On 12 May 2020 the Portfolio Committee on Justice and Correctional Services decried the fact that the Protection of Personal Information Act has not been implemented and stated that this leaves South Africans’ personal information at risk of being intercepted and exposed, writes Ahmore Burger-Smidt.
Just a year ago there would have been a massive outcry if anyone contemplated for governments to track individuals via mobile phones - but the coronavirus pandemic has resulted in re-aligning the debate.
Techniques that were once seen as intrusive, like collecting location and health data, are now part of government’s plan to contain the virus.
And with it, privacy concerns have risen in South Africa as we lack robust data protection legislation.
The tracking of individuals through mobile phone data or apps, means that the associate metadata potentially tells a very revealing story of what individuals do, where they go and with whom.
Regulations issued in terms of the Disaster Management Act as published on 30 April 2020 (the Regulations), provide for "contact tracing" and a "Covid-19 Tracing Database" established by the National Department of Health which will enable it to trace people who are known or reasonably suspected to have come into contact with any person known or reasonably suspected to have contracted Covid-19.
But more importantly, the Director-General: Health may, in writing and without prior notice to the person concerned, direct an electronic communications services provider to hand over to the Health Department, for inclusion in the Covid-19 Tracing Database, information regarding:
- The location or movements of any person known or reasonably suspected to have contracted Covid-19; and
- The location or movements of any person known or reasonably suspected to have come into contact, during the period 5 March 2020 to the date on which the national state of disaster has lapsed or has been terminated.
As citizens, every individual should have the assurance that data collated will not be shared across various governments without a clear rationale or requirement underlining the sharing, and measures to secure the information.
Through mobile tracking, we are left wondering whether a backdoor of vulnerability exists, enabling data leakage or misuse, or other use that is contrary to the interests of individuals being traced.
In Germany a model for a contact tracing app that protects personal data has been developed by a team at the Technical University of Munich.
The researchers have created an encryption process that enables people who have come into close contact with a Covid-19-positive individual to be warned without their phones recognising the infected person’s temporary contact number.
Apple and Google are focusing on the development of an "Exposure Notification” tool.
The tool is to be launched mid-May 2020 and adds technology to the iOS and Android smartphone operating systems that alerts users, notably anonymously, if they have come into contact with a person with Covid-19.
In terms of the encryption specification, daily "tracing keys" will be randomly generated by the tool rather than mathematically derived from a user’s private key.
Crucially, the daily "tracing key" is shared with the central database if users decide to report their positive diagnosis.
But in South Africa, no consent is sought from an individual nor is collected data anonymous.
Also, the decision to partake and voluntarily disclose our personal information, let alone the extent thereof, is not that of a citizen but enforced by government.
As citizens we do not know what mechanism to delete data are in place or even considered. We do not know how personal information is being secured and how and if employees and vendors are being supervised.
We do not even know if and where we can inquire or complain about our personal data being incorporated and held in terms of the Covid-19 Tracing Database.
It is important from a data protection perspective that the Department of Health’s responsibilities should include managing the shared risk that other departments, to whom the Department of Health entrusts the Covid-19 Tracing Database information, to safely and securely manage that data.
The required levels of digital trust across a broad and diverse community, that the Covid-19 Tracing Database will only be used in the control and management of Covid-19, cannot be built only upon statements of good intent and regulations not addressing security measures.
Reassurance of good intent and legislated constraints are necessary, but insufficient steps to demonstrate safe and secure management of Covid-19 Tracing Database, cannot be a silent feature.
On 12 May 2020 the Portfolio Committee on Justice and Correctional Services decried the fact that the Protection of Personal Information Act has not been implemented and stated that this leaves South Africans’ personal information at risk of being intercepted and exposed.
- Ahmore Burger-Smidt, Director and Head of the Data Privacy practice at Werksmans Attorneys