Law Library Stacks

Back to Index of of Legal Reports
Back to Comparative Summary

Full Report (PDF, 2.78MB)
Map: COVID-19 Contact Tracing Apps (PDF, 550KB)

Jurisdictions Surveyed:
The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates

South Africa

As part of the effort to combat and mitigate the impact of the COVID-19 pandemic, South Africa established an interim database, the COVID-19 Tracing Database, within the Department of Health. All health care professionals who test a person for COVID-19 must report the person’s identification and contact information, including cellphone number, for inclusion in the Database. All accommodation establishments must report similar information relating to anyone who uses their services during the national lockdown. The director-general of the Department is authorized to mandate electronic communications service providers to report to her the location and movements of persons known or suspected of having COVID-19 and anyone who is reasonably suspected to have come into contact with such persons. The director-general is not obligated to inform the persons whose location and movement is being tracked until after the end of the state of national disaster.

The authority of the director-general is subject to some restrictions and oversight. For instance, the director-general’s authority to track location and movement of persons is limited to the period from March 5, 2020, through the end of the national state of disaster. Such information may only be obtained, used, or disclosed by authorized persons and only for the purpose of combatting the spread of COVID-19. All information in the Database must be de-identified (anonymized) or destroyed within six-weeks after the expiration of the national state of disaster and this process is subject to judicial and parliamentary oversight. Significantly, the collection or use of tracking information for a purpose other than combating the spread of COVID-19, unauthorized disclosure of information in the Database, retention of such information beyond the period authorized by law, or failure to de-identify or destroy information as required by law is an offense punishable on conviction by a fine, custodial sentence, or both.

The collection, use, and disclosure of personal information in South Africa is governed under the 1996 Constitution, common law, and a number of statutes. One such law is the 2013 Protection of Personal Information Act. The Act imposes various conditions under which the lawful processing of personal information (including location information) may take place, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation, as further defined by statute. Although most parts of the Act have yet to take effect, a guidance note issued by the Information Regulator, an institution established under parts of the Act already in force, requires that processing of personal information done for the purpose of combatting COVID-19 must adhere to the conditions set under the Act.

I. Introduction

As of May 22, South Africa had conducted 543,032 tests and registered 20,125 confirmed COVID-19 cases.[1] On the same day, South Africa recorded 988 new cases.[2] Of the persons infected, so far 10,104 have recovered and 397 have died.[3]

As part of its effort to combat the spread of COVID-19, South Africa has put in place measures leveraging technology (described in Part III, below), mainly using location and movement data to conduct contact tracing of infected persons and persons who have come into contact with infected persons. The level of permeation of mobile and smartphones in the country, whose population is estimated at about 56.5 million,[4] is important in this regard. As of 2018, mobile cellular subscriptions stood at around 92.5 million, representing about 167 subscriptions per 100 residents in the country.[5] According to the Independent Communications Authority of South Africa (ICASA), the official regulator of the South African communications, broadcasting and postal services sectors, smartphone penetration nearly doubled in a span of two years, from 43.5% in 2016 to 81.7% in 2018.[6] According to the same report, in 2018, South Africa had 65.8 million mobile cellular data subscriptions, a 12.3% increase since 2015, and about 12.6 million LTE device subscriptions.[7]

However, this information must be read in context. According to one source, “[t]he penetration rate likely reflects that many South Africans have more than one smartphone, while a significant portion of citizens are still reliant on basic or feature phones.”[8] According to a Pew Research Centre report, based on a spring 2017 survey, 51% South Africans owned smartphones that could access the internet and apps.[9]

II. Legal Framework

A. Privacy and Data Protection

The collection, use, and disclosure of personal information in South Africa is governed under the 1996 Constitution, common law, and a number of statutes, including the Promotion of Access to Information Act, the Electronic Communications and Transactions Act, and the National Credit Act.[10] In 2013, South Africa enacted the Protection of Personal Information Act, which is considered a codification of privacy protections under the country’s common law; however, most parts of the Act have yet to take effect.[11] Nevertheless, the Information Regulator (the Regulator), an entity established under the parts of the Act already in force, recently issued a guidance document requiring responsible parties to follow the requirements under the Act (see Part II(B)(1), below) and the Guidance when processing personal information. Other laws relevant to privacy issues include the Regulation of Interception of Communications and Provision of Communication-Related Information Act and the National Health Act. Relevant parts of these laws are discussed below.

1. The Constitution

The right to privacy is guaranteed by the Bill of Rights chapter of the 1996 Constitution, which states that

[e]veryone has the right to privacy, which includes the right not to have ­

a.      their person or home searched;

b.      their property searched;

c.      their possessions seized; or

d.      the privacy of their communications infringed.[12]

Limitations may be imposed on the right to privacy, but “only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors.”[13] Among the factors that must be considered when imposing a limitation are the importance of the purpose for which the limitation is proposed, the nature and extent of the proposed limitation, the relationship between the proposed limitation and its purpose, and the least restrictive means of achieving the purpose.[14]

2. Protection of Personal Information Act

The Protection of Personal Information Act (POPIA) permits the processing of personal information in certain circumstances. It defines “personal information” as “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including but not limited to . . . any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person.”[15] The term “processing” includes “the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use” of personal information.[16]

POPIA puts in place general conditions under which the lawful processing of personal information may take place, including accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation, as further defined by statute.[17] As noted above, the term “personal information” includes location information. The “purpose specification” clause of POPIA requires that the collection of personal information be limited to “a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.”[18] It also requires that further processing of personal information be compatible with the purpose of collection.[19] Significantly, it provides that further processing of personal information is considered compatible with the purpose of collection if “it is necessary to prevent or mitigate a serious and imminent threat to– (i) public health or public safety; or (ii) the life or health of the data subject or another individual.”[20]

POPIA bars the processing of special information[21] except in certain limited instances, including when the data subject consents or it is “necessary for the establishment, exercise or defence of a right or obligation in law.”[22] In this situation, additional conditions relating to the specific information in question apply.[23]

As noted above, POPIA makes putting in place security safeguards one of the conditions for processing personal information. The Act states that “[a] responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent– (a) loss of, damage to or unauthorized destruction of personal information; and (b) unlawful access to or processing of personal information.”[24] In order to effectively meet this requirement, the party must take reasonable steps to

(a)    identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

(b)    establish and maintain appropriate safeguards against the risks identified;

(c)    regularly verify that the safeguards are effectively implemented; and

(d)    ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.[25]

POPIA does not apply to instances of processing of personal information by or for a public body involving “national security, including activities that are aimed at assisting in the identification of the financing of terrorist and related activities, defence or public safety.”[26] Nevertheless, as noted above, the Regulator’s recent Guidance (see Part II(B)(1), below) requires that responsible parties, including relevant government entities, adhere to rules under the Act when processing personal information of data subjects as part of the effort to curb COVID-19.

3. Electronic Communications and Transactions Act

Application of the Electronic Communications and Transactions Act (ECTA) is limited to instances in which personal information is collected through electronic transactions.[27] A data controller “may voluntarily subscribe” to the principles for electronically collecting personal information stipulated in the Act by recording such fact in an agreement with a data subject; however, the data controller must subscribe to all the applicable principles and not just parts thereof.[28] Once POPIA takes effect, it will amend the definition of the term “personal information” under ECTA to include location information.[29] In addition, application of the provisions of ECTA relating to the protection of personal information will be limited to instances where they are more extensive than the principles and protections afforded under POPIA.[30] ECTA includes nine principles for electronically collecting personal information:

(1)    A data controller must have the express written permission of the data subject for the collection, collation, processing or disclosure of any personal information on that data subject unless he or she is permitted or required to do so by law.

(2)    A data controller may not electronically request, collect, collate, process or store personal information on a data subject which is not necessary for the lawful purpose for which the personal information is required.

(3)    The data controller must disclose in writing to the data subject the specific purpose for which any personal information is being requested, collected, collated, processed or stored.

(4)    The data controller may not use the personal information for any other purpose than the disclosed purpose without the express written permission of the data subject, unless he or she is permitted or required to do so by law.

(5)    The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of the personal information and the specific purpose for which the personal information was collected.

(6)    A data controller may not disclose any of the personal information held by it to a third party, unless required or permitted by law or specifically authorised to do so in writing by the data subject.

(7)    The data controller must, for as long as the personal information is used and for a period of at least one year thereafter, keep a record of any third party to whom the personal information was disclosed and of the date on which and the purpose for which it was disclosed.

(8)    The data controller must delete or destroy all personal information which has become obsolete.

(9)    A party controlling personal information may use that personal information to compile profiles for statistical purposes and may freely trade with such profiles and statistical data, as long as the profiles or statistical data cannot be linked to any specific data subject by a third party.[31]

4. Promotion of Access to Information Act

Aimed at implementing the access to information clause of the Constitution, the Promotion of Access to Information Act (PAIA) includes some key data protection provisions. PAIA accords a person the right to access records held by public or private bodies containing his or her personal information.[32] As in the case of ECTA, when POPIA takes effect, the definition of the term “personal information” under PAIA will be amended to include location information.[33] In addition, it bars a public or a private body from disclosing records if doing so “would involve the unreasonable disclosure of personal information about a third party, including a deceased individual.”[34] The Act further requires that public and private bodies take reasonable steps to put in place internal measures for correcting personal information.[35]

5. Regulation of Interception of Communications and Provision of Communication-Related Information Act

As a general rule, the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA) bars interception of communication, stating that “no person may intentionally intercept or attempt to intercept, or authorise or procure any other person to intercept or attempt to intercept, at any place in the Republic, any communication in the course of its occurrence or transmission.”[36] However, there are exceptions in which RICA permits the interception and monitoring of direct and indirect communications with an interception direction issued by a designated judge.[37]

B. Data Retention and Location Tracking

1. POPIA 

As noted above, the definition of the term “personal information” under POPIA includes location information. POPIA bars the retention of personal information for a longer period than is necessary to achieve the purpose for which it was collected and processed.[38] However, personal information may be retained beyond that period if the law or a contract between the parties involved authorizes or requires it, “the responsible party reasonably requires the record for lawful purposes related to its functions or activities,” or the data subject consents to it.[39] Further retention is also permitted for “historical, statistical or research purposes if the responsible party has established appropriate safeguards against the records being used for any other purposes.”[40]

After the period for authorized retention of a record of personal information lapses, the responsible party “must destroy or delete a record of personal information or de-identify[[41]] it as soon as reasonably practicable.”[42] Destruction or deletion of a record of personal information “must be done in a manner that prevents its reconstruction in an intelligible form.”[43]

On April 3, 2020, the Regulator issued a guidance note on processing of personal information. Noting that not all the sections of POPIA have come into effect, the Regulator encouraged responsible parties to proactively comply with its provisions “when processing personal information of data subjects who have tested or are infected with COVID-19, or who have been in contact with such data subjects.”[44] The Guidance states that, when processing personal information, responsible parties must adhere to a number of conditions.[45]

The Guidance requires electronic communications providers to provide the South African government with location-based data of their customers in certain circumstances and authorizes the government to use such information in managing the spread of COVID-19, if

a)      processing complies with an obligation imposed by law on the responsible party; or

b)     processing protects the legitimate interest of a data subject; or

c)      processing is necessary for the proper performance of a public law duty by a public body; or

d)     processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.

However, the Government must still comply with all the applicable conditions for the lawful processing as set out in this Guidance Note.[46]

The Guidance further notes that communication service providers may provide to the government location-based data for “the purpose of conducting mass surveillance of data subjects if the personal information is anonymised or de-identified in a way that prevents its reconstruction in an intelligible form.”[47]

The Guidance concludes that all regulations issued to combat the spread of COVID-19 “should be implemented in conjunction with the applicable conditions for the lawful processing of personal provided for in POPIA to ensure respect for the right to privacy.”[48]

2. RICA

RICA requires that telecommunication service providers “(a) provide a telecommunication service which has the capability to be intercepted;[[49]] and (b) store communication-related information” for three to five years.[50] An interception direction,[51] a direction for gathering real-time communication related information,[52] or a direction for gathering  archived communication may be issued for a number of reasons, including if the judge before whom the application for an interception direction is made finds that there are reasonable grounds to believe that “the gathering of information concerning an actual [or potential] threat to the public health or safety, national security or compelling national economic interests of the Republic is necessary.”[53]

RICA expressly bars notification of the subjects of the interception of their communication including after the conclusion of the surveillance.[54]

In September 2019, the Gauteng Division of the High Court of South Africa at Pretoria declared a number of RICA’s provisions unconstitutional. These include the provisions of RICA that bar notification of subjects of interception; the provision that allows for the appointment of a judge responsible for hearing applications for and issuing directions allowing surveillance, to the extent it fails to guarantee the independence of the judge; and the provisions that allow application for and obtaining a surveillance direction to the extent that they fail to “address expressly the circumstances where a subject of surveillance is either a practicing lawyer or a journalist.”[55] However, as required under the South African Constitution, the High Court’s decision will only take effect if it is confirmed by the Constitutional Court.[56]

3. ECTA

As noted above, ECTA allows data controllers to voluntarily subscribe to a number of data privacy principles under the umbrella of which they may process data subjects’ personal information, which will include location information once a law amending POPIA takes effect. A data controller that subscribes to these principles may store personal information of the data subject.[57] The applicable principles require that the data controller keep a record of the personal information in question and the record of a third party to whom the record was disclosed, if any, for as long as the personal information is used and for a period of one year afterwards.[58]

4. Public Health Act

The Public Health Act permits health workers and health care providers who have access to the health records of a user to disclose the user’s personal information, as defined under POPIA, “to any other person, health care provider or health establishment as is necessary for any legitimate purpose within the ordinary course and scope of his or her duties where such access or disclosure is in the interests of the user.”[59] The Act also requires that a healthcare facility in possession of healthcare records “set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.”[60]

III. Electronic Measures to Fight COVID-19 Spread

On March 15, 2020, South Africa declared a national state of disaster under the 2002 Disaster Management Act due to the coronavirus pandemic.[61] During a state of disaster, the Disaster Management Act allows the government to issue regulations relating to, inter alia, “the movement of persons and goods to, from or within the disaster-stricken or threatened area,” “the dissemination of information required for dealing with the disaster,” and “other steps that may be necessary to prevent an escalation of the disaster, or to alleviate, contain and minimise the effects of the disaster.”[62] Similarly, the 2004 Disaster Management Regulations (as amended) state that any minister “may issue and vary directions, as required, within his or her mandate, to address, prevent and combat the spread of COVID-19, from time to time, as may be required,” including “steps that may be necessary to prevent an escalation of the national state of disaster, or to alleviate, contain and minimise the effects of the national state of disaster.”[63] Based on these authorities, the Department of Communications and Postal Services and the Department of Cooperative Governance and Traditional Affairs issued directions and regulations relating to location tracking for the purpose of combating the spread of COVID-19.

A. Department of Communications and Postal Services Direction

On March 26, 2020, the Minister of Communications and Postal Services issued a direction that includes the following “individual track and trace” (contact tracing) clause:

The Electronic Communication Network Service (ENCS) and Electronic Communication Service (ECS) Licensee, internet ad digital sector in general, must provide location-based services in collaboration with the relevant authorities identified to support designated departments to assist and combat the spread of COVID-19.[64]

Responding to concerns of government intrusion into citizens’ lives, the Minister sought to reassure the public in a statement stating that,

[w]hen we say we are going to use cell phone numbers, it doesn’t meant we are going take anybody’s number. Those that test and are found to be positive . . . it is those people that the Department of Health will seek permission from the Electronic Communications Network Service (ECNS) licence[e]s to access their geolocation.[65]

On May 8, 2020, the contact tracing clause was repealed.[66]

The direction also requires the South African Post Office to participate in individual tracking and tracing efforts:

The South African Post Office must make available its national address system and any applicable database to assist the relevant authorities identified to track and trace individuals that have been infected and such other persons that may have been in direct contact with such infected persons. A database may be correlated with other sources from government and private sector.[67]

This clause appears to be in force to date.

B. Department of Cooperative Governance ad Traditional Affairs Regulations

The Regulations issued by the Minister of Cooperative Governance and Traditional Affairs include provisions on leveraging technology for contract tracing.[68] The Regulations mandate the Department of Health to develop a national database (COVID-19 Tracing Database) “to enable the tracing of persons who are known or reasonably suspected to have come into contact with any person known to or reasonably suspected to have contacted COVID-19.”[69] The Database must include various pieces of information, including

(a)    the first name and surname, identity or passport numbers, residential address and other address where such person could be located, and cellular phone numbers of all persons who have been tested for COVID-19;

(b)    the COVID-19 test results of all such persons; and

(c)    the details of the known or suspected contacts of any person who tested positive for COVID-19.[70]

In addition to the restrictions and oversight discussed below, housing the COVID-19 Tracing Database within the Department of Health probably makes it less likely that the information collected for and stored in the Database will be used for purposes other than contact tracing as compared to those countries where national security agencies are involved in contact tracing.[71]

1. Testing and Collection of Information

When a person is tested for COVID-19, the following information is collected for submission to the director-general of the Department of Health and inclusion in the COVID-19 Tracing Database:

(a)    the first name and surname, identity or passport number, residential address, and cellular phone numbers of the person concerned [tested]; and

(b)    a copy or photograph of the passport, driver’s licence, identity card or identity book of the person tested.[72]

Any laboratory that tests a sample for COVID-19 is also required to report to the director-general the information of the person whose sample it tested and the test results.[73] Similarly, the National Institute for Communicable Diseases (NICD) must report to the director-general similar information in its possession and any information regarding the persons with whom a COVID-19 patient may have come into contact.[74]

In addition, accommodation establishments are required to report to the director-general, for the purpose of inclusion in the COVID-19 Tracing Database, the contact information, such as phone number, address, and identification information, of every person who stays in the establishment during the lockdown.[75]

2. Location Tracking

The Regulations authorize the director-general to direct electronic communications service providers to report to him or her the following information:

(a)    the location or movements of any person known or reasonably suspected to have contracted COVID-19; and

(b)    the location or movements of any person known or reasonably suspected to have come into contact, during the period 5 March 2020 to the date on which the national state of disaster has lapsed or has been terminated, with a person contemplated in subparagraph (a).[76]

Upon receiving the directive, the electronic communication services provider in question “must promptly comply.”[77] The director-general is not under an obligation to inform the person whose information is being obtained, used, or disclosed during such activities, but must do so within six weeks from the date of expiration of the national disaster declaration.[78] A national state of disaster lapses three months after the date of declaration; however, it may be terminated before that time or extended beyond the three-month window.[79]

3. Restrictions and Oversight

The information relating to the location and movements of persons described above may only obtained for the period of March 5 through the expiration of the national state of disaster declaration,[80] and may only be “obtained, used or disclosed” by authorized persons for the limited purpose of “addressing, preventing or combatting the spread of COVID-19 through contact tracing process.”[81] Information relating to the location and movement of such persons must be included in the COVID-19 Tracing Database to the extent it is relevant for the purpose of conducting contact tracing; however, information not included in the Database may only be retained by the director-general for a maximum of six weeks after it was acquired at which time it must be destroyed.[82]

The director-general must provide a weekly report to the COVID-19 designated judge (a Constitutional Court judge designated to perform this oversight role) “the names and details of all persons whose location or movements were obtained.”[83] The designated judge’s oversight authority does not appear to be meaningful while the collection of information and tracking is in progress; however, he or she may make recommendations for changing the applicable regulation or its enforcement to the relevant cabinet members.[84] Once the program for collection of information and tracking of persons concludes, the designated judge’s oversight role with regard to the fate of the information collected for the Database is more significant (see below).

The Regulations require that information in the COVID-19 Tracing Database be de-identified within six-weeks of the expiration of the national state of disaster declaration and that all information not de-identified be destroyed.[85] De-identified information on the Database may be used for research, study, and teaching purposes only.[86]

The de-identification process, destruction process relating to the information on the Database, and notification of data subjects is subject to judicial and legislative oversight. The director-general must file a report on the de-identification and destruction process of the information in the Database, as well as the notification of data subjects, to the designated judge.[87] The designated judge may “give directions as to any further steps to be taken to protect the right to privacy of those persons whose data has been collected, which directions must be complied with.”[88] The director general’s report must also be considered in Parliament.[89]

4. Penalties

The Regulations bar unauthorized disclosure of information stored in the Database; a violation of this bar is an offense punishable by a fine, custodial sentence not exceeding six-months, or both.[90] The following conduct is also criminalized and subject to the same penalties:

  • Failure of accommodation establishments to collect and transmit to the director-general all the required information described above
  • Obtaining, using, or disclosing relevant information for a purpose other than addressing, preventing, or combating the spread of COVID-19
  • Retention of such information for a period longer than authorized by the Regulations
  • Failure to de-identify or destroy information on the Database as required by the Regulations
  • Failure of a communications service provider to follow the director-general’s direction to collect and make available location and movement information of persons suspected of having contracted COVID-19 and anyone  suspected of having come into contact with such persons
  • Failure to adhere to directions of the designated judge regarding the steps that must be taken to ensure the privacy of persons whose information has been collected for the Database[91]

Back to Top

Prepared by Hanibal Goitom
Chief, FCIL I
June 2020


[1] Press Release, Department of Health, Republic of South Africa, Update on Covid-19 (May 22, 2020), https://perma.cc/5U6V-DKQF.

[2] Id. Press Release, Department of Health, Republic of South Africa, Update on Covid-19 (21st May), https://perma.cc/VFF5-R57X.

[3] Press Release (May 22, 2020), supra note 1.

[4] South Africa, CIA World Factbook (last updated Mar. 16, 2020), https://perma.cc/23UB-9MP6.

[5] Id.

[6] Independent Communications Authority of South Africa, The State of the ICT Sector Report in South Africa 25-26 (Mar. 19, 2019), https://perma.cc/2ZLR-N28P.

[7] Id. at 31. LTE is “the latest generation of mobile technology. A step up from 3G technology, LTE offers faster network download and upload speeds.” All about LTE: Everything You Need to Know about TE and Wireless Broadband, Telekom, https://perma.cc/A2ZK-L69Y.

[8] Paula Gilbert, SA Smartphone Penetration Now at over 80%, Says ICASA, ITWeb (Apr. 3, 2019), https://perma.cc/CGS8-4HMQ.

[9] Laura Silver & Courtney Johnson, Internet Connectivity Seen as Having Positive Impact on Life in Sub-Saharan Africa, Pew Research Center (Oct. 9, 2018), https://perma.cc/RFM3-LDJW.

[10] Adrian Naude, Data Protection in South Africa: The Impact of Protection of Personal Information Act and Recent International Developments (unpublished LLM Thesis, University of Pretoria) (Dec. 2014), https://perma.cc/S5LP-WEPC.

[11] Data Protection Laws of the World: South Africa, DLA Piper (last modified Jan. 27, 2020), https://perma.cc/AA99-5Q72.

[12] South Afr. Const., 1996, § 14, https://perma.cc/K5MU-5LLH

[13] Id. § 36.

[14] Id.

[15] Protection of Personal Information Act No. 4 of 2003 (POPIA) § 1 (Nov. 19, 2013), https://perma.cc/ZN2A-PFBN. Once implemented, POPIA will introduce the same definition of the term “personal information” to the Promotion of Access to Information Act No. 2 of 2000 (PAIA), § 1 (Feb. 2, 2000), https://perma.cc/56Z5-PWH3, and the Electronic Communications and Transactions Act No. 25 of 2002 (ECTA), § 1 (July 31, 2002), https://perma.cc/A5TF-3MU9. POPIA § 110.

[16] POPIA § 1.

[17] Id. § 4.

[18] Id. § 13.

[19] Id. § 15.

[20] Id. § 15(d).

[21] Id. § 26. This is information relating to

the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject; or

the criminal behaviour of a data subject to the extent that such information relates to—

the alleged commission by a data subject of any offence; or

any proceedings in respect of any offence allegedly committed by a data subject or the disposal of such proceedings. Id.

[22] Id. § 27(1)(b).

[23] Id. §§ 28 & 33.

[24] Id. § 19(1).

[25] Id. § 19(2).

[26] Id. § 6.

[27] ECTA § 50.

[28] Id.

[29] POPIA § 110.

[30] Id. 3(2)(b).

[31] ECTA § 51.

[32] PAIA §§ 11 & 50.

[33] POPIA § 110.

[34] PAIA §§ 34 & 63.

[35] Id. § 88.

[36] Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA), § 2 (Sept. 2005), https://perma.cc/K6RN-8AVH.

[37] Id. § 16.

[38] POPIA § 14.

[39] Id. § 14.

[40] Id.

[41] This means deleting information that: (a) identifies the data subject; (b) can be used or manipulated by a reasonably foreseeable method to identify the data subject; or (c) can be linked by a reasonably foreseeable method to other information that identifies the data subject. Id. § 1.

[42] Id. § 14.

[43] Id.

[44] Information Regulator, Guidance Note on the Processing of Personal Information in the Management of COVID-19 Pandemic in Terms of the Protection of Personal Information Act 4 of 2013 (POPIA), § 2 (Apr. 3, 2020), https://perma.cc/3TW2-5K24.  Section 3.7 of the Guidance note defines the term “responsible party” as

a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information. The following are examples of responsible parties in the context of the management of COVID-19 and include but not limited to, the NCC, National Department of Health, Provincial Department, Local Government, National Institute of Communicable Disease (NICD), National Health Laboratories Services (NHLS), Independent laboratories, Mobile Network Operators, Voluntary Organizations.

[45] Id. § 4.

[46] Id. § 5.1.

[47] Id. § 5.2.

[48] Id. § 9.

[49] The terms “intercept” and “interception” are defined by section 1 of RICA as

the aural or other acquisition of the contents of any communication through the use of any means, including an interception device, so as to make some or all of the contents of a communication available to a person other than the sender or recipient or intended recipient of that communication, and includes the –

(a)   monitoring of any such communication by means of a monitoring device;

(b)   viewing, examination or inspection of the contents of any indirect communication; and

(c)   diversion of any indirect communication from its intended destination to any other destination.

[50]Id. § 30(1). RICA section 1 defines “communication related information” as

any information relating to an indirect communication which is available in the records of a telecommunication service provider, and includes switching, dialling or signalling information that identifies the origin, destination, termination, duration, and equipment used in respect, of each indirect communication generated or received by a customer or user of any equipment, facility or service provided by such a telecommunication service provider and, where applicable, the location of the user within the telecommunication system.

[51] This is a written or oral direction issued by an authorized judge permitting interception of any communication in the country “in the course of its occurrence or transmission. RICA § 1.

[52] “Real-time communication related information” is “communication-related information which is immediately available to a telecommunication service provider– (a) before, during, or for a period of 90 days after, the transmission of an indirect communication; and (b) in a manner that allows the communication-related information to be associated with the indirect communication to which it relates.” Id. 

[53] Id. §§ 16–19.

[54] Id. §§ 16, 17(6), 18(3)(a), 20(6), 21(6) & 22(7).

[55] Amabhungane Centre for Investigative Journalism NPC and Another v. Minister of Justice and Correctional Services and Others, 2020 (1) SA 90 (GP) 64-68, https://perma.cc/6QUX-XBJF.

[56] South Afr. Const. § 167(5).

[57] ECTA § 51.

[58] Id.

[59] National Health Act No. 61 of 2003, § 15 (July 18, 2004), https://perma.cc/HF3A-PCG3.

[60] Id. § 17.

[61] Declaration of a National State of Disaster, Government Notice 313 (Mar. 15, 2020), https://perma.cc/6HCG-3P7J.

[62] Disaster Management Act No. 57 of 2002, § 27(2)(f), (k), (n) (Apr. 1, 2004), https://perma.cc/4LAU-YMJ2.

[63] Regulations Issued in terms of Section 27(2) of the Disaster Management Act, 2002, § 4(10)(c) (Apr. 29, 2020), https://perma.cc/9ZP3-AUF8.

[64] Disaster Management Act (57/2002): Electronic Communications, Postal and Broadcasting Directions Issued Under Regulation 10(8) of the Act, Government Gazette (GG) No. 43164, § 8.1 (Mar. 26, 2020), https://perma.cc/GCB6-W5VE.

[65] Contact Tracing Will Not Be Used to Spy on Citizens, South Africa Government News Agency (Apr. 2, 2020), https://perma.cc/RJ9A-M7LA.

[66] Disaster Management Act (57/2002): Electronic Communications, Postal and Broadcasting Directions Issued Under Regulation 10(8) of the Act, § 8.

[67] Id.

[68] Regulations Issued in terms of Section 27(2) of the Disaster Management Act, 2002, § 8.

[69] Id.

[70] Id.

[71] Sara Wild, Antipoaching Tech Tracks COVID-19 Flare-Ups in South Africa, Scientific American (May 12, 2020), https://perma.cc/GK3J-ZP9C.

[72] Regulations Issued in terms of Section 27(2) of the Disaster Management Act § 8(6).

[73] Id. § 8(7).

[74] Id. § 8(8).

[75] Id. The lockdown covers the time period from March 26 through April 30, 2020. Id. § 1.

[76] Id. § 8(10).

[77] Id.

[78] Id. § 8(16).

[79] Disaster Management Act No. 57 of 2002, § 27(5).

[80] Regulations Issued in terms of Section 27(2) of the Disaster Management Act, 2002, § 8(11).

[81] Id. § 8(11).

[82] Id.

[83] Id. §§ 8(13) & (14).

[84] Id. § 8(15).

[85] Id. § 8(17)(a) & (c).

[86] Id. § 8(17)(b).

[87] Id. § 8(17)(d).

[88] Id. § 8(18).

[89] Id. § 8(19).

[90] Id. § 14.

[91] Id.

Last Updated: 12/30/2020