What to consider when processing personal health data during COVID-19

As lockdown regulations ease and more businesses begin to open their doors, here are some key points to consider regarding the collection and use of personal data as required by government for health tracing purposes. This is particularly important given that the Protection of Personal Information Act (POPI Act) commenced on 1 July 2020.

Processing personal information during a pandemic carries responsibility. Data protection law does not stop organisations from asking their employees whether they are experiencing any COVID-19 symptoms, or from introducing appropriate testing. However, organisations must still apply the principles of the law, such as transparency, reasonableness, fairness, minimalism and proportionality, when collecting additional personal information to provide a safe environment for their staff.

Consider these 6 key data protection points when collecting personal health information:

1. Only collect what is absolutely necessary

To assist in your organisation’s decision to collect and use people’s health information to keep your staff safe, you should ask yourself a few questions:

  1. How will collecting personal information (which your organisation may not be inclined to do under normal circumstances) help keep your workplace safe?
  2. Do you really need the information?
  3. Will the testing measures, e.g. taking temperatures, actually help you provide a safe environment?
  4. Could you achieve the same result without collecting personal information?

If your organisation is able to show that its approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection red flags.

2. Keep it to a minimum

When collecting personal health information, including people’s symptoms or any related test results, organisations should collect only the information needed to implement health and safety measures appropriately and effectively. The POPI Act requires that personal information be collected for a specific, explicitly defined and lawful purpose – therefore the personal information requested must be limited to what is required for the organisation’s lawful operation, or as may be required by the law (in this case the lockdown regulations). Don’t collect personal data that you don’t need. Some information only needs to be stored momentarily, and there is no need to create a permanent record.

3. Be clear, open and honest with staff about their personal information

Some people may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy policy. 

4. Treat people fairly

If you’re making decisions about your employees based on the health information you collect, you should make sure your approach is fair. Think carefully about any disadvantage they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination which may be detrimental to the organisation.

5. Keep people’s information secure

Any personal information you hold must be kept securely and only held for as long as is necessary. Security safeguards are one of the POPI Act’s conditions for the lawful processing of personal data. It’s also good practice to have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or de-identified. A retention policy may form part of your organisation’s privacy policy or be a stand-alone document.

6. Employees must be able to exercise their information rights

As with any data collection process, organisations should be transparent and inform individuals about their rights in relation to their personal information, such as the right of access or rectification. Employees must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have. It should also be clear who they can approach in such an event, so it is vital that they know who the organisation’s Information Officer is.

If you have decided to implement COVID-19 symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect. Here are answers to a few common questions we’ve been asked surrounding the processing of personal information during COVID-19.

Ultimately a fair, transparent and lawful approach to handling people’s personal information will reaffirm the trust of colleagues and clients in this exceptional time, ensure that people’s information rights are not set aside, and also encourage innovation and compliance in the long term, specifically with the POPI Act’s grace period running its course.

For more information or assistance regarding how to comply with the POPI Act, contact PR De Wet or Hayley Levey. www.popipack.co.za | info@vdt.co.za | 012 452 1300

July 23, 2020