Financial Mail and Business Day

Dealing with Covid-19 data

• Failed to tell regulator how it protected Covid-19 info

Tamar Kahn Health & Science Correspondent kahnt@businesslive.co.za

SA’s information regulator has referred the department of health to its enforcement committee over its failure to report on how it has dealt with the data it collected for contact tracing during the pandemic. Referral to the enforcement committee can culminate in an enforcement notice, which has the same effect as a court order.


The regulator is a statutory body responsible for ensuring organisations take appropriate steps to protect the privacy of data they hold on individuals in terms of the Protection of Personal Information Act (Popia).

The department should have destroyed or anonymised data it collected under the national state of disaster declared in response to Covid-19, but it failed to respond to the regulator’s repeated requests for information about whether it had done so, it said on Monday.

“The health department has not [reported to us] as far as our records show,” said the regulator’s chair, Pansy Tlakula. “We’ve been very patient. We never received a response from the director-general or someone he delegated to.”

In April 2020, the government issued regulations in terms of the Disaster Management Act authorising compilation of a contact-tracing database containing information on people known or suspected to have caught Covid-19 and all their contacts. This included names, identity or passport numbers, residential addresses and test results. The regulations said the department had to destroy or deidentify the database within six weeks of the termination of the state of disaster, which ended on April 5 2022.

The regulator said it had been asking the department since May 2022 to detail its compliance with these regulations, including a report from an independent IT security firm. “Despite acknowledging receipt of the regulator’s letters, the [department] failed to accede to the regulator’s requests or explicitly refused to comply. This is despite a formal information notice in terms of section 90 of Popia issued in November 2022. There was no response to the information notice … the regulator is left with no other option than to refer the matter to the enforcement committee,” it said.

Tlakula said the regulator was obliged to monitor the extent to which the department and the National Institute of Communicable Diseases (NICD) complied with the detailed guidance it issued on processing personal information in the management of Covid-19. “Compliance is not optional. We would be failing the data subjects if we [did] not take action to ensure there is compliance and accountability,” she said.

The department’s deputy director-general for National Health Insurance Nicholas Crisp, who played a big role in its response to Covid-19, said the information in question was destroyed and officials reported in full to justice Kate O’Regan in May 2022. Tlakula said O’Regan, appointed by justice & correctional services minister Ronald Lamola to safeguard the privacy of personal information gathered during the pandemic, is not part of the information regulator so the department was required to report to it separately. The NICD complied with its reporting requests, she said.

FRONT PAGE

2023-02-21T08:00:00.0000000Z

https://bd.pressreader.com/article/281573769878516

Arena Holdings PTY