Appropriate steps are taken to protect data that could, either alone or when combined with other data, result in the identification of individuals or vulnerable groups within datasets used to tackle COVID-19

According to the draft guidance note issued by the Office of the Data Protection Commissioner regarding Covid-19, any person who has access to personal data shall be responsible for its protection and must demonstrate that they have put in place proactive mechanism to appropriately safeguard the personal data. Any personal data sharing between parties should also be approved by the Office of the Data Protection Commissioner and has to be guided by a valid agreement presumably with the data subject. This agreement must govern data protection (including the data destruction technique to be used) and contain a data protection impact statement. The Data Protection Act further requires that the person responsible for the data shall ensure that the personal data is de-identifiable.

Data collected for epidemiological purposes shall not be shared or used by other parts of government, such as police forces or Ministries of Interior

The Data Protection Act 24 of 2019 requires that the processing of the data must be necessary for reasons of public interest in the area of public health or be carried out by a person who, in the circumstances, owes a legal duty of confidentiality. This may arguably include processing by persons in other parts of government

Protocols shall be established to respond to potential data breaches of datasets containing sensitive data

When any breach occurs, the Data Protection Act of 2019 obliges data controllers to notify the Data Protection Commissioner within 72 hours of becoming aware of a breach and to notify the data subject without undue delay. Data processors are also required to inform data controllers of any breach within 48 hours of becoming aware of such a breach. The Act further empowers the Data Protection Commissioner to investigate data breaches, including powers of entry and search, and enables the Data Protection Commissioner to issue an administrative fine.

Individuals or vulnerable groups who may be harmed by the misuse of their data in response to the COVID-19 pandemic – either intentionally or accidentally – shall have access to judicial redress and due process

Although such individuals and groups would formally have access to judicial redress to persue a civil claim, they may in fact experience difficulty in obtaining legal advice and representation.

Governments and public bodies shall retain all intellectual property rights over databases and all derivative data outputs produced using African citizens’ data as part of the COVID-19 response

After an extensive desktop search of online information, no information could be found to demonstrate that governments and public bodies have registered or asserted any such intellectual property rights.

Governments, private companies and other entities shall commit to engaging with civil society organisations and digital rights defenders in order to identify responsible and practicable ways of winding-down any emergency data collection, processing and use at the end of the pandemic, in accordance with local laws and in line with international best practices

After an extensive desktop search of online information, no information could be found to suggest that any such engagement has taken place.