Ensuring data privacy when reporting on COVID-19 cases
By Dhruv Sodha and Jeni John
With a global pandemic comes a lot of uncertainty. What will the impact be on our economy? What about our healthcare systems? With this uncertainty, it is reasonable for the South African government to focus its efforts on ‘flattening the curve’. Accurate reporting of cases in organisations is critical in managing potential hot spots.
In April, the Minister of Employment and Labour issued a directive to ensure this by requiring employers to disclose positive cases to both the Health and Labour departments. This is intended to enable investigation and risk assessments, and to ensure the necessary safety and risk controls are in place.
Employers are required to report positive COVID-19 cases to both the Health and Labour departments
While the need for accurate reporting of cases is clear, this comes at a time in South Africa when the processing and treatment of personal information is increasingly regulated. The Protection of Personal Information Act (POPIA) came into effect in July this year. The resulting challenge for employers lies in balancing the rigorous COVID-19 reporting requirements with the need to treat employee information in line with POPIA. An employee’s constitutional right to privacy can’t be unlawfully overstepped. Offsetting that against government’s strict reporting requirements while building trust with employees is a tricky balancing act.
Balancing POPI with COVID-19 reporting requirements is delicate
We’ve put together three practical steps to help you manage this balancing act.
1. Collect only necessary data
Collect and process only the personal employee information required for tracking and tracing COVID-19 cases, including:
- Employee contact details
- Symptoms experienced
- Recent travel or contact with travellers
Data collection must be purposeful to avoid the misuse of information collected.
2. Be transparent with your employees
Transparency is key in building the trust needed between employees and organisations. Employers can build trust by:
- Creating awareness and understanding around the data collection and COVID-19 reporting processes
- Highlighting in privacy policies the third parties to whom data is disclosed, to ensure that employee consent is granted
- Communicating anonymised high-level company COVID-19 statistics to help employees feel informed and empowered
3. Implement necessary information security measures
There is no doubt that the highest security protections and controls are needed when dealing with sensitive employee health data. It is paramount that technical measures and response plans be in place. Employers should have a dedicated data officer/team managing and reviewing the controls required to avoid data breaches or misuse. Some of these controls include:
- Ensure the COVID-19 compliance team is adequately trained on the organisation’s data privacy policies and guidelines
- Delete or anonymise data once it no longer serves a specific purpose
- Use digital tools (e.g. Microsoft PowerApps) that can be linked to employee master data records and existing security controls, such as authentication, to avoid data breaches
COVID-19 is expected to be around for some time. That means employers have an opportunity to ensure they are fully equipped to strike a fair and transparent balance and have the appropriate measures in place.
Data collection must be fair and transparent
The collection and processing of employees’ personal information must be purposeful in scope and the appropriate security measures must be applied to protect it.
Get in Touch
Is your organisation’s data privacy strategy adequately balancing the legislative compliance requirements with the ethical obligation it has to its employees? BSG can work with you to tailor the best solutions for your needs and put in place an effective COVID-19 Response Programme. To find out more about how BSG can partner with you to enable your response programme, get in touch.