Response from South Africa’s health department says sensitive data have been deleted and blames “miscommunication”
South Africa’s Department of Health has hit back against allegations that it failed to account for the safe disposal of personal data collected as part of the country’s track-and-trace Covid-19 response.
On 20 February, the country’s Information Regulator announced that it had referred the department to the privacy law Enforcement Committee over failures to account for information collected as part of the management of the spread of coronavirus while the country was in a declared ‘state of disaster’.
The state of disaster lapsed on 5 April 2022. As the custodian of the database of personal data, the health department should have destroyed or de-identified the information within six weeks after that, the regulator says.
According to the regulator, the data included information such as the first name, surname, passport number, address and Covid test results of people who were known or suspected to have come into contact with Covid-infected individuals.
Compliance ‘not optional’
Since May 2022, the regulator has been demanding information about the fate of the data collected by the health department.
It has also been asking the department to confirm that it obtained a report from an expert third-party IT security firm validating the safeguards in place to avoid privacy breaches in the data collected during the crisis. This report was a recommendation to the health minister by retired judge Kate O’Regan, who had been tasked with monitoring the track-and-trace programme.
“Compliance is not optional…We have been lenient with the department on this point, but we would be failing the data subjects if we, as the regulator, do not take action to ensure that there is compliance and accountability,” said Information Regulator chair Pansy Tlakula.
The regulator says that after numerous unsuccessful requests to the department for information about what happened to the data, it has no choice but to escalate the matter. Reporting the department to the Enforcement Committee “can culminate in issuing an enforcement notice, which has the same effect as a court order”.
In a written response to Research Professional News, a department spokesperson said the data had been destroyed. The department had “noted and will respond to all issues raised by the Information Regulator with regards to collection and protection of personal information gathered during Covid-19 contact tracing”.
“The department will reach out to the regulator to clarify miscommunication with regards to the request,” the spokesperson said, adding: “The department recognises the role of the regulator to protect data subjects from harm and ensure that their personal information is protected by responsible parties.”