SA’s information regulator has referred the national Department of Health to its enforcement committee over its failure to report on how it has dealt with the data it collected for contact tracing during the pandemic.
The regulator is a statutory body responsible for ensuring organisations take appropriate steps to protect the privacy of data they hold on individuals, under the Protection of Personal Information Act (Popia), reports Business Day.
The department should have destroyed or anonymised data it collected under the national State of Disaster during the pandemic, but it failed to respond to the regulator’s repeated requests for information about whether it had done so, it said on Monday, adding that it had been very patient thus far.
“It has not (reported to us) as far as our records show,” said the regulator’s chair, Pansy Tlakula. “We never received a response from the director-general or anyone he delegated to.”
In April 2020, the government issued regulations under the Disaster Management Act authorising compilation of a contact-tracing database containing information on people known or suspected to have caught Covid-19, as well as all of their contacts. This included names, identity or passport numbers, residential addresses and test results.
The regulations said the department had to destroy or de-identify the database within six weeks of the termination of the State of Disaster, which ended on 5 April 2022.
Since May 2022, the regulator has been asking the department to detail its compliance with these regulations, including a report from an independent IT security firm.
“Despite acknowledging receipt of the letters, the (department) failed to accede to requests or explicitly refused to comply. This is despite a formal information notice under section 90 of Popia issued in November 2022. The regulator is left with no other option than to refer the matter to the enforcement committee,” it said.
Tlakula said compliance “is not optional”.
“We would be failing the data subjects if we (did) not take action to ensure there is compliance and accountability,” she added.
The department’s deputy director-general for NHI, Dr Nicholas Crisp, said the information was destroyed and officials reported in full to Judge Kate O’Regan in May 2022.
However, said Tlakula, O’Regan, appointed by Justice & Correctional Services Minister Ronald Lamola to safeguard the privacy of personal information gathered during the pandemic, is not part of the Information Regulator so the department was required to report to it separately. The NICD had complied with its reporting requests, she said.
Business Day PressReader article – Dealing with Covid-19 data (Open access)
See more from MedicalBrief archives:
Court orders release of State of Disaster decisions
Retired ConCourt judge to oversee state tracking of COVID-19 patients
SA’s strategy to track the virus using cellphones