions in the 2013 Protection of Personal Information Act (POPIA) for the processing of personal data are only effective from 1 July 2020, with a 12-month grace period for compliance.

Accordingly, this paper explores the adequacy of the COVID-19 regulations enacted in South Africa as they pertain to protection of the personal and health data being collected in an attempt to curb the spread of COVID-19.

Read the full paper here.
« Retourner