Up Again South Africa: Privacy and Data

The South African government developed a five-level approach for a phased reopening of the economy, and implemented measures to curb the transmission of COVID-19. Accordingly, certain businesses (other than those providing essential services) are permitted to reopen and operate, depending on the alert level. South Africa is currently at alert level 4, and is due to move to alert level 3 from 1 June 2020. We will provide more details when once available.

Intellectual Property and Technology

1. Can an employer carry out temperature monitoring and other health checks on employees and visitors prior to them entering work premises?

Yes. The Directive requires employers to take measures to screen employees and contractors when they report for duty to determine whether they have any observable COVID-19 symptoms, such as fever, shortness of breath, cough, sore throat and redness of eyes. However, the Directive does not state this screening must be done by means of temperature testing.

Though temperature testing would generally require consent, the Information Regulator issued a Guidance Note allowing an employer to compel an employee to undergo a COVID-19 test, and we believe this would extend to a temperature test. There are also certain sector-specific guidelines requiring an employer to deny entry to the premises if the employee or visitor refuses to undergo a temperature test. We would nevertheless recommend employers obtain the informed consent of the employee or visitor, but if the employee or visitor refuses to consent then a negative inference could be drawn and access denied.

The Directive also provides that if the employee has COVID-19 symptoms or informs the employer of such symptoms, then the employer may not permit entry into the workplace and must ensure the employee is tested or referred to a testing site. The Regulations provide that employers with more than 500 employees must have testing facilities on site. In the mining sector, a rigorous screening and testing program must be implemented, and data collected during the screening and testing programme must be submitted to the relevant authority.

2. Can an employer ask employees and visitors to complete a questionnaire on whether they are experiencing typical COVID-19 symptoms, have been in contact with an infected individual, or recently travelled to high risk countries?

Yes. The Directive provides that the employee or contractor must disclose whether they are presenting with symptoms before the employer allows them entry to the workplace. Certain sector-specific guidelines extend this to visitors. Employers should have a policy requiring employees to disclose if they are presenting with symptoms or if there is a reasonable apprehension they may have contracted COVID-19 (i.e. they have travelled to a high-risk area or been in contact with persons infected with COVID-19).

3. Can an employer require their employees to notify them if they or a member of their household has contracted COVID-19, or that they have the antigen?

Yes. The Directive provides that if an employee has been diagnosed with COVID-19, the employer must inform the Department of Health and the Department of Employment and Labour. Moreover, the employer is required to investigate the possible cause of the infection and review its risk assessment policy to ensure the necessary controls and PPE are in place.

The employer must also give administrative support to any contact-tracing measures implemented by the Department of Health. If an employee has contracted COVID-19, then the employer may not permit the employee to return to work until a medical evaluation certifies the employee is negative for COVID-19. As such, employees are required to disclose if they have had COVID-19 or have been exposed to COVID-19 before returning to work.

4. Can an employer tell their employees that a colleague may have potentially contracted COVID-19?

Yes. The Directive provides that if an employee tests positive for COVID-19 and has been on the employer's premises, the employer is obliged to alert all employees who came into contact with the sick employee so they can be screened for COVID-19. However, an employer is not required to inform other employees if the individual has been working from home and there has been no contact with other employees.

5. Can an employer share information with a health authority about COVID-19 cases they become aware of?

Yes. Employers have a reporting obligation under the Directive to inform the Department of Health and the Department of Employment and Labour if any employee has been diagnosed with COVID-19. Moreover, the employer is required to investigate the cause of infection and review its risk assessment policy to ensure the necessary controls and PPE are in place. The employer must also give administrative support to any contact-tracing measures implemented by the Department of Health.

6. Can an employer send employees’ health data to one of their affiliates outside the EEA or otherwise in another jurisdiction?

The Protection of Personal Information Act, 2013 (POPIA) is not yet fully in force and effect, but companies are encouraged to comply with POPIA insofar as reasonably practicable. The Information Regulator has also, in a guidance note, encouraged proactive compliance with POPIA for the lawful processing of personal information of employees who have tested positive for COVID-19.

Under POPIA and the guidance note, employers have an obligation to use the information of employees only for the purposes for which it was collected, and to ensure the privacy of the employee is maintained. Thus, there would need to be a legitimate purpose to send the health data of an employee to affiliates of the employer and appropriate security measures must be in place to protect the health data from unauthorised access or disclosure.

Currently, there is no limitation on transborder sharing of personal information, but when POPIA is fully in effect, personal information may not be shared if the recipient country does not have adequate data protection laws similar to POPIA. As such, when POPIA is fully in effect, health data of employees may not be sent to countries that do not have adequate data protection laws without prior authorisation from the Information Regulator.

7. Can an employer monitor how employees move around the workplace to help keep social distancing rules?

Yes. The Regulations provide that employers must adopt measures to promote physical distancing of employees and we believe an employer would be permitted to monitor the movement of employees to ensure compliance with social distancing measures.

8. Does an employer need to comply with any other GDPR principles or local privacy laws, when collecting data for the purpose of tackling COVID-19?

Yes. Medical testing is generally prohibited in the absence of consent. The Employment Equity Act, 1998 provides that medical testing of an employee is prohibited, unless other legislation permits or requires the testing; or if it is justifiable in the light of medical facts, employment conditions, social policy, the fair distribution of employee benefits, or the inherent requirements of a job.

Given the COVID-19 pandemic, the testing of employees would be justifiable and necessary for purposes of complying with the Occupational Health and Safety Act.

9. What are the risks if I am in breach of the GDPR or local privacy laws?

Given that POPIA is not yet in force, penalties in terms of POPIA may not be imposed. However, the employee would be able to institute a damages claim and seek compensation if the employee suffered harm as a result of a breach of their right to privacy.

To succeed in such a claim, the employee would need to prove all the elements of a delict (tort): wrongful conduct, causation, fault (intent/negligence) and harm. The employee would also need to prove the quantum of the damages sought. As such, employers should take reasonable steps to safeguard the results of the COVID-19 tests and to guard against data breaches.

An employer may suffer reputational harm if there is a data breach.