Appropriate steps are taken to protect data that could, either alone or when combined with other data, result in the identification of individuals or vulnerable groups within datasets used to tackle COVID-19

After an extensive desktop search of online information, no information could be found to demonstrate what any such appropriate steps are required or have been taken.

Data collected for epidemiological purposes shall not be shared or used by other parts of government, such as police forces or Ministries of Interior

As set out in the Regulations issued by the Minister of Cooperative Governance and Traditional Affairs in terms of section 27 (2) of the Disaster Management Act 57 of 2002, the information contained in the National Department of Health’s COVID-19 Database is confidential and may only be disclosed by authorized persons where necessary for the purpose of addressing, preventing or combatting the spread of COVID-19. This would include disclosures to authorized persons in other parts of government.

Protocols shall be established to respond to potential data breaches of datasets containing sensitive data

The Protection of Personal Information Act 4 of 2013 requires that when there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, the person or business which processes personal information must notify the Information Regulator and the data subject as soon as reasonably possible after the discovery of the compromise. The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise. This must consider the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

Individuals or vulnerable groups who may be harmed by the misuse of their data in response to the COVID-19 pandemic – either intentionally or accidentally – shall have access to judicial redress and due process

Although such individuals and groups would formally have access to judicial redress to persue a civil claim, they may in fact experience difficulty in obtaining legal advice and representation.

Governments and public bodies shall retain all intellectual property rights over databases and all derivative data outputs produced using African citizens’ data as part of the COVID-19 response

After an extensive desktop search of online information, no information could be found to demonstrate that governments and public bodies have registered or asserted any such intellectual property rights.

Governments, private companies and other entities shall commit to engaging with civil society organisations and digital rights defenders in order to identify responsible and practicable ways of winding-down any emergency data collection, processing and use at the end of the pandemic, in accordance with local laws and in line with international best practices

After an extensive desktop search of online information, no information could be found to suggest that any such engagement has taken place.