Government has issued a substantial rewrite of its controversial proposal to track people using their phones and other devices in the bid to contain Covid-19.

The new rules put basic transparency provisions in place, give oversight to a judge, and ensure that most data collected will be deleted within six weeks. Most important, they ensure the emergency measures don’t outlast the emergency.

As amaB’s earlier analysis shows, the first “directions” – issued last week by the minister of communications – raised serious concerns for their vagueness and lack of privacy protections. The intention may have been noble, but the net result was to hand wide and intrusive powers to the government to seize the sensitive digital data of any number of people, without oversight, judicial or otherwise.

New regulations issued by the minister for cooperative governance and traditional affairs on Thursday offer a revised contact tracing regime that addresses many of these criticisms. Running to three-and-a-half pages, the new regulations introduce welcome and much-needed oversight and safeguards that should strike a better balance for privacy.

Under the new system, the starting point is a “Covid-19 tracing database” intended to enable the tracing of people known to have been infected with Covid-19 as well as those with whom they have been in contact.

The types of information that will be held in the database are specified to include identifying information, locations and cellphone numbers, although the list is not closed. An important departure from last week’s directions is the new regulations’ express provision that the information contained in the tracing database is confidential and its use is confined to “addressing, preventing or combatting the spread of Covid-19”.

Restricting its use

Who gets the power to trace? Under the new regulation, the director-general of health is given exclusive authority to request locational information about any person known or believed to have Covid-19, and anyone they have or are reasonably suspected to have come into contact with – and again only for the purposes of contact tracing.

It may come as some relief that the security agencies who have sought to expand their spying powers in the past – the police and state security agency – are definitively cut out of this process.

Time limits and sunset clauses

The new regulations spell out clear time limits: first, all data that isn’t needed for contact tracing must be deleted within six weeks. Second, the data collection regulation itself has an expiry date: no request can be made about a person’s movements from before March 2020 (whether they have Covid-19 or not) and no data may be sought after the declared state of disaster lapses.

Putting it before a judge

Where is the oversight? The new track-and-trace regulations borrow from the “Rica” oversight system, by putting a retired judge in place to oversee the processes here. The “Covid-19 Designated Judge”, appointed by the minister of justice, will get a weekly report setting out the names and details of any person who is traced using this system. Thus, the regulations stop short of giving the judge final say in these decisions, but nonetheless provide oversight. The judge can also make recommendations to ministers on amending the regulations, including to further protect privacy.

You will be notified if tracked

One of the key grievances amaB has raised in our legal challenge to Rica, the Act that allows interception of communications in the ordinary course of events, is the lack of post-spying notification – meaning that anybody whose communications data is intercepted never finds out about it, which has allowed abuses of the system to go undetected. 

Remarkably, the new regulations provide that any person whose movements were traced in this system will be notified within six weeks of the end of the national state of disaster.

When the dust clears…

So what happens when the emergency passes?

The regulations provide that the tracing database – which contains any information that was needed to identify and locate those known or suspected of having contracted Covid-19 – must be stripped of any identifying information, and the de-identified data may only be used for public health research in future.

The Covid-19 designated judge must receive a report on the steps taken to do so, and can make directions on any steps that must be taken to protect the privacy of those whose information was collected.

Finally, the director-general of health and the designated judge must table their reports to Parliament.

Can we all rest easy now that the regulations have been so thoroughly revised? The short answer is no.

The new rules are no doubt an improvement, and credit is due to those officials who saw the need for tighter regulations and made it happen.

But proper implementation is vital. We’ll have to see how it all comes out of the oven. Key concerns include how securely the data will be stored, and whether de-identifying it at the end will really be an adequate safeguard – just ask Donald Trump, whose location the New York Times tracked in minutes by de-anonymising such data.

Make no mistake, this is highly sensitive data, wide open to abuse if in the wrong hands. In a time when the collective attention is spread thin, this is one issue we must hold in our gaze. DM

Thakur is amaBhungane’s incoming advocacy coordinator, succeeding Hunter, who acted in the position.