Aggregated data and metadata are open to the public

“The National Institute for Communicable Diseases (NICD), which is a division of the National Health Laboratory Service, publishes daily, weekly and special COVID-19 surveillance reports on its website and on social media platforms. The NICD is an expert advisory body which provides specialist advice during outbreak situations and works in collaboration with the Provincial and National Departments of Health. The NICD’s COVID-19 Situation Summary presents aggregate national and provincial statistics regarding COVID-19 testing based on a national laboratory surveillance system. The NICD’s COVID-19 Hospital Surveillance Report also presents data collected using clinical information from admitted patients at selected hospitals to identify trends in the admissions and deaths of COVID-19 patients.

Information regarding the registration of mortality data, including of socio-demographic variables, is continuously collected. Notice of Death (DHA-1663) forms are administered by the Departments of Home Affairs and Health, and are processed by Statistics South Africa.
Aggregate information on causes of death is published annually in Statistics South Africa’s Mortality and causes of death release. Deaths recorded on the National Population Register are also provided to the South African Medical Research Council (SAMRC) on a weekly basis. After adjustment in terms of a its methodology, this data is published by the SAMRC on a weekly basis with full explanations for adjustments and analytical insights.

The National Institute for Occupational Health (NIOH) also publishes aggregated data regarding the admission of health care workers to hospitals and their health outcomes. The NIOH has also published aggregated data regarding COVID-19 Transmissions by occupations. Data is obtained by the NIOH from the NICD, employers and healthcare workers.”

Open source software and algorithms are used to analyse data

The NICD has publicly described the manner in which it sorts testing data using an algorithm. Testing data on province and district allocation was mapped by the NICD based on a geocoding algorithm using, in order of priority, the completeness of patient data, the submitting doctor’s address, the registering doctor’s address and, as final option, the guarantor’s address data. The geocoding algorithm used the most complete data for assigning data on province and district where adequate information was provided on the lab request form at the time of sample collection.

Information on what entities are collecting data, from what communities and for what purposes are made available to the public

“The National Department of Health operates a national database in order to guide appropriate responses in addressing, preventing or combatting the spread of COVID¬19, including contact tracing and geospatial hotspot mapping. The information contained in the COVID¬19 Database is confidential and may only be disclosed by authorized persons where necessary for the purpose of addressing, preventing or combatting the spread of COVID-19. The NICD began testing for Covid-19 on 28 January 2020. After the first case in South Africa was confirmed in early March 2020, the NICD expanded testing to a larger network of private and NHLS laboratories. Initially, testing was limited to individuals who had travelled to countries with COVID-19 transmission, but the criteria for testing has continued to evolve.

In April 2020, the National Department of Health implemented widespread community symptom screening and referral for PCR testing. These operations were in line with the National Department of Health’s adoption of a community-orientated primary care approach, which relies on teams of community health workers working in delineated vulnerable communities to prevent disease and provide early interventions for those at higher risk. This involved collaboration between health care facilities and community-based teams who worked under the supervision of professional nurses, the mapping of cases in highly vulnerable communities, targeted screening around cases, testing of those that screened positive by mobile testing centres, health education and linkage to primary care. The overall aim was to slow down transmission through the early identification and isolation of diagnosed cases. Key challenges included the designing of a screening tool with appropriate sensitivity and specificity, especially in light of numerous shifts in the case definition of Covid-19, the high risk of both type one and two errors, and the overlap between Covid-19 symptoms and tuberculosis which is highly prevalent in vulnerable South African communities. Data collection was paper-based, and data quality was reportedly poor. The strategy was, however, changed to a more targeted approach in May 2020. Community screening was largely discontinued and testing efforts then focussed on areas identified as hot spots and on investigating clusters. Contacts provided by persons who tested positive were traced and tested if they were symptomatic. In some provinces and in certain circumstances (closed settings and some workplaces), asymptomatic contacts were also tested. Testing has also been prioritised for healthcare workers and hospitalised patients.

The National Department of Health has also developed and implemented electronic systems or applications which can be used on mobile devices and computers to collect, on a voluntary basis, information from members of the public for inclusion in the COVID¬19 Database. The National Department of Health may also receive information regarding members of the public that is provided on a voluntary basis through electronic systems or applications operated by private entities for inclusion in the COVID-19 Database.

Every accommodation establishment is also required to transmit to the Director-General of the National Department of Health various personal information regarding every person staying at the accommodation establishment during the period of lockdown. This data is for included in the COVID¬19 Database. Employers are also required to make their COVID-19 risk plans available for inspection by an authorised inspector, representative trade union and any established health and safety committee or representative. If they employ more than 50 persons, an employer is also required to submit a record of their COVID-19 risk assessment to the Department of Employment and Labour and various information regarding COVID-19 screening and testing to the NIOH. Employees must be advised of any such submissions to the NIOH as well as the adherence to the Protection of Personal Information Act 4 of 2013. Every employer must take measures to screen workers when they report for work to ascertain whether they have any COVID-19 symptoms. Employers must also require their employees to disclose whether they have any health issues, comorbidities or conditions contemplated in the definition of vulnerable employees. Employers are required to notify the NIOH and the Compensation Commissioner if a worker has been diagnosed with COVID-19.”

Data sharing agreements and related documents are openly published

“Under South African law, a person must provide informed consent for all medical treatment, including diagnostics. This principle gives effect to the Constitutional right of everyone to bodily and psychological integrity, which includes the right to security in and control over their bodies. The National Health Act 61 of 2003 provides that a health service may not be provided to a user without the user’s informed consent. There are, however, certain exceptions including where a failure to treat the user, or a group of people which include the user, will result in serious risk to public health. A health provider must always take all reasonable steps to obtain the user’s informed consent. Every health care provider must inform a user of their health status (unless there is substantial evidence that such disclosure would be contrary to the best interests of the user), the range of diagnostic procedures and treatment options generally available to the user, the benefits and costs generally associated with each option, and the user’s right to refuse health services. Where possible, the health care provider must inform the user in a language that the user understands and in a manner which considers the user’s level of literacy.

Persons being tested for COVID-19 are informed in writing that COVID-19 cases are “Category 1 notifiable medical conditions.” Under South African law, category 1 notifiable medical conditions must be immediately reported by the most rapid means available upon diagnosis followed by a written or electronic notification to the Department of Health within 24 hours of diagnosis by health care providers, private health laboratories or public health laboratories. The ability of health care providers to seek informed consent may, however, be compromised by pandemic-mitigating measures such as lockdown and physical distancing policies, and by the nature of the patient’s illness. Taken together, there may be circumstances in which the consent that is sought is imperfect.

According to the guidance note issued by the Information Regulator of South Africa, it is not necessary to obtain consent from a data subject to process their personal information in the context of Covid-19 when processing complies with the obligation imposed by law on the responsible party, processing protects a legitimate interest of the data subject, processing is necessary for the proper performance of a public law duty by a public body or processing is necessary for pursuing the legitimate interests of a third party to whom the information is supplied. Parties which process personal information must, however, collect personal information of a data subject for a specific purpose, which in this context is to detect, contain and prevent the spread of Covid-19.

Data is also collected on a voluntary and opt-in basis through a range of digital interventions developed and deployed by government with private sector providers – including through the messaging platform known as CovidConnect and the Covid Alert Bluetooth-based app. In order to obtain the necessary consent from the user of the mobile device or computer, the terms and conditions of the electronic system or application must explain and request the user’s express consent regarding which information will be collected and stored via the electronic system or application, the means by which the information will be collected and stored, the purposes for which any information will be collected and used, the entities or persons to which that information will be transmitted, and under what conditions, whether the information will be kept on the user’s mobile device or a centralised server, the period for which the information will be retained, and the notice that will be given to users when the information has been destroyed. The National Department of Health may also receive, on a voluntary basis, information regarding members of the public from electronic systems or applications operated by private entities for inclusion in the COVID-19 Database subject to various requirements. Firstly, the information may only be received and used in order to guide appropriate responses in addressing, preventing and combatting the spread of COVID-19, including for the purposes of geospatial hotspot mapping. Secondly, the private entity concerned must have obtained the information concerned from users of mobile devices and computers on a voluntary and opt-in basis. Thirdly, the private entity concerned must have obtained the express consent of the user concerned to transmit the information to the National Department of Health for inclusion on the COVID-19 Database.”

Data ‘suppliers’ and other private sector actors are procured through open and competitive tender processes

“Section 217 of the Constitution provides that when any organ of state in the national, provincial or local sphere of government, or any other institution identified in national legislation, contracts for goods or services, it must do so in accordance with a system which is fair, equitable, transparent, competitive and cost-effective. Any public procurement that does not comply with these minimum requirements is unlawful and stands to be reviewed and set aside by a court under the principle of legality.

Government responded to the COVID-19 pandemic by redirecting resources to fund a R500 billion package for the health response and relief of social and economic distress caused by the pandemic. The South African Auditor-General undertook a real-time audit of 16 of the key Covid-19 initiatives introduced by government and the management of R147,41 billion of the funds that were made available. The Auditor-General has found that the rapid implementation of the COVID-19 initiatives in already compromised control environments created significant risks that most auditees were not able to address. Processes, criteria, needs and controls were not well considered and, in the haste of implementation, mistakes were made and opportunities were created for abuse. The Auditor-General concluded that there are clear signs of overpricing, unfair processes, potential fraud as well as supply chain management legislation being contravened.

In its most recent Special Report on the Financial Management of Government’s COVID-19 Initiatives, the Auditor-General found that the National Department of Health embarked on a project to make use of technology in an effort to strengthen covid-19 laboratory- and hospital-based reporting. At a cost of R18,9 million, with approximately R15 million paid to date, this included a surveillance and case management system intended to collate laboratory results from all private and public laboratories in the country, and to format and give the data to the Department for a period of six months from April 2020. The Department also sourced a service provider to assist with the mobile contact tracing once the laboratory information had been received, at a cost of R0,94 million per month for the duration of the declared pandemic. It is unclear whether this service provider won a competitive tender process.”

Government COVID-19 related data strategies and plans are made publicly available

Government COVID-19 strategies and plans are made publicly available on a central online resource and news portal. This includes various data related strategies.

Details of intra-governmental data sharing are made openly available and are subject to parliamentary, judicial and public scrutiny

“Parliament bears the responsibility to play an oversight role over the Executive and state organs ,and ensure that constitutional and statutory obligations are properly executed. This extends to intra-governmental data sharing agreements and practices.

Any decision by an organ of state regarding the sharing of data with another organ of state that is unlawful further stands to be reviewed and set aside by a court under the principle of legality which is an incident of the rule of law.

As set out in the Regulations issued by the Minister of Cooperative Governance and Traditional Affairs in terms of section 27 (2) of the Disaster Management Act 57 of 2002, the National Department of Health is required to maintain a national database in order to guide appropriate responses in addressing, preventing or combatting the spread of COVID­19, including contact tracing and geospatial hotspot mapping. The regulations regarding the sharing of data between organs of state are publicly available. Any member of the public may also request access to intra-state data sharing arrangements that are not in the public domain under the Promotion of Access to Information Act.

Section 32 of the South African Constitution further provides that everyone has the right of access to any information held by the state and any information that is held by another person and that is required for the exercise or protection of any rights. The Promotion of Access to Information Act 2 of 2000 has been enacted to give effect to this right. This Act sets out circumstances under which a requester would be entitled to information, which at times include the payment of a fee. A requester must be given access to information held by the State so long as the request complies with the procedures outlined in the Act and the record requested is not protected from disclosure by one of the exemptions set forth in the Act.”

Aggregated data and metadata are open to the public

Various government entities who control closed government datasets do not publish aggregated data. Beyond the sentinel hospital surveillance updates, there is also limited aggregated data and metadata regarding the data reported by employers to the NIOH.

Open source software and algorithms are used to analyse data

After an extensive desktop search of online information using search engines and public websites, only the limited information expressed in this row regarding the software or algorithms used to analyse data was found.

Data sharing agreements and related documents are openly published

The data sharing agreements between government and its partners regarding the CovidConnect platform and the Covid Alert Bluetooth-based app have not been published.

Details of intra-governmental data sharing are made openly available and are subject to parliamentary, judicial and public scrutiny

Despite enjoying significant oversight powers, Parliament has failed to scrutinise government’s data collection, sharing or management practices.