As lockdown regulations ease and more businesses begin to open their doors, here are some key points to consider regarding the collection and use of personal data as required by government for health tracing purposes. This is particularly important given that the Protection of Personal Information Act (POPI Act) commenced on 1 July 2020.
There is a responsibility that comes with the processing of personal information during a pandemic, and although data protection does not stop organisations asking their employees whether they are experiencing any COVID-19 symptoms or introducing appropriate testing, organisations must still ensure that the principles of the law such as transparency, reasonableness, fairness, minimalism and proportionality are applied when collecting additional personal information to provide a safe environment for their staff.
Consider these 6 key data protection points when collecting personal health information:
1. Only collect what is absolutely necessary
To assist in your organisation’s decision to collect and use people’s health information to keep your staff safe, you should ask yourself a few questions:
- How will collecting personal information (which your organisation may not be inclined to do under normal circumstances) help keep your workplace safe?
- Do you really need the information?
- Will the testing measures, e.g. taking temperatures, actually help you provide a safe environment?
- Could you achieve the same result without collecting personal information?
If your organisation is able to show that its approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection red flags.
2. Keep it to a minimum
When collecting personal health information, including people’s symptoms or any related test results, organisations should collect only the information needed to implement health and safety measures appropriately and effectively. The POPI Act requires that personal information be collected for a specific, explicitly defined and lawful purpose – therefore the personal information requested must be limited to what is required for the organisation’s lawful operation, or as may be required by the law (in this case the lockdown regulations). Don’t collect personal data that you don’t need. Some information only needs to be stored momentarily, and there is no need to create a permanent record.
3. Be clear, open and honest with staff about their personal information
4. Treat people fairly
If you’re making decisions about your employees based on the health information you collect, you should make sure your approach is fair. Think carefully about any disadvantage they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination which may be detrimental to the organisation.
5. Keep people’s information secure
6. Employees must be able to exercise their information rights
As with any data collection process, organisations should be transparent and inform individuals about their rights in relation to their personal information, such as the right of access or rectification. Employees must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have. It should also be clear who they can approach in such event and, therefore, knowing who the organisation’s Information Officer is, is vital.
If you have decided to implement COVID-19 symptom checking or testing, there are additional requirements you need to follow. These include identifying a lawful basis for using the information you collect. Here are answers to a few common questions we’ve been asked surrounding the processing of personal information during COVID-19.
Ultimately a fair, transparent and lawful approach to handling people’s personal information will reaffirm the trust of colleagues and clients in this exceptional time, ensure that people’s information rights are not set aside, and also encourage innovation and compliance in the long term, specifically with the POPI Act’s grace period running its course.