Data Protection in Zimbabwe with Reference to the Covid-19 Pandemic and International Law
O Saki*
PER/PELJ- Pioneer in peer-reviewed, open access online law publications
Author Otto Saki
Affiliation University of Western Cape, South Africa
Email 4119180@myuwc.ac.za
Date Submitted 22 January 2024
Date Revised 17 April 2024
Date Accepted 17 April 2024
Date Published 11 December 2024
Guest Editor Prof BM Mupangavanhu
Journal Editor Prof C Rautenbach
How to cite this contribution
Saki O "Data Protection in Zimbabwe with Reference to the Covid-19 Pandemic and International Law" PER / PELJ 2024(27) - DOI http://dx.doi.org/10.17159/1727-3781/2024/v27i0a17744
Abstract
The coronavirus that caused the COVID-19 disease defied geographical boundaries, spreading faster than the measures to contain its transmission. The processing of personal health-related data became widespread as a measure to respond to the pandemic. This triggered new concerns about the possibility of there being a data crisis. Individuals suspected to be infected by COVID-19 were forced to undertake mandatory testing that involved the collection of health-related data. To limit the spread of the disease, the collection of personal data extended to secondary contacts. Personal health-related data are very prone to abuse, and this data included secondary data inconsistent with initial collection purposes. Admittedly, such risks are not new. Prior to the pandemic, health-related data were processed through electronic health (e-health) platforms. The health-related data processing methods during the pandemic were insufficient to meet the data protection principles of consent, transparency, purpose and storage, potentially violating the right to privacy. Globally, expectations are that countries should have data protection laws informed by established principles regulating the processing of personal data. While Zimbabwe had not enacted the Cyber and Data Protection Act (CDP Act), which lists some of the data principles, this paper relies on existing laws to determine whether Zimbabwe is still abiding by constitutional and international human rights standards in protecting personal data privacy. The paper examines the development of data principles and their application in Zimbabwe in respect of health-related data protection during the pandemic.
The paper 1) analyses the existing laws and their protection of personal health-related data; 2) explores the incorporation of data principles in COVID-19-related responses including in national laws as informed by international laws; and 3) highlights the gaps in both law and practice as they relate to the handling of personal health-related data in Zimbabwe during the pandemic. The paper concludes that even if the existing laws on data privacy were not comprehensive and even if the CDP Act came too late, the global regulations, the sectoral laws and other guidance accessible to Zimbabwe in responding to the pandemic would have sufficed to avert a data pandemic during the health pandemic and allowed Zimbabwe to be compliant with international data protection standards.
Keywords
COVID-19; pandemic; processing; data subject; privacy; sensitive personal data; health-related data; Zimbabwe.
1 Introduction
On the 17th of March 2020 Zimbabwe declared the COVID-19 pandemic a national disaster.
1
* Otto Saki. LLB Hons (Uni Zim) LLM Human Rights Law (Columbia University, USA) LLM Information Communication Technology Law (Open University, Tanzania) LLD Candidate, University of the Western Cape, South Africa. Email: otto.saki@caa.columbia.edu. ORCiD: https://orcid.org/0009-0002-8924-9365. 1 Statutory Instrument 76 of 2020: Civil Protection (Declaration of State of Disaster: Rural and Urban Areas of Zimbabwe) (COVID-19) Notice, 2020. 2 Section 27 of the Civil Protection Act, 1989 (Chapter 10:06). 3 Section 27(2) of the Civil Protection Act, 1989 (Chapter 10:06). 4 Statutory Instrument 77 of 2020: Public Health (COVID-19 Prevention, Containment and Treatment) Regulations, 2020.
Prior to the pandemic, medical institutions were implementing e-health solutions, which are cost-effective information and communication technologies deployed in support of health and health-related fields and which depend on the processing of health-related data.
5
5 Tsiko 2019 https://www.herald.co.zw/telemedicine-revolutionises-zim-healthcare. 6 PSMI 2020 https://www.psmi.co.zw/2020/06/08/192323/. 7 Ghersi, Mariño and Miralles 2018 BMC Medical Informatics and Decision Making 1-12.
For Zimbabwe, the paper identifies a major limitation in the use of e-health platforms as being the lack of data protection mechanisms and infrastructure.
8
8 Furusa and Coleman 2018 South African Journal of Information Management 1; Khumalo 2017 Library Philosophy and Practice 1-18.
processing in Zimbabwe during the pandemic and the consistent application of data processing principles, even before the Cyber and Data Protection Act (CDP Act) was gazetted. The paper undertakes an analysis of processing personal data during a health pandemic, informed by the evolution of data principles which are internationally accepted parameters for data processing. The paper proceeds to analyse three principles, namely those of consent, purpose limitation, and transparency, that were considerably impacted or waived during the pandemic. The paper explores the most relevant human rights instruments, national laws and comparative responses to the pandemic. It concludes with specific recommendations on the gaps in the law and in practice that require immediate attention to avert a data pandemic.
1.1 Re-defining personal data under COVID-19
The response to COVID-19 depended on the collection of personal data, which is any information that relates to an identified or identifiable natural person.
9
9 Amann v Switzerland ECHR App No 27798/95 (16 February 2000) para 65; s 1 of the Protection of Personal Information Act 4 of 2013 defines personal data to include an identifiable juristic person; Art 4 of the General Data Protection Regulation (2016) (GDPR). 10 EU Data Protection Working Party 2007 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf 4. 11 EU Data Protection Working Party 2005 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf 8. 12 These three elements (content, purpose and result) must be considered alternative conditions, not cumulative ones. See EU Data Protection Working Party 2007 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf 10-11.
Zimbabwe passed its data protection law on 3 December 2021. The Zimbabwe CDP Act
13
13 Cyber and Data Protection Act, 2021 (Chapter 12:07) (CDP Act). 14 Section 3 of the CDP Act. 15 Section 3 of the CDP Act.
disclosure. This categoric statement is not oblivious of the difficulties in defining what constitutes sensitive data, due to contextual factors.
16
16 Lloyd Information Technology Law 44; OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), as revised in 2013 (OECD Guidelines) Explanatory Memorandum 19. 17 Report of the Special Rapporteur on the Right to Privacy, Joseph A Cannataci UN Doc A/76/220 (2021). 18 Recital 51 of the GDPR. This is why the general position on sensitive personal data is first to prohibit processing, then to approve it based on exceptions under Art 9(1) of the GDPR.
Human rights courts have observed that individuals are generally reluctant to provide their health-related data for fear of stigma and discrimination.
19
19 Z v Finland 1997 ECHR 10 para 96. 20 Chipendo et al 2022 Pan African Medical Journal 2. 21 This was done manually with basic thermometers, infrared temperature readings or mobile applications such as Quick Response (QR) codes or bar codes used to check in to venues, hospitals and public places. 22 Article 9(3) of the GDPR; the processing of health data for medical purposes under Art 9(2)(h) must be done by a professional who is bound by professional confidentiality. 23 As the pandemic was first recorded in China, Chinese nationals, foreigners and travelers were perceived as vectors.
2 Evolution and implementation of data principles
Data protection principles emerged in the USA as the Code of Fair Information Practices in Health, Education and Welfare report of 1973.
24
24 USA Department of Health 1973 https://aspe.hhs.gov/reports/records-computers-rights-citizens.
the time the US government was grappling with the proliferation of public and private databases containing important personal data including sensitive health data. The report disclosed that some health datasets had "50 million characters of data, or approximately 3,500 characters per patient-record."
25
25 USA Department of Health 1973 https://aspe.hhs.gov/reports/records-computers-rights-citizens. US medical facilities had databases containing administrative information on patients, the statistical reporting of ailments, lists of high-risk groups needing special attention, and records of medical tests.
The Code of Fair Information Practices listed five principles of data processing. The first principle challenged the secrecy of personal data record-keeping systems. While for individuals secrecy constitutes an element of informational privacy, for public and private databases secrecy does not amount to maintaining privacy.
26
26 Solove 2002 CLR 1087. 27 Mokrosinska 2020 Critical Review of International Social and Political Philosophy 415. 28 The USA already had a Freedom of Information Act passed in 1966. 29 Esayas 2017 IJLIT 139. 30 Section 16(1) of the Protection of Personal Information Act 4 of 2013; Art 5(1)(d) of the GDPR. 31 S and Marper v United Kingdom 2008 ECHR 1581 para 103. 32 USA Department of Health 1973 https://aspe.hhs.gov/reports/records-computers-rights-citizens. 33 Hoofnagle 2014 https://ssrn.com/abstract=2466418.
insufficient to protect privacy as re-identification through the mixing of data sets and computational analysis increased.
34
34 Rocher, Hendrickx and De Montjoye 2019 Nature Communications 1-9.
In 1980 the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data incorporating fair information practices were adopted.
35
35 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980). 36 Article 5(2) of the GDPR provides that "the controller shall be responsible for and be able to demonstrate compliance with paragraph 1 [art 5(1)(a)-(f) which lists the 6 principles on data processing]." 37 OECD Guidelines para 19(a)-(e). 38 OECD Guidelines para 2; Kirby 2011 IDPL 7, 10; Alunge "Consolidating the Right to Data Protection" 192-207.
The limitations of fair information practices necessitated their coding into principles of enforceable treaty provisions. The Council of Europe (CoE) introduced the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108), which entered into force in 1981. Convention 108 is the first global instrument on data protection for CoE members and non-members.
39
39 The Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data (1981) (Convention 108). Some of the non-Council of Europe members include Argentina, Cabo Verde, Mauritius, Mexico, Morocco, Russian Federation, Senegal, Tunisia and Uruguay. Convention 108 was amended by the Protocol Amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (2018) (Convention 108+). 40 Council of Europe Committee of Ministers Resolution (73) 22 on the Protection of the Privacy of Individuals vis-a-vis Electronic Data Banks in the Private Sector (1973), adopted by the Committee of Ministers on 26 September 1973 at the 224th meeting of the Ministers' Deputies. 41 Council of Europe Committee of Ministers Resolution (74) 29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector (1974), adopted by the Committee of Ministers on 20 September 1974 at the 236th meeting of the Ministers' Deputies.
Convention 108, which was geared towards advancing the compatibility of national laws and practices among CoE states.
42
42 Council of Europe Committee of Ministers Recommendation 509 (1968) Assembly Debate on 31 January 1968. 43 Greenleaf 2012 IDPL 68. 44 Article 10 of Convention 108+. 45 Braman 2011 New Media & Society 798.
In 1995 the European Union (EU) adopted a data directive expanding on the data protection principles for member states.
46
46 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data OJ L 281/31 (1995). 47 Chen 2016 IDPL 315. 48 Lloyd Information Technology Law 37. 49 Chen 2016 IDPL 314 lists several opening clauses in the GDPR which give Member States wide discretion. 50 Treaties allow for reservations. See Art 2(1)(d) of the Vienna Convention on the Law of Treaties (1969). 51 Waltraut 2014 IDPL 274. 52 Article 5(1)-(2) of the GDPR. 53 Greenleaf 2021 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3836348 3-5.
Data protection and privacy are a priority for Africa despite the absence of a specific right to privacy in the African Charter on Human and Peoples' Rights (the Charter).
54
54 The African Charter on Human and Peoples' Rights (1981) has no specific provision on privacy; but this can be read into the Charter through Art 60 of the Charter and principle 40(1) of the African Commission on Human and Peoples' Rights Declaration of Principles on Freedom of Expression and Access to Information (2019), which provides: "everyone has the right to privacy, including the confidentiality of their communications and the protection of their personal information." Zimbabwe ratified the Charter. The African Charter on the Rights and Welfare of the Child (1990) protects the right to privacy of the child in Art 10, and Zimbabwe is a state party. 55 African Union Convention on Cyber Security and Personal Data Protection (2014) (the Malabo Convention). 56 Article 14 of the Malabo Convention. 57 Articles 9-23 of the Malabo Convention.
The GDPR, the CoE Convention 108+ and the Malabo Convention are the binding instruments on data protection incorporating the data principles essential in data protection. The OECD Guidelines are equally persuasive for member states from an economic perspective. Zimbabwe is not a signatory to the Malabo Convention, and neither has it been invited to join the CoE Convention 108+. The OECD Guidelines and GDPR are relevant from an economic perspective, with the GDPR being more frequently referenced in national laws. This is the proverbial "Brussels effect".
58
58 Bradford 2012 North Western University Law Review 1.
2.1 The making and implementation of data principles in Zimbabwe
Zimbabwe adopted a data protection law in 2021, after years of deliberation.
59
59 The first public move in this direction was recorded during the attempt at the Harmonisation of ICT Policies in Sub-Saharan Africa (HIPSSA) supported by the International Communication Union, European Union, and the African Union. A mission to Zimbabwe for the transposition of the Southern African Development Community (SADC) Cybersecurity Model Laws took place from 15-19 July 2013.
law, but a few aspects are relevant.
60
60 This is the subject of the author's PhD thesis on data protection in Zimbabwe, in which ch. 5 specifically examines these issues. Part of this analysis is reflected in that chapter. 61 European Data Protection Board 2020 https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.
to increase cyber security in order to build confidence and trust in the secure use of information and communication technologies by data controllers, their representatives and data subjects.
62
62 Section 2 of the CDP Act.
This statement of the objective of a data protection law cannot begin with the need to increase cyber security in the interest of the security of the state. This assumes that cybersecurity improves data protection, yet cyber security is only one element of data protection. An earlier version of the Act was the Data Protection Act, which had its title and objective changed in the Cyber and Data Protection Act.
63
63 The Act was gazetted on 3 December 2021 and re-gazetted with the correct title and chapter number on 11 March 2022 by GN 492/2022. 64 Section 2 of the CDP Act.
The difference between "increase[ing] cyber security" and "increase[ing] data protection" appears to be minor, whereas it is in fact essential. For example, the Act gives wide powers to the Minister responsible for the Cyber Security and Monitoring Centre, and the Minister for Information "may give directions" on the implementation of the provisions relative to the processing of sensitive information affecting national security or the interests of the state.
65
65 Section 11(4) of the CDP Act. 66 Section 5 of the CDP Act. 67 The Postal and Telecommunications Act, 2000 (Chapter 12:05) constitutes the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ). Although the CDP Act says that POTRAZ is independent of directions from anyone, provisions of the Postal and Telecommunications Act give wide powers to the Minister, such as s 25 on directives on national interests, or conditions of service determined by the President under s 7.
2.2 Consent
The processing of personal data under the Zimbabwe CDP Act must take place when there is consent. This applies to both sensitive and non-sensitive data.
68
68 Sections 10 and 11 of the CDP Act. 69 Section 3 of the CDP Act.
There are four conditions of consent that must be satisfied.
70
70 Article 7(1)-7(4) of the GDPR, as well as Recital 32, 33, 42, and 43. 71 Schermer, Custers and Van der Hof 2014 Ethics Information and Technology 175. 72 Schermer, Custers and Van der Hof 2014 Ethics Information and Technology 174-175.
Consent is the basic authorisation for a data controller to process the data subject’s personal information. Hurd talks of the moral magic of consent in transforming rights and obligations.
73
73 Hurd 1996 Legal Theory 121.
of consent. Consent is how legal acts are constituted.
74
74 Schermer, Custers and Van der Hof 2014 Ethics Information and Technology 171.
The CDP Act prohibits the processing of sensitive data unless consent is provided, and other exceptions apply.
75
75 CDP Act s 11(1): written consent to process sensitive personal data; s 12(1): the processing of genetic data, biometric data and health data is prohibited unless the data subject has given written consent for the processing thereof. 76 Section 12(3)(c) of the CDP Act. 77 Section 12(3)(j) of the CDP Act. 78 Also see Art 9(1) of the GDPR. 79 Schermer, Custers and Van der Hof 2014 Ethics Information and Technology 175 note that high-risk categories data subjects need to take a more active and affirmative decision. 80 Section 13(e) of the CDP Act requires that a valid explanation is given for the collection of personal data. 81 Article 8 of the GDPR has specific protection requirements for children as they are less aware of the risks of processing personal data. 82 Dove and Chen 2020 IDPL 117. 83 Public Health Act 11 of 2018 (PHA).
2.3 Purpose and storage limitation
Having observed the limits of consent, the data controller must comply with other data principles. In that context, the purpose of the data processing becomes pertinent.
84
84 Koops 2021 Law, Innovation and Technology 29.
data is collected for specified, explicit and legitimate purposes and, taking into account all relevant factors, especially the reasonable expectations of the data subject and the applicable legal and regulatory provisions, that the data is not further processed in a way incompatible with such purposes.
85
85 Section 13(c)-(d) of the CDP Act repeats this provision but as a duty of the data controller or processor.
This provision cannot be faulted; however, it must be bolstered by practice directives to data controllers as specific codes of conduct under the CDP Act.
86
86 Section 30 of the CDP Act provides for the adoption of codes of conduct in certain categories of data controllers. This provision supplements s 12(5), which allows the data protection authority to specify conditions for processing sensitive personal data. 87 Section 9(2) of the CDP Act. 88 See the section below on how electoral voters rolls in the custody of a constitutional body were used in a campaign by the ruling party.
processing of data concerning health for reasons of public interest should not result in personal data being processed for other purposes by third parties such as employers or insurance and banking companies.
89
89 Recital 54 of the GDPR.
If personal data is to be used for a specific purpose, it must be relevant, adequate and accurate. This principle is reflected in the CDP Act in section 7(1)(a), on the quality of data, and in section 13(d), on the duty of the controller and data processor. Certainly, data controllers have duties and responsibilities, and describing this as a duty might have been designed to repackage the principle as an enforceable rule rather than an aspirational standard. During the response to the COVID pandemic the principle was violated in several instances, as governments generally and Zimbabwe in particular collected information which was not relevant. Collecting irrelevant information constitutes a violation of privacy, as that information will not meet the purpose that it was designed to address. The word “relevant” when applied to personal data means no more than what is necessary to achieve an objective. For instance, the unlabelled data forms which were deployed during the pandemic at Zimbabwe international airports required travellers to provide information on their social relationships, their family members, and their hair and eye colours, which added very little to the effectiveness of the pandemic response.
90
90 The copy had no official stamp or indication of which department was responsible for the collected information. The forms were titled "Data Forms". There was a separate form from the Ministry of Health. 91 Report of the Special Rapporteur on the Right to Privacy, Joseph A Cannataci UN Doc A/76/220 (2021) para 54 commenting on South Korea COVID-19 contact tracing applications. The UN Special Rapporteur on Privacy noted that "it would be less useful to disclose the personal profile of the confirmed person and their social relationships, such as family or acquaintances."
The storage of personal data is a thorny issue, as databases and data warehouses are viable businesses.
92
92 Blume 2004 Scand Stud L 306. Blume observes that the possession of personal data is more than an economic asset, but is probably a necessity for most corporations capable of trading on the internet. 93 Zwitter and Gstrein 2020 Journal of International Humanitarian Action 4. 94 Mungadze 2020 https://www.itweb.co.za/content/rW1xLv59YPGvRk6m. 95 Section 19 of the CDP Act requires a data controller to notify the Authority of a data breach within 24 hours of its occurrence. 96 Statutory Instrument 102 of 2023: Public Health (COVID-19 Prevention, Containment and Treatment) (National Lockdown) (No 22) (Amendment) Order, 2023 (No 44).
its disaster management team gave directives on data management post the pandemic.
97
97 Regulation 11H of the South African Regulations Issued in terms of Section 27(2) of the Disaster Management Act 57 of 2002 (GN 318 in GG 43107 of 18 March 2020, as amended) (the COVID-19 Regulations).
The CDP Act provides that data controllers shall ensure that data processed is "retained in a form that allows for the identification of data subjects, for no longer than necessary with a view to the purposes for which the data is collected or further processed."
98
98 Section 7(1)(c) of the CDP Act. Any further processing must be compatible with the initial purposes unless it is for scientific, statistical or historical purposes as provided under s 9(2) of the CDP Act. 99 Regulation 11H(17) of the South African COVID-19 Regulations. The information collected, if intended for other uses, must be de-identified, and all un-de-identified information must be destroyed within six weeks of the lapsing of a declaration of disaster. 100 Zimbabwe has data centres whose locations are not publicly disclosed: Murwira 2021 https://www.herald.co.zw/new-dawn-for-zim-as-president-launches-data-centre-to-anchor-govt-operations. 101 Section 14(b) of the CDP Act. 102 Once certified, health-related data may be archived for scientific, historical or medical research purposes, provided that personal identifiers are safeguarded.
2.4 Transparency
Transparency is an overarching data principle evident throughout the data life cycle.
103
103 Article 5(1)(a) of the GDPR; OECD Guidelines para 14, Accountability principle: "A data controller should be accountable for complying with measures which give effect to the principles stated above." 104 The data forms handed out in Zimbabwe airports do not specify who the data controller is. The forms are titled "Data Forms".
controllers must inform the data subjects of their identities and habitual residences. The Zimbabwe CDP Act has similar provisions.
105
105 Sections 15 and 16 of the CDP Act.
The data controller must provide concise information in plain language on what data is being processed.
106
106 Article 12(1) of the GDPR. 107 Mhazo and Maponga 2022 BMJ Global Health 7. 108 Recital 58 of the GDPR. Also see Deliberation of the Restricted Committee No SAN-2020-012 of 7 December 2020 Concerning the Companies Google LLC and Google Ireland Limited (CNIL - French Data Protection Agency). 109 Article 12(7) of the GDPR, as well as Recital 58. 110 Recital 89 of the GDPR abolishes general notification obligations. 111 Section 15 of Freedom of Information Act 1 of 2020. Individuals are allowed access to medical health records.
3 Human rights frameworks and the pandemic
There are a number of human rights instruments and positions taken by treaty bodies that are relevant for this consideration. First is the United Nations' International Covenant on Civil and Political Rights (ICCPR).
112
112 International Covenant on Civil and Political Rights (1966) (ICCPR).
rights can be limited.
113
113 Article 4 of the ICCPR. 114 Articles 6, 7, 8(1) and (2), 11, 15, 16 and 18 of the ICCPR are non-derogable. 115 Ratified on 13 May 1991. 116 Section 326 of the Constitution of Zimbabwe Act 1 of 2013 (the Constitution) provides for the application of customary international laws applicable without domestication.
An international treaty which has been concluded or executed by the President or under the President's authority (a) does not bind Zimbabwe until it has been approved by Parliament; and (b) does not form part of the law of Zimbabwe unless it has been incorporated into the law through an Act of Parliament.
Section 34 of the Constitution of Zimbabwe provides that "the State must ensure that all international conventions, treaties and agreements to which Zimbabwe is a party are incorporated into domestic law." In addition, section 46 of the Constitution requires that when interpreting the Declaration of Rights, courts and tribunals "must take into account international law and all treaties and conventions to which Zimbabwe is a party." If there is no domestication, courts must refer to the treaty, as ratification even without domestication creates obligations.
117
117 Tuovinen 2013 CCR 435. 118 There are court decisions that reaffirm the domestication of international law and its application. See, for instance, the case of Jestina Mukoko v Attorney-General (SC 11/12 Const Application No 36/09) [2012] ZWSC 11 (19 March 2012), which references the absolute prohibition of torture under international law and the Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (1984) (CAT), despite the fact that Zimbabwe is not a state party to CAT. Only Zimbabwe and Tanzania are not CAT members as of 21 February 2023.
In addition to specific treaty provisions, the ICCPR Human Rights Committee issues general comments. The general comment on the right to privacy recommends that states store information for known purposes.
119
119 Human Rights Committee 1988 https://www.refworld.org/legal/general/hrc/1988/en/27539 (General Comment 16). 120 UN 2020 https://www.ohchr.org/Documents/HRBodies/SP/COVID19_and_SP_28_April_2020.pdf.
mass data collection defies a known purpose, is unnecessary and disproportionate. Further, the general comment requires that data subjects must control their files and must have the ability to ascertain the nature of the information stored by public and private authorities, including the ability to rectify or eliminate it.
121
121 General Comment 16 para 10. 122 General Comment 16 paras 8, 10. 123 General Comment 16 para 8. 124 UN 2020 https://unsdg.un.org/sites/default/files/2020-04/COVID-19-and-Human-Rights.pdf.
The second relevant instrument is the African Charter.
125
125 African Charter on Human and Peoples' Rights (1981) (the Charter). 126 30 May 1986. 127 Makulilo 2016 Beijing Law Review 198. 128 Dersso 2006 AHRLJ 333. 129 Makulilo 2016 Beijing Law Review 199 reiterates that Arts 2 to 17 of the Charter specifically incorporate individual rights as each of these provisions starts with "every individual". 130 Articles 4 and 5 of the Charter. 131 Neethling 2005 SALJ 23-24. 132 Legal Resources Foundation v Zambia 2001 AHRLR 84. 133 A living instrument interpretation rule incorporates the changing present-day environment and context without resulting in an absurd interpretation advancing a rights dispensation. It was deployed in the European Court of Human Rights case of Tyrer v United Kingdom 1978 2 EHRR 1.
nothing stopping the Commission from reading privacy into the Charter, as has been done with other "missing rights."
134
134 Singh and Power 2019 African Human Rights Yearbook 202. 135 Articles 60 and 61 of the Charter allow the African Commission on Human and Peoples' Rights to use other international law sources.
The dignity, integrity and privacy of data subjects have been affected by the reaction to pandemics in Africa. For instance, the HIV and AIDS pandemic triggered mandatory testing resulting in the unauthorised disclosure of health-related data, violating privacy rights and increasing stigma.
136
136 Gumedze 2004 AHRLJ 181. 137 OHCHR and UNAIDS International Guidelines para 105. 138 Resolution on Human and Peoples' Rights as Central Pillar of Successful Response to COVID-19 and Recovery from Its Socio-Political Impacts AU Doc ACHPR/Res 449 (LXVI) (2020). 139 Resolution on Human and Peoples' Rights as Central Pillar of Successful Response to COVID-19 and Recovery from Its Socio-Political Impacts AU Doc ACHPR/Res 449 (LXVI) (2020) para 1(h).
The last and most relevant instrument is the WHO's International Health Regulations (IHR).
140
140 Articles 21(a) and 22 of the Constitution of the World Health Organization (1946) confer authority on the World Health Assembly to adopt regulations for containing the international spread of a disease. 141 Articles 19, 20, 23 of the International Health Regulations (2005) (IHR). 142 Article 3 of the IHR. 143 UN institutions have separate data processing principles. The UN, as the maker of norms, has issued guidelines to member states that are unenforceable, let alone persuasive.
among others.
144
144 Articles 45(1), 45(2) and 45(3) of the IHR. 145 WHO Report of the Review Committee on the Functioning of the International Health Regulations (2005) during the COVID-19 Response WHO Doc A74/9 Add.1 (2021). 146 Zimbabwe is a state party to the IHR and the provisions are incorporated in the PHA.
4 Analysing the public health laws
Since the CDP Act entered into force after the pandemic, this section explores the existing laws and the extent of the protection of sensitive health data, especially the PHA, that govern public health responses. The Constitution of Zimbabwe as the supreme law
147
147 Section 2 of the Constitution. 148 Sections 76, 51 and 57 of the Constitution. 149 Sections 29 and 76 of the Constitution. 150 Emergency Care Systems for Universal Health Coverage: Ensuring Timely Care for the Acutely Ill and Injured. Report by the Director-General WHO Doc A72/31 (2019). 151 The Zimbabwean Constitution mirrors those of South Africa and Kenya, but the specific addition of health conditions is unique to Zimbabwe. The Constitution of Kenya, 2010 s 31(c) has an addition: "information relating to their family or private affairs unnecessarily required or revealed". 152 Section 51 of the Constitution on the right to human dignity states that "every person has inherent dignity in their private and public life, and the right to have that dignity respected and protected."
after the declaration of the pandemic, compliance with the provisions of the Constitution was required.
The COVID-19 emergency laws compelled compulsory testing,
153
153 Section 6 of Statutory Instrument 77 of 2020: Public Health (COVID-19 Prevention, Containment and Treatment) Regulations, 2020 provides for compulsory testing if one is suspected of having COVID-19. 154 Section 6 of Statutory Instrument 77 of 2020: Public Health (COVID-19 Prevention, Containment and Treatment) Regulations, 2020. 155 UN General Assembly, Special Rapporteur on the Right of Everyone to the Enjoyment of the Highest Attainable Standard of Physical and Mental Health UN Doc A/HRC/22/53 (2013) paras 28-29. 156 Tschider 2019 Washington University Law Review 1505. 157 McQuoid-Mason 2020 SAMJ 461. 158 Section 12(4) of the CDP Act. 159 Mhlanga 2020 https://www.newsday.co.zw/2020/11/military-nurses-take-over-hospitals/. 160 Section 12(7) of the CDP Act provides that "For the purposes of processing personal information under this section, the health professional and his or her agents are subject to the duty of professional secrecy." This section is similar to Art 9(3) of the GDPR. The processing of health data for medical purposes under Art 9(2)(h) must be done by a professional who is bound by professional confidentiality.
The Constitution allows for the limiting of rights under various circumstances including public health emergencies, a circumstance which COVID-19 satisfied.
161
161 Section 86 of the Constitution. 162 Section 86(2)(b) of the Constitution. 163 Makwaiba 2021 AHRLJ 311. 164 Makwaiba 2021 AHRLJ 315, 318, 319.
To limit these rights in the service of greater public welfare, Zimbabwe invoked PHA section 68, declaring COVID-19 a formidable epidemic disease. The limitations were part of the PHSMs, which according to the PHA must be guided by respect for human rights and international public health commitments.
165
165 Sections 31(1)(a) and 31(1)(j) of the PHA. 166 Zimbabwe Human Rights NGO Forum 180 Days of What? 10. 167 Section 35 of the PHA; also see s 7(1)(d) of the South African National Health Act 61 of 2003. It details the circumstances in which treatment may be administered without the consent of the patient, including a case where failure to treat the patient (or group of patients) would lead to a serious public health or safety risk. This was litigated in Minister of Health v Goliath 2009 2 SA 248 (C). 168 Section 30 of the PHA.
Due to the PHA provisions, excessive health-related data processing is inevitable through community medical surveillance. The PHA requires every individual who suspects or comes into contact with a suspected patient or case of a formidable disease to notify the district medical officer.
169
169 Section 65 of the PHA. 170 Section 4(1) of the CDP Act fails to insist on the superiority of this Act and that any other laws, such as the PHA, must subsist below it unless the PHA provides better protection, which it does not.
While the PHA anchors the surveillance by the medical community, the infamous Interception of Communications Act regulates surveillance generally in Zimbabwe.
171
171 Interception of Communications Act 6 of 2007 (Chapter 11:20). 172 Statutory Instrument 95 of 2021: Postal and Telecommunications (Telecommunications Traffic Monitoring System) Regulations, 2021. 173 Metadata refers to all the information associated with a communication, apart from the actual substance of the communication. 174 Section 8 of Statutory Instrument 95 of 2021: Postal and Telecommunications (Telecommunications Traffic Monitoring System) Regulations, 2021. The Postal and Telecommunications Regulatory Authority (POTRAZ), established under the Postal and Telecommunications Act, 2000 (Chapter 12:05), mandated compulsory registration of subscriber identity modules (SIMs) and the establishment of a database. 175 Mhlanga 2018 https://www.newsday.co.zw/2018/07/zanu-pf-breaks-into-zec-database/. 176 The Minister issues warrants of interception in terms of s 6 and the warrants are reviewed by the Attorney General annually in terms of s 19 of the Interception of Communications Act 6 of 2007 (Chapter 11:20).
privacy impact assessments of these databases were conducted,
177
177 Sections 2 and 10(2) of Statutory Instrument 95 of 2014: Postal and Telecommunications (Subscriber) Regulations, 2014 provide for a private impact form and define it as a form which evaluates the entire project from a privacy perspective and identifies risks and mitigation strategies throughout. The form is not publicly provided in the Statutory Instrument. 178 Catt v ACPO 2012 EWHC 1471 44.
5 Digital surveillance and the pandemic
Admittedly, the medical surveillance infrastructure is premised on the WHO global health architecture.
179
179 French 2009 Surveillance & Society 101. 180 Article 1 of the IHR. 181 Independent Panel 2021 https://theindependentpanel.org/wp-content/uploads/2021/05/COVID-19-Make-it-the-Last-Pandemic_final.pdf. 182 Klaaren et al 2020 SAMJ 617. 183 Baraniuk 2020 BMJ 1-3. 184 Borra "COVID-19 Apps" 11-17.
To augment the manual training systems, Zimbabwe designed and implemented a digital contact tracing application.
185
185 Moyo-Ndlovu 2021 https://www.herald.co.zw/health-ministry-launches-covid-19-app/. Most of the application's functions are not fully described on either the Google or Apple store, which raises the question of how much of their functionality meets the required data protection standards. 186 Dencroft date unknown https://dencroft.com/zimcovid-safe-app-policy.
policy states that "all data collected or shared (with you) is completely managed and stored by ministry of health."
First, there are limitations to the privacy policy. It does not indicate the type of data collected by the Health Ministry. In addition, the PHA and the various COVID statutory instruments are silent on how the collected sensitive personal health data will be used, stored and/or destroyed by the data controller, the Health Ministry. The application requests minimal personal information on registration, such as a mobile number.
187
187 The reference to the collection of personal data "including but not limited to phone number" is purportedly for the better application user experience, and that information is retained by the Health Ministry. Dencroft date unknown https://dencroft.com/zimcovid-safe-app-policy. 188 Mhlanga 2018 https://www.newsday.co.zw/2018/07/zanu-pf-breaks-into-zec-database/. 189 An urgent application was brought by Sikhumbuzo Mpofu against Econet Wireless network for unsolicited public notices on COVID-19, which Mr Mpofu alleged were violating his rights, including his right to privacy. 190 ZimCovidSafe Mobile Application Security Assessment Report (10 September 2021) (on file with the author). The assessment was conducted by a certified digital security expert.
Thirdly, the application’s privacy policy removes data processor liability for data security and the integrity of the information. The data processor, Dencroft, is immunised, no pun intended. The privacy policy fails to indicate how the data controller, being the Health Ministry, is using technical and organisational measures to secure data confidentiality as required under section 39 of the PHA and in terms of section 18 of the CDP Act. While the use of digital contact tracing and techno-based solutions was touted as a solution to the pandemic,
191
191 One example of success in using technological solutions is Taiwan, with a high digital connectivity rate and the use of mobile devices that allow cellular location tracking as an effective means to enforce quarantine. See Eigen, Wang and Gasser 2020 https://cyber.harvard.edu/story/2020-07/country-spotlight-taiwans-digital-quarantine-system.
6 Comparative pandemic responses
South Africa's Constitution and jurisprudence have contributed to the development of Zimbabwe's legal system. Despite their shared legal histories, South Africa has progressed in terms of health-related data protection. South Africa spent more than a decade developing the Protection of Personal Information Act 4 of 2013.
192
192 The South African Law Reform Commission considered the inclusion of a discussion on privacy and data protection on 17 November 2000. SALRC Discussion Paper 109 1. 193 The SADC Model Law on Data Protection (2013) was the product of support under HIPSSA to review its laws and follow a model law on data protection. 194 IR 2020 https://documentportal.george.gov.za/storage/level-five-covid-documents/August2020/qeyctYy1dBMmLgVwI1c5.pdf.
Although laws regulating the COVID-19 public health emergency are temporary, data protection mechanisms for health-related data need not be temporary. At the very least, a sector-specific data protection authority or a national data protection authority must be put in place.
195
195 In the absence of a national data protection law, a sectoral law will suffice; for instance, the Health Ministry becomes the data controller and manager for all COVID-19-related data as the PHA provides for data protection. 196 Section 39 of the Protection of Personal Information Act 4 of 2013: establishment of the Information Regulator (IR); s 41: appointment of the IR under the Protection of Personal Information Act 4 of 2013. 197 POTRAZ is established under s 3 of the Postal and Telecommunications Act, 2000 (Chapter 12:05). 198 Cybersecurity and Data Protection Bill (undated layman draft) ss 5-6 on the Cybersecurity Centre; ss 7-8 on designation as Data Protection Authority. 199 Sections 40(1)(b)(iv), 41(2) and 41(6) of the Protection of Personal Information Act 4 of 2013. 200 Section 25 of the Postal and Telecommunications Act, 2000 (Chapter 12:05): the Minister may give policy directions; s 26: the Minister may direct the Board to reverse, suspend or rescind its decisions or actions. 201 For instance, the revenue for POTRAZ operations comes from MNOs' fees; and it is common knowledge that MNOs are among the largest data controllers. 202 See Arts 11(1)(b) and 11(1)(6) of the Malabo Convention. Zimbabwe has not ratified the Malabo Convention.
Of equal importance is the oversight of surveillance. Zimbabwe and South Africa's histories are replete with cases of unlawful surveillance.
203
203 Kwet "Surveillance in South Africa" 98. 204 MISA Zimbabwe 2019 https://www.ohchr.org/sites/default/files/Documents/Issues/Opinion/Surveillance/MISA_ZIMBABWE.pdf. 205 Law Society of Zimbabwe v Minister of Transport and Communications (unreported) case number SC 59/03 of 2 March 2004. The court stated that "similar legislation in other jurisdictions provides or is required to provide, for prior scrutiny, independent supervision of the exercise of such powers and effective remedies for possible abuse of the powers. The Act provides for no such safeguards." 206 Zimbabwe's Parliament Committee System does not include an intelligence and oversight committee, as in South Africa. 207 Regulation 11H(14) of the South African COVID-19 Regulations.
7 Conclusion
As unprecedented as it has been, the pandemic has surfaced existing and newer issues on the processing of sensitive health-related data. Globally, government responses were similar with variations in the intensity of the emergency measures adopted and the deployment of digital contact tracing. These measures limited citizens’ fundamental rights, including the right to privacy. Granted, the right to privacy is not absolute and public health emergencies constitute a legitimate and justifiable limitation. However, any form of limitation of the right to privacy through the collection of personal data requires consent, disclosure of the purpose of the data collection, secure storage and destruction, the transparent conduct of the data controllers, and oversight of any surveillance measures. Admittedly, Zimbabwe had no effective data protection law until December 2021. Notwithstanding this regulatory weakness, the supreme law, the Constitution, remained valid and in force, and provisions of the PHA and the dozens of COVID-designed instruments should have been interpreted to protect sensitive health data. Any pandemic disaster declaration should have been constitutionally compliant, safeguarding the fundamental right to privacy. It cannot be gainsaid that the pursuit of the right to health must be viewed as consistent with the right to privacy and the protection of sensitive personal data. The urgent need to respond to any pandemic must not create a data pandemic where health-related data are abused, as the consequences will always outlast the pandemic.
Bibliography
Literature
Alunge "Consolidating the Right to Data Protection"
Alunge R "Consolidating the Right to Data Protection in the Information Age: A Comparative Appraisal of the Adoption of the OECD (Revised) Guidelines into the EU GDPR, the Ghanaian Data Protection Act 2012 and the Kenyan Data Protection Act 2019" in Thorn J, Gueye A and Hejnowicz A (eds) Innovations and Interdisciplinary Solutions for Underserved Areas (Springer Cham 2020) 192-207
Baraniuk 2020 BMJ
Baraniuk C "Covid-19 Contact Tracing: A Briefing" 2020 BMJ 1-3
Borra "COVID-19 Apps"
Borra S "COVID-19 Apps: Privacy and Security Concerns" in Joshi A, Dey N and Santosh K (eds) Intelligent Systems and Methods to Combat Covid-19 (Springer Singapore 2020) 11-17
Blume 2004 Scand Stud L
Blume EP "Data Protection in the Private Sector" 2004 Scand Stud L 297-318
Bradford 2012 North Western University Law Review
Bradford A "The Brussels Effect" 2012 North Western University Law Review 1-69
Braman 2011 New Media & Society
Braman S "Privacy by Design: Networked Computing, 1969-1979" 2011 New Media & Society 798-814
Chen 2016 IDPL
Chen J "How the Best-Laid Plans Go Awry: The (Unsolved) Issues of Applicable Law in the General Data Protection Regulation" 2016 IDPL 310-323
Chipendo et al 2022 Pan African Medical Journal
Chipendo T et al "Implementation of the COVID-19 Laboratory Testing Certification Program (CoLTeP), Zimbabwe, 2021" 2022 Pan African Medical Journal 1-8
Dersso 2006 AHRLJ
Dersso AS "The Jurisprudence of the African Commission in Human and People's Rights with Respect to People's Rights" 2006 AHRLJ 333-357
Dove and Chen 2020 IDPL
Dove SE and Chen J "Should Consent for Data Processing be Privileged in Health Research? A Comparative Legal Analysis" 2020 IDPL 117-131
Esayas 2017 IJLIT
Esayas YS "The Idea of 'Emergent Properties' in Data Privacy: Towards a Holistic Approach" 2017 IJLIT 139-178
French 2009 Surveillance & Society
French MA "Woven of War-Time Fabrics: The Globalization of Public Health Surveillance" 2009 Surveillance & Society 101-115
Furusa and Coleman 2018 South African Journal of Information Management
Furusa SS and Coleman A "Factors Influencing E-Health Implementation by Medical Doctors in Public Hospitals in Zimbabwe" 2018 South African Journal of Information Management 1-9
Ghersi, Mariño and Miralles 2018 BMC Medical Informatics and Decision Making
Ghersi I, Mariño M and Miralles MT "Smart Medical Beds in Patient-Care Environments of the Twenty-First Century: A State-of-Art Survey" 2018 BMC Medical Informatics and Decision Making 1-12
Greenleaf 2012 IDPL
Greenleaf G "The Influence of European Data Privacy Standards Outside Europe: Implications for Globalization of Convention 108" 2012 IDPL 68-92
Gumedze 2004 AHRLJ
Gumedze S "HIV/AIDS and Human Rights: The Role of the African Commission on Human and Peoples' Rights" 2004 AHRLJ 181-200
Hurd 1996 Legal Theory
Hurd H "The Moral Magic of Consent" 1996 Legal Theory 121-146
Khumalo 2017 Library Philosophy and Practice
Khumalo NB "The Need for the Establishment of E-records and eHealth Legislation and Policy Framework in the Health Sector in Zimbabwe" 2017 Library Philosophy and Practice 1-18
Kirby 2011 IDPL
Kirby M "The History, Achievement and Future of the 1980 OECD Guidelines on Privacy" 2011 IDPL 6-14
Klaaren et al 2020 SAMJ
Klaaren J et al "South Africa's COVID-19 Tracing Database: Risks and Rewards of which Doctors Should be Aware" 2020 SAMJ 617-620
Koops 2021 Law, Innovation and Technology
Koops BJ "The Concept of Function Creep" 2021 Law, Innovation and Technology 29-56
Kwet "Surveillance in South Africa"
Kwet M "Surveillance in South Africa: From Skin Branding to Digital Colonialism" in Vagle J and Kwet M (eds) Cambridge Handbook of Race and Surveillance (Cambridge University Press Cambridge 2023) 97-122
Lloyd Information Technology Law
Lloyd IJ Information Technology Law 7th ed (Oxford University Press Oxford 2014)
Makulilo 2016 Beijing Law Review
Makulilo AB "A Person is a Person through Other Persons: A Critical Analysis of Privacy and Culture in Africa" 2016 Beijing Law Review 192-204
Makwaiba 2021 AHRLJ
Makwaiba BS "Tension between the Individual's Fundamental Human Rights and the Protection of the Public from Infectious and Formidable Epidemic Diseases" 2021 AHRLJ 311-334
McQuoid-Mason 2020 SAMJ
McQuoid-Mason DJ "COVID-19 and Patient-Doctor Confidentiality" 2020 SAMJ 461-462
Mhazo and Maponga 2022 BMJ Global Health
Mhazo AT and Maponga CC "Governing a Pandemic: Biopower and the COVID-19 Response in Zimbabwe" 2022 BMJ Global Health 1-13
Mokrosinska 2020 Critical Review of International Social and Political Philosophy
Mokrosinska D "Why States have no Right to Privacy but May be Entitled to Secrecy: A Non-Consequentialist Defense of State Secrecy" 2020 Critical Review of International Social and Political Philosophy 415-444
Neethling 2005 SALJ
Neethling J "The Concept of Privacy in South African Law" 2005 SALJ 18-28
OHCHR and UNAIDS International Guidelines
Office of the United Nations High Commissioner for Human Rights and UNAIDS International Guidelines on HIV/AIDS and Human Rights. 2006 Consolidated Version (UN Geneva 2006)
Rocher, Hendrickx and De Montjoye 2019 Nature Communications
Rocher L, Hendrickx JM and De Montjoye YA "Estimating the Success of Re-identifications in Incomplete Datasets Using Generative Models" 2019 Nature Communications 1-9
SALRC Discussion Paper 109
South African Law Reform Commission Discussion Paper 109, Project 124: Privacy and Data Protection (The Commission Pretoria 2005)
Schermer, Custers and Van der Hof 2014 Ethics Information and Technology
Schermer BW, Custers B and Van der Hof S "The Crisis of Consent: How Stronger Legal Protection May Lead to Weaker Consent in Data Protection" 2014 Ethics Information and Technology 171-182
Singh and Power 2019 African Human Rights Yearbook
Singh A and Power M "The Privacy Awakening: The Urgent Need to Harmonise the Right to Privacy in Africa" 2019 African Human Rights Yearbook 202-220
Solove 2002 CLR
Solove DJ "Conceptualising Privacy" 2002 CLR 1087-1156
Tschider 2019 Washington University Law Review
Tschider C "The Consent Myth: Improving Choice for Patients of the Future" 2019 Washington University Law Review 1505-1528
Tuovinen 2013 CCR
Tuovinen J "What to Do with International Law? Three Flaws in Glenister" 2013 CCR 435-449
Waltraut 2014 IDPL
Waltraut K "The Proposal for a New General Data Protection Regulation: Problems Solved?" 2014 IDPL 274-281
Zimbabwe Human Rights NGO Forum 180 Days of What?
Zimbabwe Human Rights NGO Forum 180 Days of What? A Summary Review of the First 180 Days of the COVID-19 National Lockdown in Zimbabwe (Zimbabwe Human Rights NGO Forum Harare 2020)
Zwitter and Gstrein 2020 Journal of International Humanitarian Action
Zwitter A and Gstrein OJ "Big Data, Privacy and COVID-19: Learning from Humanitarian Expertise in Data Protection" 2020 Journal of International Humanitarian Action 1-7
Report
ZimCovidSafe Mobile Application Security Assessment Report (10 September 2021) (on file with the author)
Case law
Amann v Switzerland ECHR App No 27798/95 (16 February 2000)
Catt v ACPO 2012 EWHC 1471
Deliberation of the Restricted Committee No SAN-2020-012 of 7 December 2020 Concerning the Companies Google LLC and Google Ireland Limited (CNIL - French Data Protection Agency)
Jestina Mukoko v Attorney-General (SC 11/12 Const Application No 36/09) [2012] ZWSC 11 (19 March 2012)
Law Society of Zimbabwe v Minister of Transport and Communications (unreported) case number SC 59/03 of 2 March 2004
Legal Resources Foundation v Zambia 2001 AHRLR 84
Minister of Health v Goliath 2009 2 SA 248 (C)
S and Marper v United Kingdom 2008 ECHR 1581
Tyrer v United Kingdom 1978 2 EHRR 1
Z v Finland 1997 ECHR 10
Legislation
Kenya
Constitution of Kenya, 2010
South Africa
Constitution of the Republic of South Africa, 1996
National Health Act 61 of 2003
Protection of Personal Information Act 4 of 2013
United States of America
Freedom of Information Act, 1966
Zimbabwe
Constitution of Zimbabwe Act 1 of 2013
Civil Protection Act, 1989 (Chapter 10:06)
Criminal Law (Codification and Reform) Act, 2019 (Chapter 9:23)
Cyber and Data Protection Act, 2021 (Chapter 12:07)
Freedom of Information Act 1 of 2020
Interception of Communications Act 6 of 2007 (Chapter 11:20)
Postal and Telecommunications Act, 2000 (Chapter 12:05)
Public Health Act 11 of 2018
Government publications
South Africa
GN 318 in GG 43107 of 18 March 2020, as amended (Regulations Issued in terms of Section 27(2) of the Disaster Management Act 57 of 2002)
Zimbabwe
Cybersecurity and Data Protection Bill (undated layman draft)
GN 492/2022 of 11 March 2022
Statutory Instrument 95 of 2014: Postal and Telecommunications (Subscriber) Regulations, 2014
Statutory Instrument 76 of 2020: Civil Protection (Declaration of State of Disaster: Rural and Urban Areas of Zimbabwe) (COVID-19) Notice, 2020
Statutory Instrument 77 of 2020: Public Health (COVID-19 Prevention, Containment and Treatment) Regulations, 2020
Statutory Instrument 95 of 2021: Postal and Telecommunications (Telecommunications Traffic Monitoring System) Regulations, 2021
Statutory Instrument 102 of 2023: Public Health (COVID-19 Prevention, Containment and Treatment) (National Lockdown) (No 22) (Amendment) Order, 2023 (No 44)
International instruments
African Charter on Human and Peoples' Rights (1981)
African Charter on the Rights and Welfare of the Child (1990)
African Union Convention on Cyber Security and Personal Data Protection (2014)
Constitution of the World Health Organization (1946)
Convention against Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment (1984)
Convention for the Protection of Individuals with Regard to the Automatic Processing of Individual Data (1981) (Convention 108)
Council of Europe Committee of Ministers Recommendation 509 (1968)
Council of Europe Committee of Ministers Resolution (73) 22 on the Protection of the Privacy of Individuals vis-a-vis Electronic Data Banks in the Private Sector (1973)
Council of Europe Committee of Ministers Resolution (74) 29 on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Public Sector (1974)
Declaration of Principles on Freedom of Expression and Access to Information (2019)
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data OJ L 281/31 (1995)
Emergency Care Systems for Universal Health Coverage: Ensuring Timely Care for the Acutely Ill and Injured. Report by the Director-General WHO Doc A72/31 (2019)
General Data Protection Regulation (2016)
International Covenant on Civil and Political Rights (1966)
International Health Regulations (2005)
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), as revised in 2013
Protocol Amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (2018) (Convention 108+)
Report of the Special Rapporteur on the Right to Privacy, Joseph A Cannataci UN Doc A/76/220 (2021)
Resolution on Human and Peoples' Rights as Central Pillar of Successful Response to COVID-19 and Recovery from Its Socio-Political Impacts AU Doc ACHPR/Res 449 (LXVI) (2020)
SADC Model Law on Data Protection (2013)
UN General Assembly, Special Rapporteur on the Right of Everyone to the Enjoyment of the Highest Attainable Standard of Physical and Mental Health UN Doc A/HRC/22/53 (2013)
Vienna Convention on the Law of Treaties (1969)
WHO Report of the Review Committee on the Functioning of the International Health Regulations (2005) during the COVID-19 Response WHO Doc A74/9 Add.1 (2021)
Internet sources
Dencroft date unknown https://dencroft.com/zimcovid-safe-app-policy
Dencroft date unknown ZimCOVID Safe App Policy https://dencroft.com/zimcovid-safe-app-policy accessed 8 September 2021
Eigen, Wang and Gasser 2020 https://cyber.harvard.edu/story/2020-07/country-spotlight-taiwans-digital-quarantine-system
Eigen M, Wang F and Gasser U 2020 Country Spotlight: Taiwan's Digital Quarantine System https://cyber.harvard.edu/story/2020-07/country-spotlight-taiwans-digital-quarantine-system accessed 23 March 2024
European Data Protection Board 2020 https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf
European Data Protection Board 2020 Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020 https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf accessed 22 March 2024
EU Data Protection Working Party 2007 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf
European Union Data Protection Working Party 2007 Opinion 4/2007 on the Concept of Personal Data https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2007/wp136_en.pdf accessed 22 March 2024
EU Data Protection Working Party 2005 https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf
European Union Data Protection Working Party 2005 Document No WP 105: Working Document on Data Protection Issues Related to RFID Technology https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2005/wp105_en.pdf accessed 22 March 2024
Greenleaf 2021 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3836348
Greenleaf G 2021 Global Data Privacy Laws 2021: Despite COVID Delays, 145 Laws Show GDPR Dominance https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3836348 accessed 22 March 2024
Hoofnagle 2014 https://ssrn.com/abstract=2466418
Hoofnagle CJ 2014 The Origin of Fair Information Practices: Archive of the Meetings of the Secretary's Advisory Committee on Automated Personal Data Systems https://ssrn.com/abstract=2466418 accessed 2 September 2021
Human Rights Committee 1988 https://www.refworld.org/legal/general/hrc/1988/en/27539
Human Rights Committee 1988 General Comment No 16: Article 17 (Right to Privacy). The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation https://www.refworld.org/legal/general/hrc/1988/en/27539 accessed 23 March 2024
Independent Panel 2021 https://theindependentpanel.org/wp-content/uploads/2021/05/COVID-19-Make-it-the-Last-Pandemic_final.pdf
Independent Panel for Pandemic Preparedness and Response 2021 COVID-19: Make It the Last Pandemic https://theindependentpanel.org/wp-content/uploads/2021/05/COVID-19-Make-it-the-Last-Pandemic_final.pdf accessed 16 September 2021
IR 2020 https://documentportal.george.gov.za/storage/level-five-covid-documents/August2020/qeyctYy1dBMmLgVwI1c5.pdf
Information Regulator 2020 Guidance Note on the Processing of Personal Information in the Management and Containment of COVID-19 Pandemic in terms of the Protection of Personal Information Act 4 of 2013 (POPIA) https://documentportal.george.gov.za/storage/level-five-covid-documents/August2020/qeyctYy1dBMmLgVwI1c5.pdf accessed 6 April 2024
Mhlanga 2018 https://www.newsday.co.zw/2018/07/zanu-pf-breaks-into-zec-database/
Mhlanga B 2018 ZANU PF Breaks into ZEC Database https://www.newsday.co.zw/2018/07/zanu-pf-breaks-into-zec-database/ accessed 14 September 2021
Mhlanga 2020 https://www.newsday.co.zw/2020/11/military-nurses-take-over-hospitals/
Mhlanga B 2020 Military Nurses Take over Hospitals https://www.newsday.co.zw/2020/11/military-nurses-take-over-hospitals/ accessed 14 September 2021
MISA Zimbabwe 2019 https://www.ohchr.org/sites/default/files/Documents/Issues/Opinion/Surveillance/MISA_ZIMBABWE.pdf
Media Institute of Southern Africa Zimbabwe 2019 Submissions to United Nations Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression https://www.ohchr.org/sites/default/files/Documents/Issues/Opinion/Surveillance/MISA_ZIMBABWE.pdf accessed 8 April 2024
Moyo-Ndlovu 2021 https://www.herald.co.zw/health-ministry-launches-covid-19-app/
Moyo-Ndlovu T 2021 Health Ministry Launches Covid-19 App https://www.herald.co.zw/health-ministry-launches-covid-19-app/ accessed 14 September 2021
Mungadze 2020 https://www.itweb.co.za/content/rW1xLv59YPGvRk6m
Mungadze S 2020 Life Healthcare Reveals Damage Caused by Data Breach https://www.itweb.co.za/content/rW1xLv59YPGvRk6m accessed 2 November 2021
Murwira 2021 https://www.herald.co.zw/new-dawn-for-zim-as-president-launches-data-centre-to-anchor-govt-operations
Murwira Z 2021 New Dawn for Zim … as President Launches Data Centre to Anchor Govt Operations https://www.herald.co.zw/new-dawn-for-zim-as-president-launches-data-centre-to-anchor-govt-operations accessed 14 September 2021
PSMI 2020 https://www.psmi.co.zw/2020/06/08/192323/
PSMI 2020 PSMI Launches a Telemedicine Platform https://www.psmi.co.zw/2020/06/08/192323/ accessed 14 September 2021
Tsiko 2019 https://www.herald.co.zw/telemedicine-revolutionises-zim-healthcare
Tsiko S 2019 Telemedicine Revolutionises Zim Health Care https://www.herald.co.zw/telemedicine-revolutionises-zim-healthcare/ accessed 14 September 2021
UN 2020 https://www.ohchr.org/Documents/HRBodies/SP/COVID19_and_SP_28_April_2020.pdf
United Nations 2020 United Nations Special Procedures and Covid-19 Working Document Covering Information as of 28 April 2020 https://www.ohchr.org/Documents/HRBodies/SP/COVID19_and_SP_28_April_2020.pdf accessed 9 September 2021
UN 2020 https://unsdg.un.org/sites/default/files/2020-04/COVID-19-and-Human-Rights.pdf
United Nations 2020 COVID-19 and Human Rights: We are All in this Together https://unsdg.un.org/sites/default/files/2020-04/COVID-19-and-Human-Rights.pdf accessed 9 September 2021
USA Department of Health 1973 https://aspe.hhs.gov/reports/records-computers-rights-citizens
United States of America Department of Health, Education and Welfare Records 1973 Computers and the Rights of Citizens: Report of the Secretary's Advisory Committee on Automated Personal Data Systems https://aspe.hhs.gov/reports/records-computers-rights-citizens accessed 1 November 2021
List of Abbreviations
AHRLJ | African Human Rights Law Journal |
---|---|
BMJ | British Medical Journal |
CCR | Constitutional Court Review |
CDP Act | Cyber and Data Protection Act, 2021 (Chapter 12:07) |
CLR | California Law Review |
CoE | Council of Europe |
EU | European Union |
GDPR | General Data Protection Regulation |
HIPSSA | Harmonisation of ICT Policies in Sub-Saharan Africa |
ICCPR | International Covenant on Civil and Political Rights |
IDPL | International Data Privacy Law |
IHR | International Health Regulations (2005) |
IJLIT | International Journal of Law and Information Technology |
IR | Information Regulator |
MISA | Media Institute of Southern Africa |
MNO | mobile network operator |
OECD | Organisation for Economic Co-operation and Development |
OHCHR | Office of the United Nations High Commissioner for Human Rights |
PHA | Public Health Act 11 of 2018 |
PHSMs | public health standards and measures |
POTRAZ | Postal and Telecommunications Regulatory Authority of Zimbabwe |
SADC | Southern African Development Community |
SALJ | South African Law Journal |
SALRC | South African Law Reform Commission |
SAMJ | South African Medical Journal |
Scand Stud L | Scandinavian Studies in Law |
UN | United Nations |
USA | United States of America |
WHO | World Health Organization |