Request a call back

How the National Disaster Legislation affects the Protection of Personal Information Act (POPI)

/, Medical Law, Medical Litigation/How the National Disaster Legislation affects the Protection of Personal Information Act (POPI)

How the National Disaster Legislation affects the Protection of Personal Information Act (POPI)

We are fortunate there are many non-profit and communal organisations around South Africa who would like to assist national Government, and also make a difference within their own communities, by investigating and collating information relating to COVID-19 infections.

The purpose of this is to monitor and prevent the spread of the COVID-19 virus in order to protect their immediate community and also the larger broad-based community within which these organisations function. The question is: to what extent can private bodies collect this information? And further, and perhaps more importantly, once this information is collected, how are these organisations able to effectively analyse the data and act on the data which they have collected?

Under the umbrella of the National Disaster Legislation little known directives were promulgated as far back as 3 March 2020 relaxing some of the provisions surrounding the protection of information as enshrined in the Protection of Personal Information Act (POPI). 

The purpose of the note issued on 3 March 2020 by the information regulator is to encourage proactive compliance by the responsible parties when processing personal information of data subjects.

These are data subjects who have been tested and who are infected with COVID-19 or who have been in contact with anyone who is. The current state of disaster legislation and directives override the Protection of Personal Information Act when related to consent.

In essence, the purpose is to manage or prevent the spread of COVID-19. It is recognised that in order to effectively manage the spread of COVID-19 constitutional rights will be limited. This does not mean that the constitutional rights are dispensed with but only that certain limitations will be uplifted in these current circumstances.


The directives define a data subject as a person, and the personal information to which the directive relates includes but is not limited to:

  1. Information relating to race, gender, sex, religion, conscious belief, culture, etc.;
  2. Information relating to the education, medical, financial criminal  or employment history;
  3. Any identifying or similar email address for the person;
  4. Biometric information;
  5. Personal opinions of that person;
  6. Correspondence sent and/ or received; and
  7. The name of that person if it appears with other personal information

For our purposes, the important inclusion in the definition of personal information relates to medical history. The further definitions that would be applicable is that of a private body which includes a former or existing juristic person.

Processing of information is defined as:

  1. Collecting, recording, organising and collating;
  2. Disseminating by means of transmission or distribution or making available; and
  3. Merging, linking as well as restriction or degradation of this personal information.

A responsible party includes voluntary organisations. Even though the directive allows for the collection of this information, there is still an obligation on a responsible party as to how that information is to be processed.

The directive stipulates the following :

  1. Accountability – the information must be processed in a responsible manner during the management of COVID-19;
  2. The processing must be lawful meaning to detect, contain and prevent the spread of COVID-19;
  3. It is not necessary to obtain consent to process the information provided it complies with the obligations proposed by law on the responsible parties (see above); and
  4. It is to further a legitimate interest of the person from whom the data is collected, in other words, that person’s health or the health of those parties immediately around him;
  5. It is necessary for the performance of a public duty by a public body i.e. in this instance notifying others of likely COVID-19 infection and reducing the spread of COVID- 19; and
  6. It is necessary to pursue the legitimate interests of the responsible party to whom the information is supplied (see above)

In addition, in order for the information to be correctly processed, it must be for a specific purpose namely contain, protect and prevent the spread of COVID- 19

How long can the documents be retained for?

The documents cannot be retained for longer than it is necessary to achieve the purpose of detecting, containing and preventing the spread of COVID-19.

Once the need to retain the information passes these records will be destroyed and the information de-identified as soon as reasonably practical to the extent that it prevents reconstruction in any tangible form.

Can the information be used for other purposes?

The responsible party can process personal information even if not compatible with the original purpose stipulated above if it is necessary to prevent a serious and imminent threat to public safety or health.

What should the quality of the information be like?

The information should be complete and accurate and not be misleading.

How should my personal information be stored?

A responsible party needs to have the appropriate or reasonable technical or organisational structures to prevent loss or damage to this personal information. This information should only be disclosed if required to by law or in the course of proper performance of the responsible bodies duties.

In addition, the responsible party must enter into a written contract with the operator to ensure that it has the appropriate reasonable technical measures to secure the personal information. If there is any unauthorized access to this information it must be immediately reported. The reporting should take place with the information regulator.



National Government has called on public organisations to assist with this endeavour. It is compulsory for an organisation to hand over information which it has on-demand by our National Government or its lawfully deputised organisations. Employers can ask their employees to be tested and what their status is. A person who has been tested must submit themselves for treatment.

The debate about constitutional rights, freedom of democracy, freedom movement and right to dignity looms large. These measures may seem draconian by some but others would view these as measures fitting the current pandemic.

A retired Judge of the Constitutional Court Judge Kate O’ Regan has been appointed by National Government to oversee the implementation of these directives and to assess whether any organisation or government body has overstepped the mark and further that the collection of the information as set out above is for legitimate purposes as envisaged by the directives.

2020-04-16T23:16:15+02:00April 16th, 2020|eHealth, Medical Law, Medical Litigation|