Principles should guide intrusive use of location data, even in a pandemic
What the data collection rules would be if the Protection of Personal Information Act were fully in force
We awaited the full enactment of the Protection of Personal Information Act (Popia) scheduled for April 1, but it didn’t happen. With everyone getting to grips with the lockdown and uncertainty over the true effect of Covid-19 in SA, it is understandable that the government is occupied with considering all possible options to “flatten the curve”.
However, a huge amount of personal information is undoubtedly informing this process. As part of the attempt to combat the Covid-19 pandemic, on March 25 communications, telecommunications & postal services minister Stella Ndabeni-Abrahams announced that cellphone data would be used to help curb the spread of the virus.
The minister announced that cellular companies had agreed to give the government the location data of their subscribers to help fight Covid-19. It seems this data will be used to determine the approximate number of people an infected individual has been in contact with, though the minister did not provide detail on how this will be implemented.
This occurred in the context of various governments across the world revealing that they are planning to make use of location data to monitor the spread of Covid-19. Some have indicated that they will work with mobile network providers and make use of anonymous (in Popia terms “de-identified”) location data to create movement maps. In other instances governments are ensuring that Covid-19-positive individuals reveal both their movements as well as who they make contact with, through a cellphone application.
It is important to ask why these intrusive actions are required. It is clear from statements by our own government that it believes it is imperative to understand, at minimum, how the virus is spreading and identify risks to particularly vulnerable groups of people and emerging hot spots, and direct resources to those areas that are in greatest need.
Now imagine a world where personal information is protected in terms of data protection legislation, a world where Popia has been fully enacted. What would the legal position have been in SA under these circumstances?
Popia provides for the de-identification of personal information. In fact, the legislation clearly states that the provisions of the act do not apply to personal information that has been de-identified. More importantly, the legislation does not apply to the processing of de-identified personal information by or on behalf of a public body, such as the government, if this is carried out for a purpose that involves national security or public safety.
Popia provides that personal information held by mobile network operators, for instance location data, can be further processed if it is necessary to prevent or mitigate an imminent threat to public health or safety.
But what could be the concerns in relation to the government and mobile network operators processing location data for the purposes of Covid-19? There are certain fundamental principles that should be adhered to even if the processing of personal information is taking place in the middle of a pandemic.
Without a single database to gather and analyse collected data, decisionmakers will not be able to move as quickly as the required response demands; and information gathered could be duplicated and outdated as real-time updates will not take place seamlessly, leading to inaccurate information and situational analysis.
But who will be in control of the information and records, now and in future? Also, once the Covid-19 crisis has dissipated, will the personal information be destroyed, aggregated or de-identified?
If followed, the Popia principles would mean that personal information collected will only be used for Covid-19 and not for any other purpose. But still the necessary safeguards should be in place to provide for strict controls that meet the requirements of data protection legislation and ensure the personal data of individuals cannot be re-identified.
• Burger-Smidt is director and head of Werksmans Attorneys’ data privacy practice group.