CompliNEWS | Financial Service Intelligence Watch
Information Regulator refers National Department of Health to the Enforcement Committee regarding personal information collected during Covid-19
The Information Regulator has decided to refer the National Department of Health (NDoH) to the Enforcement Committee over the issue of certain personal information that the NDoH had collected as part of the management of the spread of the coronavirus during the Covid-19 pandemic. This decision follows numerous unsuccessful requests for information to the NDoH made by the Regulator. Referral to the Enforcement Committee can culminate in issuing an enforcement notice which has the same effect as a court order.
The Regulator had sought to obtain confirmation and guarantees from the NDoH that personal information that had been collected during Covid-19 had been de-identified or destroyed after the lifting of the national state of disaster.
Since May 2022, the Regulator has been demanding from the NDoH a report indicating how the department is complying with the lawful processing of personal information collected during the Covid-19 response. Specifically, the Regulator wanted the NDoH to advise whether it (NDoH) had destroyed and/or de-identified the information that had been transferred to it during the national state of disaster in accordance with the procedure set out in the Disaster Management Regulations and provide the Regulator with evidence of such action. Additionally, the Regulator wanted the NDoH to confirm that it had obtained a report from an expert third-party IT security firm as to the reliability and suitability of the IT security safeguards in place in relation to personal, location and health data held by or on behalf of the government in relation to Covid-19. The Regulator wanted access to this report. This report was recommended to the Minister of Health by the retired Justice Kate O’regan, who had served as the designated judge to monitor the implementation of the track and trace programme to protect people’s privacy.
Despite acknowledging receipt of the Regulator’s letters, the NDoH failed to accede to the Regulator’s requests or explicitly refused to comply. This is despite a formal Information Notice in terms of section 90 of POPIA that the Regulator issued in November 2022.
Deidentifying personal information is an important aspect of protecting individuals’ privacy under the Protection of Personal Information Act (POPIA) in South Africa, notes Compli-Serve. Deidentification involves the removal or alteration of identifying information from personal information, such that the information can no longer be linked to a specific individual.
Under POPIA, personal information is defined as any information that can be used to identify an individual, either on its own or in combination with other information. Examples of personal information include names, addresses, phone numbers, email addresses, identification numbers, and biometric data.
To deidentify personal information, the following steps can be taken:
- Remove identifying information: The first step is to remove any identifying information from the personal information. This includes names, addresses, identification numbers, and any other information that can be used to link the information to a specific individual.
- Anonymize the information: The next step is to anonymize the information so that it cannot be linked to an individual even if it is combined with other information. This can be done by removing any details that could be used to identify an individual, such as age, gender, and occupation.
- Use aggregation: Another way to deidentify personal information is by aggregating it with other information. Aggregation involves combining personal information from different individuals to create a larger data set. This makes it more difficult to identify individual data subjects.
- Implement technical measures: Technical measures such as data masking, data encryption, and data anonymization can also be used to deidentify personal information.
It’s important to note that deidentification must be done in a way that ensures the personal information can no longer be linked to a specific individual. Otherwise, the information is still considered personal information and subject to POPIA’s protection requirements.