Covid-19 - Dos and Don’ts for Contact Tracing by Employers

Written by: Teresa Settas Save to Instapaper

FROM 1 JUNE 2020, the whole of South Africa has moved to disaster alert level 3. As a result, most businesses that were prohibited from operating under alert levels 5 and 4 can re-open.

In developing and implementing their return to work strategies, employers must comply with certain legal obligations towards their employees. This includes undertaking contact tracing and submitting to government the data of (1) employees who have tested positive for Covid-19, and (2) any other persons whom they may have exposed to the virus. Sector-specific health protocols also exist and must be complied with, when applicable.

In complying, employers must be careful not to infringe unlawfully on their employees’ constitutionally-entrenched right to privacy and should ensure that their procedures comply with relevant data protection and surveillance laws.

BELOW IS A GUIDE THAT ILLUSTRATES THE ISSUES WHICH EMPLOYERS OUGHT TO BEAR IN MIND when undertaking any contact tracing, particularly relating to collecting and processing personal data.

DO	DON'T
ENSURE MINIMAL COLLECTIONOnly collect data that is necessary to track and trace Covid-19 cases do not collect unnecessary data. KEEP EMPLOYEES INFORMEDLet employees know what data may be collected, why collection is necessary, how it is being stored and if it could be shared with third parties. STORE INFORMATION AS SECURELY AS POSSIBLEImplement the highest security protections and ensure that these are kept up to date. ONLY KEEP DATA FOR AS LONG AS NECESSARYPermanently delete data when it is no longer required for contact tracing activities. This is particularly important because the data collected will be of a sensitive nature. RESTRICT ACCESS TO DATAEnsure that the data collected is only accessed by authorised individuals or those individuals that need to have access to the data. DE-IDENTIFY DATAWhere possible, de-identify data in a way that prevents its reconstruction. CONDUCT FREQUENT REVIEWS OF DATA PROCESSING ACTIVITIESAppoint an individual responsible for monitoring data collection activities and frequently reviewing the internal processes and procedures applicable to contact tracing.	COLLECT UNNECESSARY DATADo not collect or process data that is not necessary for Covid-19 tracing. UNFAIRLY DISCRIMINATEDo not use data that is collected to unfairly discriminate against an employee. NEGLECT TO REVIEW PROCESSESDo not forget to frequently review data processing activities and develop mechanisms that provide for oversight of processes. REPURPOSE DATADo not use data that is collected for tracing activities for any other purpose, even after the national state of disaster has ended.e. MONETISE THE DATADo not sell or otherwise give the employee data to any marketers. ENGAGE IN UNLAWFUL SURVEILLANCEOnly conduct surveillance that is strictly necessary and in accordance with applicable law. SHARE DATA WITH THIRD PARTIES UNNECESSARILYDo not share any employee data with authorities that is not strictly required by law to be shared.

DON'T

ENSURE MINIMAL COLLECTIONOnly collect data that is necessary to track and trace Covid-19 cases do not collect unnecessary data.

KEEP EMPLOYEES INFORMEDLet employees know what data may be collected, why collection is necessary, how it is being stored and if it could be shared with third parties.

STORE INFORMATION AS SECURELY AS POSSIBLEImplement the highest security protections and ensure that these are kept up to date.

ONLY KEEP DATA FOR AS LONG AS NECESSARYPermanently delete data when it is no longer required for contact tracing activities. This is particularly important because the data collected will be of a sensitive nature.

RESTRICT ACCESS TO DATAEnsure that the data collected is only accessed by authorised individuals or those individuals that need to have access to the data.

DE-IDENTIFY DATAWhere possible, de-identify data in a way that prevents its reconstruction.

CONDUCT FREQUENT REVIEWS OF DATA PROCESSING ACTIVITIESAppoint an individual responsible for monitoring data collection activities and frequently reviewing the internal processes and procedures applicable to contact tracing.

COLLECT UNNECESSARY DATADo not collect or process data that is not necessary for Covid-19 tracing.

UNFAIRLY DISCRIMINATEDo not use data that is collected to unfairly discriminate against an employee.

NEGLECT TO REVIEW PROCESSESDo not forget to frequently review data processing activities and develop mechanisms that provide for oversight of processes.

REPURPOSE DATADo not use data that is collected for tracing activities for any other purpose, even after the national state of disaster has ended.e.

MONETISE THE DATADo not sell or otherwise give the employee data to any marketers.

ENGAGE IN UNLAWFUL SURVEILLANCEOnly conduct surveillance that is strictly necessary and in accordance with applicable law.

SHARE DATA WITH THIRD PARTIES UNNECESSARILYDo not share any employee data with authorities that is not strictly required by law to be shared.

There are also particular factors to note for implementing digital contact tracing (i.e. using contact tracing apps).

We have set out some of these factors in the guide below WHEN USING TRACING APPS

POTENTIAL ABUSE AND BREACHESApps should indicate who is responsible for managing the data and provide expedited avenues for users to enforce their rights in the event that their rights to data protection or privacy are violated.
SECURITYTry to use an App with stringent security measures aimed at preventing data leaks or third party access to data.
TARGETED ADVERTISEMENTSNo targeted advertisements should be allowed on the App.
COMPLIANCEThe App must demonstrate compliance with applicable data protection and privacy laws.
OPTING-INTry to implement an App that employs an opt-in mechanism and that allows users to withdraw consent to data collection that is not necessary for public health purposes.
APPS MUST HAVE USER TERMSThe App must walk users through what data is collected, how it will be stored, with whom it will be shared and also request consent of users.
RE-PURPOSINGThe data collected via the App should not be re-purposed.
APPS MUST HAVE AN END POINTThe App should be removed from phones and the data deleted as soon as it is no longer necessary for Covid-19 contact tracing.

WE RECOMMEND BUSINESSES ENSURE THEY ARE AWARE OF THE LEGAL ISSUES...

that touch on contact tracing and the further disclosure of contact tracing information and implement systems and procedures to address these legal issues. This will enable businesses to carry out their obligations on contact tracing without fear of their actions being called into question.