A lot has happened in South Africa since April: lockdown regulations continue to ease, the majority of businesses are operating again and staff members are returning to work. However, the pandemic is by no means over and, in addition, the big news is that the Protection of Personal Information Act (POPI Act) commenced on 1 July 2020, which means that your organisation has only a one-year grace period to adopt and implement measures to ensure compliance with the Act’s provisions by the time it becomes effective.
With all of this happening it is easy to feel overwhelmed. VDT Attorneys has put together these FAQs to provide answers to a few common questions raised about the processing of personal information during the COVID-19 pandemic and the ever-changing lockdown regulations.
Bear in mind that your business may have unique circumstances or operating requirements which require additional protocols to be put in place. Therefore, the questions and answers provided here are intended as a general overview about what organisations should be considering and potentially implementing, when they process personal information during COVID-19.
1. When our staff return to work, we want to carry out tests to check whether our staff have COVID-19 symptoms or the virus itself. Do we need to consider data protection law?
Yes. You will be processing personal information that relates to an identified or identifiable individual, so you need to comply with the POPI Act. That means handling it lawfully, fairly and transparently. Personal data that relates to health is more sensitive and is classed as special personal information, so it must be even more carefully protected.
The POPI Act does not prevent you from taking the necessary steps to keep your staff and the public safe and supported during the present public health emergency. It does require you to be responsible with people’s personal data and ensure it is handled with care.
2. How can I show that our approach to testing is compliant with data protection law?
To show that your processing of COVID-19 test data is compliant, you will need to rely on the POPI Act’s accountability condition, which makes you responsible for complying with the Act and requires you to be able to demonstrate your compliance (for example, by meeting the additional record-keeping requirements that apply when processing sensitive data). One way of demonstrating accountability is through a data protection impact assessment (DPIA). If your organisation is going to undertake testing and process health information (information which your organisation may not be inclined to process under normal circumstances), then we recommend conducting a DPIA focussing on the new risk areas.
3. How do I decide if symptom checking, testing and the processing of health data of employees is necessary?
As lockdown eases and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe.
To help you decide whether measures such as collecting employees’ health information or asking staff to be tested for COVID-19 are necessary, you should consider the specific circumstances of your organisation and workplace, including:
- the type of work you do;
- the type of premises you have; and
- whether working from home is possible.
You should also consider any specific regulations or health and safety requirements that apply to your organisation or professional staff and any duty of care that you owe to them.
Keep in mind that, due to its sensitivity, health data has the protected status of special personal information under the POPI Act.
You should be clear about what you are trying to achieve and whether personal information is necessary for that purpose. The POPI Act provides you with flexibility if you can demonstrate that you need to process personal information for a specific purpose.
Once you’ve considered your circumstances, ask yourself these questions:
- Do you really need the information?
- Will these steps actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information; in particular, health information?
If your organisation can show that your approach is reasonable, fair and proportionate to the circumstances, then it’s unlikely that data protection would be a barrier to your organisation’s continued operation. If staff proactively ask you to collect information or to undertake testing, this could be used to demonstrate that your measures are proportionate for those employees.
If your organisation has decided that it is necessary to test staff, you need to make sure you hold and use the information appropriately. When considering if your organisation’s approach can be less intrusive, the following examples may be useful:
- Can the collection of health information be confined to the highest-risk roles?
- Can access to health information be limited so that it will only be seen by medically qualified staff, those working under specific confidentiality agreements or those in appropriate positions of responsibility?
- Are there reasonable alternative measures which don’t rely on personal information, such as strict social distancing or working from home?
4. How do I decide what type of tests are necessary?
As part of the measures you are taking in response to COVID-19 you will need to make a decision on what tests are necessary for fulfilling your health and safety obligations as an employer.
You will need to consider how these measures will meet your intended purpose of keeping the workplace safe and how effective these measures are at providing accurate results. You will need to be mindful of the latest government advice about what tests are considered to be the most effective and reliable indicators that an employee may have contracted COVID-19.
5. Which lawful basis can I use for testing employees?
As long as there is a good reason for doing so, you should be able to process health data about COVID-19. For public authorities carrying out their function, ‘in the public interest’ is likely to be applicable. For other public or private employers, ‘legitimate interests’ is likely to be appropriate, but you should make your own assessment for your organisation. For example, an employer is obliged to maintain a safe and hazard-free working environment in terms of the Occupational Health and Safety Act 85 of 1993 read together with the Employment Equity Act 55 of 1998, but the disclosed information should not be used to unfairly discriminate against such an employee.
Due to its sensitivity, health data has the protected status of ‘special’ personal information under the POPI Act. As such, employers must ensure that their processing of any health information meets the required standards explained in the Act, and must not use the information shared for any purpose other than to mitigate the spread of the virus (or as required by law) unless the person to whom the health information relates consents thereto.
6. What do I need to tell my staff?
Before carrying out any tests, you should at least let your staff know what personal data is required, what it will be used for, and who you will share it with. You should also let them know how long you intend to keep the data for. It would also be helpful for you to provide employees with the opportunity to discuss the collection of such data if they have any concerns.
7. Can I make it mandatory that my staff are checked for COVID-19 symptoms or tested?
Making testing mandatory is not simply a question of data protection. You can actively encourage members of staff to be checked for symptoms or to be tested, but there are many other factors to consider such as employment law and your contracts with employees, health and safety requirements and equality issues. You should consider other regulations applicable to your industry and the latest government guidance, if any, for your sector.
The POPI Act applies to any personal information that you collect and use. This must be necessary, lawful, fair and transparent. If you make checks and tests mandatory, you must carefully consider whether your use of the data is fair and proportionate. You should take into account any potential negative consequences for individuals and whether using a voluntary approach could achieve the same or similar results. Before you put such measures in place, we recommend doing a data protection impact assessment.
8. How often should I check for symptoms or test employees?
This will depend on the safety measures that your organisation needs to put in place. Any checking or testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to the specific circumstances including, in some cases, the role which staff fulfil.
As an employer, and a responsible party for your employees’ health information, you will need to decide the appropriate timescale between tests. For example, in some sectors such as health and social care, where interactions with vulnerable individuals are common, repeat testing may be required more often.
You also have a responsibility to take reasonable steps to ensure that the data you hold is up to date and accurate.
Individuals’ health status may change over time, so if you do decide to make any record of test results, you should ensure its accuracy by indicating the date of the result where appropriate. Any decisions you take must be based on factually correct information.
9. My organisation provides or has commissioned a testing service for its employees. What information do I have to provide to employees about results?
If your organisation is providing a service for testing employees, you must process personal information lawfully, fairly and transparently.
Before carrying out any tests, you must tell your staff what personal information is required, what it will be used for, and who you will share it with. You should also tell them how long you intend to keep the data for. It would also be helpful for you to provide the opportunity for employees to discuss the collection of their data with you if they have any concerns. You should consider any potential negative consequences for staff and whether these would make your use of their data unfair. Employees should also be informed about any rights they may have in relation to this data, such as their right of access.
10. Some staff already have the results of tests that they have arranged for themselves. If they disclose these results to me, what are the data protection considerations?
For any test results that are voluntarily disclosed to you as an employer, you should have due regard for the security of that data, and consider any duty of confidentiality owed to those individuals who have provided test results. Your focus should be on making sure your use of the data is necessary and relevant, and that you do not collect irrelevant or excessive data, or share it with authorities, where this is not required.
11. Can I keep lists of employees who either have symptoms or have been tested as positive?
Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purposes. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.
As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time. It would also not be fair to use, or retain, information you have collected about the number of staff who have reported symptoms of COVID-19 for purposes they would not reasonably expect.
12. How do I ensure I don’t collect too much data?
For special personal information, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.
In order to not collect too much data, you must ensure that it is:
- adequate – enough to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
In the context of test results, you need to ensure you do not collect unnecessary or excessive information from people. For example, you will probably only require information about the result of a test, rather than additional details about underlying conditions. Consider which testing options are available to ensure that you are only collecting results that are necessary and proportionate. As an employer you should be able to demonstrate the reason for testing individuals or obtaining the results from tests.
The POPI Act also requires that any personal data you hold is accurate. As such, you should record the date of any test results, because the health status of individuals may change over time and the test result may no longer be valid.
13. Can I share the fact that someone has tested positive with other employees? What do I need to consider if I am planning to disclose this information to third parties?
You should keep staff informed about potential or confirmed COVID-19 cases amongst their colleagues. However, you should avoid naming individuals if possible, and you should not provide more information than is necessary.
As an employer, it’s your duty to ensure the health and safety of all your employees. Data protection doesn’t prevent you doing this, and should not be viewed as a barrier to sharing data with authorities for public health purposes, or the police where necessary and proportionate. There are many routes available to share data, using some of the conditions and exemptions in the POPI Act. You also need to take into account the risks to the wider public which may be caused by failing to share information, and take a proportionate and sensible approach.
14. How do I ensure that staff are able to exercise their information rights as part of this process?
You should ensure that staff are able to exercise their information rights. To make this easier you may wish to put processes or systems in place that will help your staff exercise their rights during the COVID-19 crisis. Other applicable laws may need to be considered in this regard, such as the Promotion of Access to Information Act 2 of 2000 (PAIA), which requires organisations to have a PAIA Manual in place governing access to the organisation’s records.
In relation to the right of access you might, depending on the organisation’s resources, circumstances and needs, consider setting up secure portals or self-service systems that allow staff to manage and update their personal data where appropriate. This may also allow individuals to exercise other rights such as the right to rectification or erasure of their data. Where this is not possible, you should make sure that basic legal policies and procedures are in place to allow employee data to be readily available when needed.
Our POPI Act services include assistance with:
- Legal compliance documents such as privacy policies, website terms and conditions, PAIA manuals, third-party operator agreements, cookie policies, employee/in-house processing policies, incident and breach management reporting procedures and policies, and a high-level POPI Act guide
- High-level POPI Act compliance impact assessments
- POPI Act training
- Development of a compliance framework and implementation thereof
- A protocol list to guide employees and management on what to do and what not to do when processing personal information day-to-day
- POPI Act business self-auditing questionnaires
- Updating of existing customer and operator agreements
- Guidance on the role of the Information Officer, including the appointment letter, required duties and the need to register with the Information Regulator
- Information concerning the Information Regulator, points of contact and processes to follow