1. Introduction & legal bases
- The app is free and easy to use. The purpose of the app is to notify users who have potentially been in close contact (proximity) with someone who has tested positive for COVID-19, while providing strong protection for each user’s right to privacy as provided for in section 14(d) of the Constitution.
- How your information is used;
- Who your information is shared with;
- How your data is kept securely;
- The extent to which any personal information is transferred or stored.
“Personal data” or “personal information” means all information relating to an identified or identifiable person.
“Processing” means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection storage, use, revision, disclosure, archiving, or destruction of data.
The processing of personal data is governed by the Exposure Notification rules set out by Alphabet Inc. and Apple Inc.
- The provisions and safeguards in the Protection of Personal Information Act, 2013 (Act No. 4 of 2013) have been used as a benchmark for the protection of the right to privacy.
2. Responsible Party
- The controller responsible for the data processing described herein is the:
National Department of Health (NDOH)
1112 Voortrekker Rd,
- The entire system for the app is under the direct control of the NDoH, Google and Apple and is operated technically, on its behalf, by the NDoH.
- Discovery, Google and Apple developed the app software on behalf of the NDoH and provides any necessary technical support services. Discovery Limited will periodically provide basic service volumes to the NDoH. This data is completely anonymized.
- Google provides the one-time-pin verification code service to ensure fidelity of the system.
- All employees of the NDoH, Discovery Limited, Apple and Google and . are bound by confidentiality in the management of data.
3. Collection and processing of personal data
- The purpose of the app is to notify users who have been in close contact (proximity) to an individual infected by COVID-19 to help prevent further transmission, while protecting the identity of its users. This aim is achieved in several ways:
- The entire app system is designed to ensure that the app user is not identifiable and remains anonymous.
- The processing of personal data is kept to a minimum and the app does not collect location data.
- Data cannot be traced back by technical means to persons, locations or devices.
- The app allows encrypted data concerning close contact (proximity) events to be recorded via Bluetooth.
- Not even the NDoH, Google or Apple are able to draw any conclusions concerning the identity of app users.
4. Operation of the app – how does it work?
There are two main phases in the app’s process.
1. First, anonymous, random codes are shared via Bluetooth when users of the app are in close contact (proximity). These anonymous, random codes are stored on a user’s device indicating Bluetooth interactions over the last 14 days.
2. Second, if a user tests positive for Covid-19, he or she can choose to upload their anonymous codes to the Exposure Notification Server (ENS), which will then send these out to all devices that have the application installed in the relevant jurisdiction.
3. These devices will then run through the random codes to check for any matches against the random codes that have been stored on their devices over the last 14 days.
Both phases harness the power of Bluetooth technology to aid in exposure notification.
Phase 1 – anonymous scanning by the app
- Once the app is enabled, a user’s devices will regularly send out a beacon via Bluetooth that includes a random Bluetooth identifier code — basically, a string of random numbers that are not tied to that user’s identity or personal information.
- For additional protection, the random Bluetooth codes change every 10-20 minutes.
Other phones with the app will be monitoring for these beacons and broadcasting theirs as well. When each phone receives another beacon, it will record and securely store that beacon on the device.
At least once per day, the system will download a list of the keys for the beacons that have been verified as belonging to people confirmed as positive for COVID-19.
Each device will check the list of beacons it has recorded against the list downloaded from the server.
If there is a match between the beacons stored on the device and the positive diagnosis list, the user may be notified and advised on steps to take next.
What information is stored on the mobile phone during the scanning phase?
The following data is stored on the mobile phone:
- the random codes (random identifier) from your phone, for 14 days;
- the random codes received from other phones near you, for 14 days;
- In relation to each encounter data is stored regarding:
- the Bluetooth signal strength between the two users’ devices;
- the estimated duration of the encounter.
How does the app determine the distance between two users?
To approximate distance, the system uses Bluetooth attenuation (signal strength) to estimate distance between the two devices. The closer the devices are, the higher the signal strength recorded. Signal strength can vary significantly based on factors like how the device is being held and as such this only provides an estimate of distance.
Phase 2 – if you are diagnosed with COVID-19
If at some point a user is positively diagnosed with COVID-19, he or she can elect to upload their random Bluetooth beacons (this is easily done from prompts in the app). The user’s random Bluetooth codes will then added to the positive diagnosis list.
If an app user elects to upload his/her positive diagnosis, all devices that have been in close contact (proximity) to that user, will be notified.
Importantly, this notification does not share any information other than the date of last exposure.
A user’s identity will not be shared with other users, Apple and Google as part of this process
Notifications also draw attention to free advice in the app.
If you upload your COVID-19 positive status what information is stored?
In the event of an infection being confirmed by a user, the following data is recorded in the PIN verification system:
1. the one time code ( (sent upon request of the App user)
2. the date of test; date of symptom onset and travel history
The back end (Exposure Notification Server) contains a list with the following data:
3. the private keys of infected users which were current in the period (i.e. 14 days);
4. the date of each key.
A user can only see that they have had potential exposure. They cannot see details other than the date, distance and estimated duration of the potential exposure. No other details are shared through the app.
No personal information is stored, only temporary exposure keys are stored on the central database.
5. Data transfer
The Exposure Notification Server data list is made available to the app (or front end) in the retrieval process.
The app uses an interface to the operating system of the user’s mobile phone, which entails the processing of data by Apple or Google (a subsidiary of Alphabet Inc.).
The operating system functions used via the interface comply with the Protection of Personal Information Act 4 of 2013. The NDoH makes sure that these requirements are complied with..
6. How long will data be retained and when will it be destroyed?
Data will be destroyed as soon as it is no longer required for the notifications of users. Specifically, it will be destroyed as follows:
- Data in the proximity data management systems (on mobile phones): 14 days after capture.
7. What security measures are in place to secure my data and keep my identity anonymous?
- Only public health authorities are allowed to control the app. The system is only permitted to be used: (a) for contact tracing; (b) by public health authorities.
- Nothing is done without your permission!
- Each user will have to make an explicit choice to download the app and to turn on the Bluetooth technology.
- The app can also be turned off by the user at any time.
- The random Bluetooth identifier codes rotates, to help prevent tracking.
- This system does not collect location data from your device, and does not share the identities of other users to each other, Google or Apple.
- The user controls all data they want to share, and the decision to share it.
- Notification that a person has tested positive for COVID-19 is only made at that user’s election and is done on the user’s device.
- People who test positive are not identified by the system to other users, to Apple or Google, or to the NDOH, or Discovery.
To protect data against unauthorised access, loss, or misuse the app makes use of a variety of sophisticated technical security measures (including, for instance, encryption; pseudonymisation, logging, access controls and restrictions). The NDoH and its partners also employ organisational strategies (including, for example, staff directives, confidentiality agreements, reasonably regular inspections) to ensure that all legal requirements have been, and are being, complied with.
Google and Apple will disable the exposure notification system, on a regional basis, when it is no longer needed to guide the public health authority’s response to the COVID-19 pandemic.
What security measures are in place?
To protect data against unauthorized access, loss, or misuse, the NDoH, in collaboration with Discovery Limited, Google, Apple, internal and external hosting providers and other IT service providers, takes appropriate security measures of a technical (e.g. encryption, pseudonymisation, logging, access controls and restrictions, data backup, IT and network security solutions, etc.) and organisational nature (e.g. staff directives, confidentiality agreements, inspections, etc.) in accordance with South African data protection legislation and corporate policies where applicable.
6. Rights of all app users
In the event of alleged infringements of any data protection legislation in force in the Republic at the time of the alleged infringement, you can contact the competent data protection supervisory authority or take legal action in accordance with that data protection legislation.
The ability to exercise your rights requires that you provide clear evidence of your identity (e.g. a copy of your identity documents). To assert your rights you can contact the NDoH at the address given in Section 1.
As made clear above – the ‘privacy by design’ principle on which the app is based means that there is very little personal information or data that is processed.
The app is designed – through innovative encryption and cryptographic methods as well as decentralised data processing – to ensure that, as far as possible, no information relating to or identifiable persons (personal data) is present and that the risk of any possible re-identification is extremely low.
For that reason, it is not possible for the NDoH and its partners (Discovery Limited, Google Apple.) to (for example) provide information on the proximity events logged for a specific person or to correct this data. The NDoH and its partners cannot inspect this data, as it is stored only on the users’ mobile phones.
7. Other documents governing privacy and data protection