23 June 2020

Covid-19: Dos and Don’ts for Contact Tracing by Employers

Submitted by: Teresa Settas
Covid-19: Dos and Don’ts for Contact Tracing by Employers

FROM 1 JUNE 2020, the whole of South Africa has moved to disaster alert level 3. As a result, most businesses that were prohibited from operating under alert levels 5 and 4 can re-open.

In developing and implementing their return to work strategies, employers must comply with certain legal obligations towards their employees. This includes undertaking contact tracing and submitting to government the data of (1) employees who have tested positive for Covid-19, and (2) any other persons whom they may have exposed to the virus. Sector-specific health protocols also exist and must be complied with, when applicable.

In complying, employers must be careful not to infringe unlawfully on their employees’ constitutionally-entrenched right to privacy and should ensure that their procedures comply with relevant data protection and surveillance laws.

BELOW IS A GUIDE THAT ILLUSTRATES THE ISSUES WHICH EMPLOYERS OUGHT TO BEAR IN MIND when undertaking any contact tracing, particularly relating to collecting and processing personal data.

DO

DON'T

ENSURE MINIMAL COLLECTION
Only collect data that is necessary to track and trace Covid-19 cases do not collect unnecessary data.

KEEP EMPLOYEES INFORMED
Let employees know what data may be collected, why collection is necessary, how it is being stored and if it could be shared with third parties.

STORE INFORMATION AS SECURELY AS POSSIBLE
Implement the highest security protections and ensure that these are kept up to date.

ONLY KEEP DATA FOR AS LONG AS NECESSARY
Permanently delete data when it is no longer required for contact tracing activities. This is particularly important because the data collected will be of a sensitive nature.

RESTRICT ACCESS TO DATA
Ensure that the data collected is only accessed by authorised individuals or those individuals that need to have access to the data.

DE-IDENTIFY DATA
Where possible, de-identify data in a way that prevents its reconstruction.

CONDUCT FREQUENT REVIEWS OF DATA PROCESSING ACTIVITIES
Appoint an individual responsible for monitoring data collection activities and frequently reviewing the internal processes and procedures applicable to contact tracing.

COLLECT UNNECESSARY DATA
Do not collect or process data that is not necessary for Covid-19 tracing.

UNFAIRLY DISCRIMINATE
Do not use data that is collected to unfairly discriminate against an employee.

NEGLECT TO REVIEW PROCESSES
Do not forget to frequently review data processing activities and develop mechanisms that provide for oversight of processes.

REPURPOSE DATA
Do not use data that is collected for tracing activities for any other purpose, even after the national state of disaster has ended.e.

MONETISE THE DATA
Do not sell or otherwise give the employee data to any marketers.

ENGAGE IN UNLAWFUL SURVEILLANCE
Only conduct surveillance that is strictly necessary and in accordance with applicable law.

SHARE DATA WITH THIRD PARTIES UNNECESSARILY
Do not share any employee data with authorities that is not strictly required by law to be shared.

 

There are also particular factors to note for implementing digital contact tracing (i.e. using contact tracing apps).

We have set out some of these factors in the guide below WHEN USING TRACING APPS

  • POTENTIAL ABUSE AND BREACHES
    Apps should indicate who is responsible for managing the data and provide expedited avenues for users to enforce their rights in the event that their rights to data protection or privacy are violated.

  • SECURITY
    Try to use an App with stringent security measures aimed at preventing data leaks or third party access to data.

  • TARGETED ADVERTISEMENTS
    No targeted advertisements should be allowed on the App.

  • COMPLIANCE
    The App must demonstrate compliance with applicable data protection and privacy laws.

  • OPTING-IN
    Try to implement an App that employs an opt-in mechanism and that allows users to withdraw consent to data collection that is not necessary for public health purposes.

  • APPS MUST HAVE USER TERMS
    The App must walk users through what data is collected, how it will be stored, with whom it will be shared and also request consent of users.

  • RE-PURPOSING
    The data collected via the App should not be re-purposed.

  • APPS MUST HAVE AN END POINT
    The App should be removed from phones and the data deleted as soon as it is no longer necessary for Covid-19 contact tracing.

WE RECOMMEND BUSINESSES ENSURE THEY ARE AWARE OF THE LEGAL ISSUES...

that touch on contact tracing and the further disclosure of contact tracing information and implement systems and procedures to address these legal issues. This will enable businesses to carry out their obligations on contact tracing without fear of their actions being called into question.

FOR FURTHER INFORMATION PLEASE CONTACT

Nozipho Mngomezulu
E-MAIL: This email address is being protected from spambots. You need JavaScript enabled to view it.
CALL: 011 530 5855

Peter Grealy
E-MAIL: This email address is being protected from spambots. You need JavaScript enabled to view it.
CALL: 011 530 5218