Close Menu
TechCentralTechCentral

    Subscribe to the newsletter

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    Facebook X (Twitter) YouTube LinkedIn
    WhatsApp Facebook X (Twitter) LinkedIn YouTube
    TechCentralTechCentral
    • News

      Public money, private plans: MPs demand Post Office transparency

      13 June 2025

      Coal to cash: South Africa gets major boost for energy shift

      13 June 2025

      China is behind in AI chips – but for how much longer?

      13 June 2025

      Singapore soared – why can’t we? Lessons South Africa refuses to learn

      13 June 2025

      10 red flags for Apple investors

      13 June 2025
    • World

      Yahoo tries to make its mail service relevant again

      13 June 2025

      Qualcomm shows off new chip for AI smart glasses

      11 June 2025

      Trump tariffs to dim 2025 smartphone shipments

      4 June 2025

      Shrimp Jesus and the AI ad invasion

      4 June 2025

      Apple slams EU rules as ‘flawed and costly’ in major legal pushback

      2 June 2025
    • In-depth

      Grok promised bias-free chat. Then came the edits

      2 June 2025

      Digital fortress: We go inside JB5, Teraco’s giant new AI-ready data centre

      30 May 2025

      Sam Altman and Jony Ive’s big bet to out-Apple Apple

      22 May 2025

      South Africa unveils big state digital reform programme

      12 May 2025

      Is this the end of Google Search as we know it?

      12 May 2025
    • TCS

      TechCentral Nexus S0E1: Starlink, BEE and a new leader at Vodacom

      8 June 2025

      TCS+ | The future of mobile money, with MTN’s Kagiso Mothibi

      6 June 2025

      TCS+ | AI is more than hype: Workday execs unpack real human impact

      4 June 2025

      TCS | Sentiv, and the story behind the buyout of Altron Nexus

      3 June 2025

      TCS | Signal restored: Unpacking the Blue Label and Cell C turnaround

      28 May 2025
    • Opinion

      Beyond the box: why IT distribution depends on real partnerships

      2 June 2025

      South Africa’s next crisis? Being offline in an AI-driven world

      2 June 2025

      Digital giants boost South African news media – and get blamed for it

      29 May 2025

      Solar panic? The truth about SSEG, fines and municipal rules

      14 April 2025

      Data protection must be crypto industry’s top priority

      9 April 2025
    • Company Hubs
      • Africa Data Centres
      • AfriGIS
      • Altron Digital Business
      • Altron Document Solutions
      • Altron Group
      • Arctic Wolf
      • AvertITD
      • Braintree
      • CallMiner
      • CYBER1 Solutions
      • Digicloud Africa
      • Digimune
      • Domains.co.za
      • ESET
      • Euphoria Telecom
      • Incredible Business
      • iONLINE
      • Iris Network Systems
      • LSD Open
      • NEC XON
      • Network Platforms
      • Next DLP
      • Ovations
      • Paracon
      • Paratus
      • Q-KON
      • SkyWire
      • Solid8 Technologies
      • Telit Cinterion
      • Tenable
      • Vertiv
      • Videri Digital
      • Wipro
      • Workday
    • Sections
      • AI and machine learning
      • Banking
      • Broadcasting and Media
      • Cloud services
      • Contact centres and CX
      • Cryptocurrencies
      • Education and skills
      • Electronics and hardware
      • Energy and sustainability
      • Enterprise software
      • Fintech
      • Information security
      • Internet and connectivity
      • Internet of Things
      • Investment
      • IT services
      • Lifestyle
      • Motoring
      • Public sector
      • Retail and e-commerce
      • Science
      • SMEs and start-ups
      • Social media
      • Talent and leadership
      • Telecoms
    • Events
    • Advertise
    TechCentralTechCentral
    Home » In-depth » How worried should South Africans be about Covid-19 cellphone tracing?

    How worried should South Africans be about Covid-19 cellphone tracing?

    By The Conversation28 April 2020
    Twitter LinkedIn Facebook WhatsApp Email Telegram Copy Link
    News Alerts
    WhatsApp

    Tracking people infected with Covid-19 has become an important weapon in global responses to combating the virus. Using geolocation, mobile technology offers a simple solution for tracing people possibly exposed to Covid-19. With big data analytics there is the potential for tracking the pandemic’s spread, and employing analytics to forecast future patterns of contagion.

    But at what cost? These are exceptional times calling for extraordinary measures. But do they justify the wholesale sacrifice of our rights? Concerns loom large across the globe. More than 100 civil society signatories and intergovernmental organisations have already warned as much in a joint letter.

    The mobile phone industry is reportedly exploring the creation of a global data-sharing system that could track individuals around the world. For now, however, monitoring appears to be happening at national level.

    South Africa has joined several governments in passing regulations that allow the collection and storage of data from mobile companies

    South Africa has joined several governments in passing regulations that allow the collection and storage of data from mobile companies. It has also appointed a former constitutional court justice, Kate O’Regan, as the Covid-19 judge. Her job will be to oversee data collection for the country’s contact-tracing database led by the director-general of health, Dr Anban Pillay.

    The appointment of O’Regan indicates that the country is taking seriously concerns about the risks that monitoring can pose for human rights. Nevertheless, concerns remain about the ability of the judge (or parliament, which ultimately has oversight) to ensure that data, once collected, is not abused.

    Best practices

    A set of principles and best practices have emerged internationally to guide data collection in disaster conditions. These include that:

    • Measures are transparent and accountable;
    • The limitations of rights are proportional to the harms they are intended to prevent or limit;
    • Data collection is minimised and time constrained;
    • Data is retained for research or public-use purposes and unused personal data is destroyed;
    • Data is anonymised in such a way that individuals cannot be re-identified; and
    • Third-party sharing both within and outside of government is prevented.

    However, South Africa’s data protection framework is not yet in place. Large parts of the Protection of Personal Information Act have not yet come into force. The Office of the Information Regulator has been established. And three years ago advocate Pansy Tlakula was appointed chair. But key sections of the act are not in play. Thus, her powers to act are constrained.

    There is synchronicity, however, between the principles and requirements of the Covid-19 regulations, and the lawful data processing principles the act describes.

    The regulator has issued guidelines for the collection of data to manage and curb the spread of Covid-19. These guidelines are contained in the Disaster Management Act (regulations). And she has called for proactive compliance by responsible parties when processing personal information of data subjects who have been tested for, or are infected with, Covid-19.

    The guidelines confirm the powers of the state to conduct mass surveillance of both Covid-19 carriers, and potential carriers, through the sharing of data by mobile operators. They also include reference to some of the privacy touchstones in data collection, particularly when consent is not obtained.

    Amendments to the disaster management regulations empower the director-general of health to direct, without prior notice, an electronic communications service provider to provide him with information for the Covid-19 tracing database to facilitate Covid-19 monitoring.

    Big questions remain about the practical realities of ensuring that data remains secure, especially considering the department’s own tenuous history in this regard

    But these powers are circumscribed.

    The regulations allow for the collection of location data of any person (and their personal identifiers) reasonably suspected to have contracted Covid-19, or that may have come into contact with someone who has. The commencement date is 5 March 2020.

    The contents of the communication may not be intercepted by the director-general – or anyone else.

    The regulations state that the department of health will keep the information “confidential”. But big questions remain about the practical realities of ensuring that data remains secure, especially considering the department’s own tenuous history in relation to data protection.

    The regulations empower the director-general to instruct a mobile operator to provide the information mentioned. But the actual modalities of the data collection by the health department is less clear — particularly how the data is collected and transmitted to the database securely.

    Limited collection

    For instance, once a request for the data from an operator is made and provided to the director-general, who will receive the information to inform the contacts? Who will ensure they are tested?

    Importantly, the regulations limit the collection of data only to the purpose of addressing, preventing or combating the spread of Covid-19. The data collected may only be disclosed by authorised persons for this purpose.

    The director-general is required to file weekly reports stating the number, names and details of all persons whose location or movements were obtained to the designated judge. This will contribute to the oversight of collection. It will also go some way to constraining data collection to what’s strictly necessary.

    The duration of data collection is circumscribed and terminates with the end of the national state of disaster

    The duration of data collection is circumscribed and terminates with the end of the national state of disaster. And within six weeks of it lapsing, the director-general is required to file a report with the Covid-19 judge detailing steps taken to de-identify the data. This includes providing notifications to every person whose information was obtained.

    The regulations require that all information on the Covid-19 tracing database, which has not been de-identified, be destroyed once the state of disaster has ended. But de-identification is not defined. This is a major concern, given the very real possibility of re-identification with the use of other publicly available, or hacked, databases.

    These measures go some way to safeguarding South Africans’ individual rights while acting in the public interest to contain the virus.

    But the regulations could be improved by:

    • Requiring that data subjects be informed as soon as they are tracked, but no later than six weeks after the termination of the state of disaster;
    • Explicitly empowering the judge to appoint technical experts to assist her in reviewing the use of data. This could include helping to ensure its security;
    • Explicitly giving the judge access to the database and the data supplied by the cellular providers to verify reporting. This could also assist in monitoring security and other data processing protection measures;
    • Requiring immediate notification of all compromises of privacy or security of the data to the persons whose data is compromised; and
    • Clearly prescribing data processing standards that respect the principles set out in the act.The Conversation

    Written by Alison Gillwald, adjunct professor, Nelson Mandela School of Public Governance, University of Cape Town; Andrew Rens, senior research fellow, Research ICT Africa, American University; Anri van der Spuy, PhD researcher, London School of Economics and Political Science; and Gabriella Razzano, lawyer and researcher, London School of Economics and Political Science

    • This article is republished from The Conversation under a Creative Commons licence.


    Allison Gillwald Andrew Rens Kate O'Regan top
    Subscribe to TechCentral Subscribe to TechCentral
    Share. Facebook Twitter LinkedIn WhatsApp Telegram Email Copy Link
    Previous ArticleBackspace: ‘E-commerce’
    Next Article Telkom in intriguing move to open the copper local loop

    Related Posts

    18GW in unplanned breakdowns cripple Eskom

    2 November 2021

    Nersa kicks the Karpowership can down the road

    13 September 2021

    If you think South African load shedding is bad, try Zimbabwe’s

    13 September 2021
    Company News

    Huawei Watch Fit 4 Series: smarter sensors, sharper design, stronger performance

    13 June 2025

    Change Logic and BankservAfrica set new benchmark with PayShap roll-out

    13 June 2025

    SAPHILA 2025 – transcending with purpose, connection and AI-powered vision

    13 June 2025
    Opinion

    Beyond the box: why IT distribution depends on real partnerships

    2 June 2025

    South Africa’s next crisis? Being offline in an AI-driven world

    2 June 2025

    Digital giants boost South African news media – and get blamed for it

    29 May 2025

    Subscribe to Updates

    Get the best South African technology news and analysis delivered to your e-mail inbox every morning.

    © 2009 - 2025 NewsCentral Media

    Type above and press Enter to search. Press Esc to cancel.