Apart from the devastating impact on lives around the globe, the COVID-19 pandemic has thrown many business operations in disarray. Unfortunately, South Africa is not immune to these events and the nationwide lockdown has created complex challenges for companies. In the midst of this, organisations should not allow privacy to slip out of focus. One can give attention to a number of issues in this time:
- Remain security alert. The lockdown has forced most employees to work from home. From a privacy perspective, this can create various challenges. One of the biggest risks relate to information security. Some employees might be working on their own computers and other devices. Companies should take steps to ensure that employees have sufficient anti-virus software installed in order to reduce the risk of cyber-crimes, including information theft. Employees should also be warned about the threats posed by insecure Wi-Fi. They need to keep their devices secure as well and guarded them against being accessed or stolen. The same care should apply in the case of paper-based information, such as files that contain personal information.
- Promote privacy awareness. One can use this time effectively to send privacy reminders and tips to employees in order to keep them focussed on privacy issues. Regular bite sized messages can be sent, dealing with issues ranging from phishing to social media dos and don’ts within a data protection context. This might also be a good occasion to provide some training on the Protection of Personal Information Act (POPI).
- Update policies. Companies should have external data protection notices as well as internal data protection policies. The COVID-19 pandemic has an influence on the information that companies collect and disclose. For this reason, companies should review their notices and policies to make sure that they cover the processing of information as a result of the pandemic, for example people’s health information. Now is also a good time to update HR policies aimed at matters such as using of IT systems and social media as well as personal devices.
- Processing COVID-19 related information. Although POPI is not yet in force, companies need to be familiar with the current laws that might apply when they collect or disclose information in the context of COVID-19. For example, companies might be asked to disclose employees’ health status to the government, or they may wish to obtain health information from their employees or persons who visit their premises.
- Work on POPI readiness. Some people might have more time available at the moment. This opportunity can be used to unpack POPI’s requirements and the implications for businesses. Virtual working groups can be formed to take on challenges and work on aligning operations and systems with POPI’s provisions. Although POPI is not in full force yet, the Information Regulator has released guidance on “the processing of personal information in the management and containment of COVID-19”. This can be used as practical direction on good practice when dealing with people’s personal information in the current circumstances.
It is unknown when the COVID-19 crisis will abate. However, it is clear that it has an impact on people’s livelihoods and rights. In particular, it affects people’s rights to privacy and the protection of their personal information. Consequently, businesses should make an effort to respect these rights and ensure that they take practical steps in order not to lose focus on these important issues.