Covid-19: Do’s and don’ts for contact tracing by employers


From 1 June 2020, the whole of South Africa has moved to disaster alert level 3. As a result, most businesses that were prohibited from operating under alert levels 5 and 4 can re-open.

In developing and implementing their return to work strategies, employers must comply with certain legal obligations towards their employees.

This includes undertaking contact tracing and submitting to government the data of (1) employees who have tested positive for Covid-19, and (2) any other persons whom they may have exposed to the virus.

Sector-specific health protocols also exist and must be complied with, when applicable.


In complying, employers must be careful not to infringe unlawfully on their employees’ constitutionally-entrenched right to privacy and should ensure that their procedures comply with relevant data protection and surveillance laws.

Do

  • Ensure minimal collection: Only collect data that is necessary to track and trace Covid-19 cases; do not collect unnecessary data.
  • Keep employees informed: Let employees know what data may be collected, why collection is necessary, how it is being stored and if it could be shared with third parties.
  • Store information as securely as possible: Implement the highest security protections and ensure that these are kept up to date.
  • Only keep data for as long as necessary: Permanently delete data when it is no longer required for contact tracing activities. This is particularly important because the data collected will be of a sensitive nature.
  • Restrict access to data: Ensure that the data collected is only accessed by authorised individuals or those individuals that need to have access to the data.
  • De-identify data: Where possible, de-identify data in a way that prevents its reconstruction.
  • Conduct frequent reviews of data processing activities: Appoint an individual responsible for monitoring data collection activities and frequently reviewing the internal processes and procedures applicable to contact tracing.

Don’t

  • Collect unnecessary data: Do not collect or process data that is not necessary for Covid-19 tracing.
  • Unfairly discriminate: Do not use data that is collected to unfairly discriminate against an employee.
  • Neglect to review processes: Do not forget to frequently review data processing activities and develop mechanisms that provide for oversight of processes.
  • Repurpose data: Do not use data that is collected for tracing activities for any other purpose, even after the national state of disaster has ended.
  • Monetise the data: Do not sell or otherwise give the employee data to any marketers.
  • Engage in unlawful surveillance: Only conduct surveillance that is strictly necessary and in accordance with applicable law.
  • Share data with third parties unnecessarily: Do not share with authorities any employee data that is not strictly required by law to be shared.

When using tracing apps

There are also particular factors to note when implementing digital contact tracing (i.e. using contact tracing apps).

We have set out some of these factors in the guide below:

  • Potential abuse and breaches: Apps should indicate who is responsible for managing the data and provide expedited avenues for users to enforce their rights in the event that their rights to data protection or privacy are violated.
  • Security: Try to use an app with stringent security measures aimed at preventing data leaks or third party access to data.
  • Targeted advertisements: No targeted advertisements should be allowed on the app.
  • Compliance: The app must demonstrate compliance with applicable data protection and privacy laws.
  • Opting-in: Try to implement an app that employs an opt-in mechanism and that allows users to withdraw consent to data collection that is not necessary for public health purposes.
  • Apps must have user terms: The app must walk users through what data is collected, how it will be stored, with whom it will be shared and also request consent of users.
  • Re-purposing: The data collected via the app should not be re-purposed.
  • Apps must have an end point: The app should be removed from phones and the data deleted as soon as it is no longer necessary for Covid-19 contact tracing.

Nozipho Mngomezulu is a partner at attorneys Webber Wentzel. Webber Wentzel associate Peter Grealy also contributed to this article.

Featured image: geralt via Pixabay
