What to consider when processing personal health data during COVID-19

As lockdown regulations ease and more businesses begin to open their doors, here are some key points to consider regarding the collection and use of personal data as required by government for health tracing purposes. This is particularly important given that the Protection of Personal Information Act (POPI Act) commenced on 1 July 2020.

There is a responsibility that comes with the processing of personal information during a pandemic, and although data protection does not stop organisations asking their employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, organisations must still ensure that the principles of the law such as transparency, reasonableness, fairness, minimalism and proportionality are applied when collecting additional personal information to provide a safe environment for their staff.

Consider these 6 key data protection points when collecting personal health information:

1. Only collect what is absolutely necessary

To assist in your organisation’s decision to collect and use people’s health information to keep your staff safe, you should ask yourself a few questions:

  1. How will collecting personal information (which your organisation may not be inclined to do under normal circumstances) help keep your workplace safe?
  2. Do you really need the information?
  3. Will the testing measures, e.g. taking temperatures, actually help you provide a safe environment?
  4. Could you achieve the same result without collecting personal information?

If your organisation is able to show that its approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection red flags.

2. Keep it to a minimum

When collecting personal health information, including people’s symptoms or any related test results, organisations should collect only the information needed to implement health and safety measures appropriately and effectively. The POPI Act requires that personal information be collected for a specific, explicitly defined and lawful purpose – therefore the personal information requested must be limited to what is required for the organisation’s lawful operation, or as may be required by the law (in this case the lockdown regulations). Don’t collect personal data that you don’t need. Some information only needs to be stored momentarily, and there is no need to create a permanent record.

3. Be clear, open and honest with staff about their personal information

Some people may be affected by some of the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it. You can do this through a clear, accessible privacy policy. 

4. Treat people fairly

If you’re making decisions about your employees based on the health information you collect, you should make sure your approach is fair. Think carefully about any disadvantage they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination which may be detrimental to the organisation.

5. Keep people’s information secure

Any personal information you hold must be kept securely and only held for as long as is necessary. Security safeguards are one of the POPI Act’s conditions for the lawful processing of personal data. It’s also good practise to have a retention policy in place that sets out when and how personal information needs to be reviewed, deleted or de-identified. A retention policy may form part of your organisation’s privacy policy or be a stand-alone document.

6. Employees must be able to exercise their information rights

As with any data collection process, organisations should be transparent and inform individuals about their rights in relation to their personal information, such as the right of access or rectification. Employees must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have. It should also be clear who they can approach in such event and, therefore, knowing who the organisation’s Information Officer is, is vital.


If you have decided to implement COVID-19 symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect. Here are answers to a few common questions we’ve been asked surrounding the processing of personal information during COVID-19.

Ultimately a fair, transparent and lawful approach to handling people’s personal information will reaffirm the trust of colleagues and clients in this exceptional time, ensure that people’s information rights are not set aside, and also encourage innovation and compliance in the long term, specifically with the POPI Act’s grace period running its course.

For more information or assistance regarding how to comply with the POPI Act, contact PR De Wet or Hayley Levey. www.popipack.co.za | info@vdt.co.za |012 452 1300

July 23, 2020
International: Privacy by Design – prioritizing security in business

International: Privacy by Design – prioritizing security in business

In today’s current digital space, safeguarding privacy and ensuring that your business is compliant with the various cyber laws and data privacy regulations is crucial to ensure that business operations are well protected. In this article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc., seek to address some of the most important issues companies face and need to consider on a global scale when addressing privacy concerns.

South Africa: POPIA and prior authorisation to process personal information

South Africa: POPIA and prior authorisation to process personal information

The Protection of Personal Information Act, 2013 (Act 4 of 2013) (‘POPIA’) requires a responsible party to apply for and obtain authorisation prior to processing certain identified categories of personal information. With POPIA compliance deadlines fast approaching PR de Wet and Hayley Levey, from VDT Attorneys Inc, analyse the POPIA prior authorisation regime.

Sign up to our newsletter

Pin It on Pinterest