You may wonder how contact tracing affects you and your loved ones. You may feel unsafe with the government surveilling you. What about your privacy rights?

We offer some insights into contact tracing, surveillance, and data privacy within the context of COVID-19. By becoming comfortable with these trending topics, you may get some peace of mind.

What is contact tracing?

Contact tracing is a public-health strategy that governments use to combat disease. For instance, over the past three decades, the SA government has been using contact tracing to combat the spread of TB and HIV/AIDS. Similarly, most governments are using contact tracing as a strategy to reduce and control the spread of COVID-19.

How does this work? Well, traditionally, contact tracing is an analogue activity consisting of in-person interviews. A contact tracer interviews the infected person to assess how many people they have been in contact with. The tracer also identifies who these people are to warn them that they may have been exposed to the COVID-19. The aim is to reduce the chain of transmission.

With the advances in technology, governments can use digital technologies to innovate contact tracing. Examples include geolocation, GPS, Bluetooth, credit card transactions, and IP-address tracking.

The decision on which technology to use depends on a number of factors. For instance, factors can include the politics of a particular country, as well as the privacy rights enjoyed by individuals within that country. Consequently, the SA government has opted for a hybrid approach: in-person interviews and geolocation tracking. They are also exploring a third tactic – the use of immunity passports via contact-tracing apps. Recently, the South African government launched its contact-tracing app.

The next thought surrounds how the interviews and geolocation data will help fight COVID-19. The government will accumulate the information gathered from the interviews and the geolocation data to form a centralised database. The database will help researchers and policymakers to see how people move around their communities. When considered with other relevant data, such as the number of new infections or mortality rates, the combined data will guide policymakers as they decide whether to relax, sustain, or tighten lockdown restrictions. Using geolocation data, for instance, will help the government manage virus transmission and improve supply-chain efficiencies for food distribution.

What are the sources for the database?

Regulation 8 of the COVID-19 regulations articulates the sources of the database. They are:

  1. Contact tracers;
  2. Public and private labs;
  3. The National Institute for Communicable Diseases;
  4. Accommodation establishments e.g. community schemes, Airbnb; and
  5. Mobile operators e.g. Vodacom, MTN.

What information will the database contain?

The government has limited the scope of the database to any information that is necessary for contact tracing to be effective. The wording of regulation 8 of the COVID-19 regulations is open-ended, so they can include any relevant information in the database.

However, the government has listed what types of information it will record about infected persons or persons with whom infected persons have come into contact:

  • first name and surname;
  • identity or passport number;
  • residential address and other address where persons could be located;
  • test results and cellphone numbers of all the persons who have been tested;
  • photographs of persons, passports, and driver’s licences; and
  • geolocation data.

Is contact tracing a surveillance activity?

Contact tracing is a surveillance activity: from the interviews to the geolocation tracking. Should you be infected with COVID-19 or you are at risk of being infected, the government will trace and track your movement behaviour. However, within the context of COVID-19 regulations, surveillance doesn’t include the interception and monitoring of communications.

Fair enough, but what about your health and location data? What’s in place to prevent the government from overreaching?

Privacy safeguards

The government added privacy safeguards under regulation 8 of the COVID-19 regulations. The Director-General for Health (D-G) is the government representative responsible for implementing these safeguards. The safeguards are listed below.

  1. The information in the database is confidential.
  2. No person may obtain, use, or disclose information in the database. The only exception is where necessary for the purpose of addressing, preventing or combating the spread of COVID-19.
  3. The government has limited the period for geolocation tracking. The D-G may only use geolocation tracking from 5 March 2020 to the date when the national state of disaster lapses or terminates. Also, the D-G may only keep geolocation data for 6 weeks from the date she obtains it. After this period, she must destroy it.
  4. The regulations don’t empower anyone to intercept communications.
  5. The D-G appointed Judge Kate O’Regan to oversee the geolocation-tracking process. The D-G must file a report with Judge O’Regan every week. The report must list the names and details of all the people that the D-G has tracked. The Judge may recommend more privacy safeguards.
  6. The D-G must notify all tracked persons, within 6 weeks from when the national state of disaster lapses or terminates, that the D-G tracked their location or movements. The D-G must report to Judge O’Regan on the steps taken by the D-G to notify the tracked persons. The Judge may recommend more privacy safeguards.
  7. Within 6 weeks from when the national state of disaster lapses or terminates, the D-G must de-identify all the information on the database. The de-identified data can be used for research, study, and teaching purposes only. Any information that the D-G has not de-identified must be destroyed.

Are these safeguards enough?

So, we have privacy safeguards. They reveal that the government drafted the regulations with privacy in mind. But, are they enough to keep us meaningfully safe? We believe that the government can enhance the safeguards so that you can have some more peace of mind. Below, we suggest how the government can do so based on the thoughts of leading privacy practitioners.

  1. The D-G should notify a person as soon as they are tracked, but no later than 6 weeks after the national state of disaster ends.
  2. The D-G should notify a person immediately if someone has compromised the security of the database.
  3. Judge O’Regan should have the power to appoint data experts to help her review how the government has used the data and to advise her on whether the database needs further security measures.
  4. The D-G should give Judge O’Regan direct access to the database and the data from mobile operators so that the Judge can verify independently whether they match the D-G’s reports.
  5. The government should amend the regulations to include data-processing standards.

Next steps

  • Find out more about geolocation laws by attending our workshop.
  • Manage your geolocation and monitoring activities with a policy by asking us to draft one for you.
  • Check if you are monitoring communications lawfully by getting us to do a monitoring audit.
  • Prepare yourself for data breaches by asking us to draft an incident response policy for you.