Privacy Policy


Privacy Policy

This is the Privacy Policy of the Electronic Vaccination Data System portal developed by the National Department of Health. In this document, “we”, “our”, or “us” refer to National Department of Health (NDOH).

  1. Introduction

1.1.   The National Department of Health has developed an Electronic Vaccine Data System (EVDS) to support the COVID-19 Vaccination roll out in South Africa.

1.2.   The EVDS will be used to capture COVID-19 vaccination events digitally and provide data to NDOH data analytics platform to monitor and report on.

1.3.    This Privacy Policy explains the extent to which we collect information when you use the

EVDS. It also explains:

1.3.1        How your information is used;

1.3.2        Who your information is shared with;

1.3.3        How your data is kept securely; and

1.3.4        The extent to which any personal information is transferred or stored.

1.4.    “Personal data” or “personal information” means all information relating to an identified or identifiable person.

1.5     “Processing” means any operation with personal data, irrespective of the means applied and the procedure, and in particular the collection, storage, use, revision, disclosure, archiving, or destruction of data.

1.6    The processing of personal data is managed in line with the provisions and safeguards set out in the Protection of Personal Information Act, 2013 (Act No. 4 of 2013).

2. Responsible Party

2.1    The controller responsible for the data processing described herein is the:

National Department of Health (NDOH)
222 Thabo Sehume Street
South Africa

2.2    The EVDS is under the direct control of the National Department of Health. The EVDS is available to administrative staff and Vaccinators (HCWs) registered on the system. The system can be accessed via web browsers using suitable and compatible devices. The system also includes capabilities for vaccinees to enrol (express an interest to be vaccinated) on EVDS.

2.3    Where the NDOH engages third parties to assist with developing and supporting the EVDS platform, they have signed commercial and confidentiality agreements, undertaking contractually to comply with all requirements of Regulation 8 of the Regulations Issued in Terms of Section 27(2) of the Disaster Management Act, 2002 as well as the provisions of the Terms and Conditions and Privacy Policy. The NDOH monitors their compliance with these legal requirements. For the purpose of developing data collection tools and user applications for EVDS NDOH have engaged Mezzanine Ware (Pty) and The Council for Scientific and Industrial Research (CSIR).

  1. Collection and processing of personal data and special personal information

3.1     The EVDS does not collect any “special personal information” about you as a vaccinee. For this purpose, “Special personal information” relates to:

3.1.1        the data about your race or ethnicity;

3.1.2        religious or philosophical beliefs;

3.1.3        sex life;

3.1.4        political opinions or trade union membership;

3.1.5        information about your health and biometric data; and

3.1.6        information about criminal convictions and offences.

3.2     The following information of the vaccinee will be collected and processed by the EVDS:

3.2.1      personal information (names and Identity Number) as contained in your Identity document. This is to verify and confirm your eligibility as a COVID-19 vaccine beneficiary per the priority phases as defined in the COVID-19 National Vaccination Plan;

3.2.2        the medical aid details, residential address, email address, phone numbers (including mobile numbers in order to send messages and appointment messages for the second dose of the vaccine);

3.2.3        employment details, professional category and registration as part of the priority group eligibility verification; and

3.2.4        patient information in relation to your health status including underlying conditions that you may have as a vaccine in line with the vaccination protocols.

  1. How does the EVDS work?

4.1.   Vaccination and enrolment on the EVDS is voluntary.

4.2.   Vaccinees are provided an opportunity to enrol on the EVDS system.

4.3.   To do so, vaccinees must provide personal, contact and medical aid details.

4.4.   Enrolment is not a guarantee of vaccination.

4.5.   Eligibility of the vaccinee is then determined by the NDOH based on priority population groups over a period of time.

4.6.   Eligible vaccinees are then provided with notification and instructions on how and where to receive the vaccination.

4.7.   A vaccinee must presents himself/herself at a Facility Vaccine Registration Desk within a Vaccination Site. In this regard, he/she must produce an identity document (e.g. ID Book or Passport) in order to register, confirm details and schedule an appointment in the EVDS.

4.8.   During vaccination, all vaccination information of the vaccinee will be captured in the EVDS including the dose received, batch number, manufacturer.

4.9.   The EVDS will send an SMS to the vaccinee for an appointment for the second dose. During the second dose, the vaccinator confirms the vaccine details in the EVDS to ensure that an appropriate dose and vaccine is given to the correct vaccinee.

5. Information we process with your consent

Your personal data as well as your patient information data is processed with your informed consent.

6. Data transfer

 Anonymised data will be transferred to the NDOH database for reporting. No personal data will be transferred from the EVDS, without the required legislative provisions to do so.

 7. What security measures are in place to protect my data?

  1. 1 The Administrators and Vaccinators who access the EVDS have secure user login details that have a full audit trail on all the activities that they perform on their accounts in accordance with their assigned roles.
  1. 2 NDOH is the owner and Responsible Party of Information and data processed by the EVDS and has employed stringent technical and best practice procedures in place to ensure the integrity of Personal Information is safeguarded against the risk of loss or damage and against the unauthorised or unlawful access.
  1. 3 All systems are Protection of Personal Information (POPI) Act compliant and allow for capturing of user and client consent in the case of capturing personal information.
  1. 4 Security is based on at least 99% Availability Service Levels and ISO 27001:2013 framework, which is the international standard that describes best practices and controls.
  1. 5 All systems are built with open architecture for interoperability and alignment with local standards.

8. Rights of all EVDS users

8.1.   In the event of alleged infringements of any data protection legislation in force in the Republic at the time of the alleged infringement, you can contact the competent data protection supervisory authority or take legal action in accordance with that data protection legislation.

8.2.   The ability to exercise your rights requires that you provide clear evidence of your identity (e.g. a copy of your identity documents). To assert your rights you can contact the NDOH at the address given in clause 2.

9. Other documents governing privacy and data protection

 This Privacy Policy is not necessarily exhaustive. Specific matters may be governed by other data protection statements, similar documents, or terms and conditions of use. Where that is so, a link to any such documents will be made available to the user in the application.