RESEARCH

 

Pandemics, public health and the limitation of the right to privacy: Legal compliance and public trust

 

 

L Prinsen

LLB.LLM.LLD; Department of Public Law, Faculty of Law, University of the Free State, Bloemfontein, South Africa

Correspondence

 

 

---

ABSTRACT

The COVID-19 pandemic highlighted the tension between protecting public health and safeguarding individual rights, particularly the right to privacy. In South Africa (SA), privacy is both a constitutional right and a statutory obligation under the Protection of Personal Information Act (POPIA). However, during public health crises, this right may be limited by legal measures such as surveillance, mandatory reporting and data processing under POPIA, the National Health Act and the Disaster Management Act. These instruments collectively define the conditions under which the right to privacy may be limited in the interest of public health. This article examines whether SA's legal framework allows for the lawful, necessary and proportionate limitation of privacy during disease outbreaks, drawing on key legislation and case law. To assess SA's compliance with international human rights standards, a benchmarking of domestic provisions against the International Covenant on Civil and Political Rights and the Siracusa Principles is also undertaken. These instruments offer guidance on how states may justifiably limit rights during public health emergencies. The article further briefly examines whether adhering to constitutional and statutory requirements translates into public trust during pandemics. Lastly, it also provides recommended requirements to guide future limitations on privacy that uphold constitutional values while enabling effective public health responses.

Keywords: disease outbreaks, limitation of rights, pandemics, privacy, public health, regulatory framework

---

 

 

Outbreaks of infectious disease at epidemic and pandemic scale, such as the COVID-19 pandemic, have brought to the forefront the complex balance between safeguarding public health and protecting individual human rights such as the right to privacy. This right is particularly vulnerable to infringement as digital technologies such as track-and-trace, surveillance and reporting measures are important safeguards used in curbing the spread of a disease, and are readily implemented during times of public health crisis.

The COVID-19 pandemic fast-tracked the deployment of digital tools such as mobile contact tracing applications, geolocation tracking, digital health passports and centralised health databases for surveillance purposes. While these technologies offer unprecedented capabilities for disease monitoring and outbreak control, they also introduce novel privacy risks that extend beyond traditional health information collection.^[1] For example, South Africa (SA) implemented the 'COVID Alert SA' application, which used Bluetooth proximity detection to notify users of potential exposure to infected individuals. Unlike more invasive systems deployed elsewhere, this application employed decentralised data storage, meaning that exposure data remained on individual devices rather than being centrally collected.^[2] However, the application's voluntary adoption meant that uptake remained low, limiting its epidemiological effectiveness and raising questions about whether legal frameworks should mandate such technologies during future health emergencies.^[3]

Digital health surveillance technologies create particular challenges under SA's privacy framework: they enable continuous, automated and potentially indefinite data collection; may facilitate 'function creep' whereby data collected for health purposes is repurposed for law enforcement or other state functions; and generate metadata and behavioural patterns that reveal more than explicit health status alone.^[4] These concerns underline why the legal principles discussed throughout this article become even more critical when applied to digital surveillance tools that can operate at scale, in real time and with limited human oversight. Many scientists have warned that the next pandemic is not a matter of 'if' but 'when',^[5] and as such, an awareness of the regulatory framework relevant to the limitation of rights for public health reasons is necessary and relevant in preparing SA for any new health crisis.

In SA, privacy is not only a fundamental human right enshrined in the Constitution,^[6] but is also reinforced by the Protection of Personal Information Act No. 4 of 2013 (POPIA).^[7] However, during public health crises, this right may be curtailed through the mandatory measures mentioned above as implemented under not only POPIA,^[7] but also the National Health Act No. 61 of 2003 (NHA)^[8] and its associated Regulations,^[9] as well as the Disaster Management Act No. 57 of 2002 (DMA),^[10] all of which interact in shaping the limits and responsibilities of the state during a disease outbreak.

Since the Constitution is the supreme law of the country, all action taken is subject to constitutional scrutiny. However, as will be shown, POPIA is the primary Act providing for privacy-related matters. POPIA only came into full force on 30 June 2021 after a year's grace period,^[11] which means that during a large part of the COVID-19 outbreak, it was not fully followed and its provisions not fully implemented. This implementation delay created a regulatory gap during the critical early stages of the pandemic, meaning that extensive health data collection, digital surveillance and contact tracing occurred without the full protective POPIA framework, including its consent requirements, purpose limitation principles and data subject rights. Consequently, individuals may have had limited recourse against potential data misuse, and oversight mechanisms that would later become mandatory were not yet operational. This article, inter alia, provides insight into what additional requirements will now have to be met in order to limit privacy rights in the event of a future disease outbreak.

The article therefore examines SA's broader legal framework for disease control to assess if and how it allows for and justifies the limitation of the right to privacy in the name of public health during pandemics and other outbreaks.

The analysis will delve into the legality, proportionality and necessity of these limitations, exploring the interplay between privacy and public health as seen in our laws. Key case law such as Goliath^[12] and de Jager^[13] is also included in this article to better illustrate how the courts have approached and interpreted the tension between individual rights and the limitation thereof in a health context. The International Covenant on Civil and Political Rights (ICCPR)^[14] and the Siracusa Principles on the Limitation and Derogation of Provisions in the International Covenant on Civil and Political Rights (Siracusa Principles)^[15] are also evaluated in a benchmarking exercise to determine whether the SA framework aligns with global standards of balancing individual rights and societal safety.

Finally, the article offers recommended requirements in terms of the SA legal framework for limiting the right to privacy for public health reasons, to ensure that it effectively addresses future pandemics and outbreaks of infectious disease. This will aid in upholding privacy while allowing for robust public health interventions, ensuring that the limitation of rights is both justified and proportionate.

As an offshoot of asking if and how SA allows and justifies the limitation of privacy for public health, this article also briefly considers whether legal compliance alone suffices to ensure public trust during pandemic emergencies.

Before any legal analysis can take place, however, a clarification of the terms 'public health' and 'public interest' is needed, as these terms are used in this article and in the legislation to be discussed.

 

Distinguishing between 'public health' and 'public interest'

While these concepts overlap substantially in the context of disease outbreak management, they are not always synonymous and may serve distinct juridical functions.

According to the World Health Organization, 'public health' refers to 'all organised measures (whether public or private) to prevent disease, promote health, and prolong life among the population as a whole. Its activities aim to provide conditions in which people can be healthy and focus on entire populations, not on individual patients or diseases.'^[16] In other words, 'public health' may be deemed to refer specifically to the collective health status of a population, and to measures taken to prevent disease, prolong life and promote health through organised societal efforts. In SA health legislation, 'public health' appears as a specific concept justifying particular interventions. For example, section 14 of the NHA permits disclosure of confidential health information, as will be discussed below,^[8] and the Regulations relating to the Surveillance and the Control of Notifiable Medical Conditions (Surveillance Regulations)^[9] authorise mandatory reporting to enable 'public health surveillance, investigations and intervention.' Here, public health functions as a concrete, identifiable interest grounded in epidemiological necessity.

'Public interest' is a broader legal concept encompassing any matter affecting the collective welfare of society. Section 37 of POPIA permits exemptions from normal processing conditions 'where the public interest in processing substantially outweighs any interference with the privacy of the data subject,^[7] and specifically includes 'historical, statistical or research purposes' as examples of public interest activities. Thaldar^'17' has noted that 'public interest' may be understood as outcomes or actions that benefit a group or the SA people, which clearly extends beyond health alone.

In the context of pandemics, public health measures invariably serve the public interest, but the reverse is not necessarily true: data processing serving a public interest (such as economic research, for example) does not automatically qualify as a public health intervention. This distinction matters because POPIA provides different legal pathways for each: sections 15 and 32 specifically authorise processing for public health purposes, while section 37 provides a separate, broader exemption based on public interest considerations, which requires a balancing exercise between collective benefit and individual privacy.^[7] During disease outbreaks, authorities may legitimately invoke both grounds, but the legal tests and safeguards differ. Understanding this distinction ensures that pandemic data collection is justified under the appropriate legal basis and subject to corresponding limitations, a matter that becomes particularly important when considering whether surveillance measures are genuinely necessary for epidemiological purposes, or serve broader governance objectives that require more stringent justification.

In the context of this article, the terms 'public health' and 'public interest' are used in accordance with their respective meanings as outlined above and as found in the relevant legislation. This distinction does not undermine the article's core arguments. Rather, it strengthens its analytical precision by clarifying that pandemic privacy limitations rest on a specific, robust legal foundation (public health necessity) rather than having to resort to the more general public interest exemption. This ensures that the legal framework analysed throughout this article applies the most appropriate and protective standards to pandemic data collection, with safeguards tailored specifically to health emergencies, rather than relying on broader discretionary balancing that might be appropriate for other societal interests.

 

The South African legal framework

The legal framework relevant to the tension between protecting the right to privacy and implementing public health measures during disease outbreaks in SA is constituted of the Constitution,^[6] POPIA,^[7] the NHA,^[8] the Surveillance Regulations^[9] and the DMA.^[10] Each will now be discussed.

The Constitution

Section 14 of the Constitution guarantees that everyone has the right to privacy, and this includes not having the privacy of their communications infringed. In the context of pandemics and public health, 'communications' is where the right to privacy may become especially vulnerable, since digital tools are used for track-and-trace, surveillance and reporting purposes. As such, section 14, in addition to establishing the constitutional foundation for the right to privacy -which any public health measure must respect, and which should only be restricted in terms of the constitutional limitation clause - is central to any legal evaluation of disease control measures involving the use or interception of personal or health-related communications. However, the Constitution should not be directly invoked in every privacy dispute, as will be seen from the de Jager case.^[13] While the Constitution remains the supreme law and ultimate benchmark for rights protection, the principle of subsidiarity means that where specific legislation exists to give effect to constitutional rights, such as POPIA for privacy, that legislation becomes the primary framework through which the right is enforced and interpreted, though always subject to constitutional standards and section 36 limitations analysis.^[18] In terms of this section, a right may only be limited in terms of a law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom.^[6] In limiting a right, the following factors are also taken into account: the nature of the right; the importance of the purpose of the limitation; the nature and extent of the limitation; the relationship between the limitation and its purpose; and any less restrictive means to achieve the purpose.^[6]

POPIA

In context of this article, certain sections of POPIA^[7] are relevant. The first is section 5, which establishes the rights of data subjects and gives a person the right to have their personal information, which includes health information, processed in a manner that is lawful and transparent. Section 11 provides for consent, and as such, the justification for personal information processing.^[7] This section provides that personal information may only be processed with the consent of the data subject, or if it is necessary to comply with a legal obligation, to perform a public duty or protect legitimate interests. Section 15 is of great relevance to this article as it states that the further processing of personal information (such as is done with health information during track-and-trace, surveillance or reporting processes) may only be done where such processing: is necessary to prevent or reduce a serious and imminent threat to public health, public safety or any person's life or health; is for historical, statistical or research purposes (provided it remains non-identifiable); and falls under an exemption granted under section 37 of POPIA.^[7] The mentioned section 37 exemption of relevance here provides that an exemption to the normal conditions for the processing of personal information may apply where the public interest in the processing substantially outweighs any interference in the privacy of the data subject that could result from such processing. Section 37(2)(e)^[7] further clarifies that public interest includes research activities, such as health research during a time of disease outbreak. 'Public interest', as mentioned above, benefits a group or the people of SA collectively,^[17] extending beyond health-specific concerns. During pandemics, authorities might invoke section 15 for direct public health authorisation for core disease control measures (surveillance, contact tracing, mandatory reporting), while the section 37 public interest exemption would apply to ancillary activities such as research using anonymised health data or broader policy analysis.^[17]

Health information does not only fall under the definition of personal information provided by POPIA, but also under the definition of 'special personal information', and as such, section 26 of the Act becomes relevant.^[7] In terms of this section, personal information regarding health may not be processed unless certain conditions found in section 27 are met. These are: consent of the data subject or, where consent has not been obtained, when processing is for research purposes and these purposes serve a public interest; obtaining consent appears to be impossible or would involve a disproportionate effort to obtain; and sufficient guarantees are provided to ensure that the processing does not adversely affect the privacy of the data subject to a disproportionate extent.^[7]

Section 32 envisions special conditions for when processing personal health information is permitted □ mainly when necessary for health purposes.^[7] In terms of this section, the general prohibition on processing personal health information does not apply when medical professionals or healthcare institutions process the information and it is necessary for the proper treatment or care of the person, or for the administration of the institution or professional practice. In such instances, processing is only allowed if an obligation of confidentiality exists by virtue of either law, profession, employment or a written agreement with the data subject.^[7] Where no such obligation exists, the processing person must treat the information as confidential unless they are required by law or professional duties to share it with authorised persons for purposes allowed under the Act. This prohibition also does not apply when such information must be supplemented with other personal information to enable proper treatment or care of the data subject.

From these provisions it is clear that although POPIA protects personal health information, it allows limited, justified exceptions. This means that during a pandemic, privacy may be lawfully limited, but strict safeguards are required. The existence of such safeguards could also have an impact on public trust, as is discussed below.

The NHA and the Surveillance Regulations

The NHA^[8] also establishes privacy and confidentiality rights in the healthcare context. In terms of section 14, providing for confidentiality, all information related to a healthcare user, which includes information on their health status, is confidential and may not be disclosed unless, inter alia, the non-disclosure of such information represents a serious threat to public health. This is subject to section 15, which provides that health records may only be accessed under defined conditions, balancing privacy and medical necessity.^[8]

Although the NHA guarantees confidentiality of health data, it also authorises the health minister, in section 90 of the Act,^[8] to issue regulations related to communicable diseases that may override privacy under certain conditions, making it the legal bridge between health security and privacy protection. Enter the Surveillance Regulations.^[9] These regulations operationalise the NHA in times of health crisis, and allow for the infringement of privacy rights by measures such as mandatory testing, reporting and quarantine. The regulations require that these measures remain proportional, time-bound and purpose-specific.^[9]

Regulation 13 of the Surveillance Regulations provides for the mandatory, and sometimes immediate, notification and reporting of notifiable medical conditions (NMCs), which include, for example, novel respiratory pathogens,^[19] by healthcare providers and laboratories.^[9] Regulation 16(3) contains similar provisions in that the head of an institution must immediately report to the local health authority when they become aware or suspect that someone has an NMC, to enable appropriate public health measures.^[9] Regulation 15 allows for the imposition of mandatory quarantine and isolation without consent where it is necessary to prevent the spread of disease.^[9] Lastly, regulation 18 states that personal information of a person with an NMC, including information relating to their health status, treatment or stay in a health establishment, is confidential and may only be disclosed where such disclosure is for public health surveillance, investigation and intervention purposes, or where a court order or any law requires disclosure.^[9]

The DMA

Although the DMA^[10] is not a typical health-related law, it is relevant in the context of this article as it provides for the limitation of certain rights in instances of a national disaster. A 'disaster' is defined as a progressive or sudden, widespread or localised natural or human-caused occurrence that causes or threatens to cause, inter alia, death, injury or disease or disruption of the life of a community, and is of a degree that exceeds the ability of those affected to cope with its effects using only their own resources.^[10] Read together, sections 23 and 27 of the DMA provide for the declaration of a (national) state of disaster, and once such a declaration has been made, section 26 requires relevant departments to act swiftly and effectively to manage disasters.^[10] This may include a health crisis such as a disease outbreak where it meets the requirements of a disaster as defined above.

An essential part of managing a disaster relates to sharing information, and here, sections 17 and 18 of the Act become relevant.^[10] Section 17 states that the National Disaster Management Centre (NDMC) must act as a central channel and repository for all information concerning disasters and their management, and as such it must collect, process, analyse and store information related to the current disaster, which depending on the context may include information related to public health. This information must be electronically accessible and free of charge, but may include restricted sections in the database, with controlled access, where the information is kept.^[10] In other words, section 17 allows the broad collection and sharing of sensitive public health information to manage disease outbreaks. While it promotes transparency, it also introduces risks to privacy, especially where data might be used for surveillance or track-and-trace purposes. Section 18 provides that the NDMC may request any organ of state or person to provide information that is reasonably required for disaster management purposes.^[10] This means that a legal mechanism exists whereby disclosure of sensitive or personal information may be compelled for public health management purposes. It illustrates how privacy rights can be overridden in the name of the public health. Although the DMA allows for certain rights to be overridden under broader emergency power to ensure public safety, these measures must align with constitutional limitations and be subject to oversight (Table 1).

 

 

Legality, proportionality and the necessity of limitations in a health context as interpreted by the courts

While the laws discussed above provide the legislative scaffolding for limiting privacy in the interest of public health, it is ultimately through judicial interpretation that these provisions acquire practical meaning and legal boundaries. Accordingly, the SA courts have played a crucial role in clarifying when and how constitutionally protected rights may be limited. The following discussion examines how courts have applied principles such as necessity and proportionality in health and privacy contexts, thereby illustrating how abstract legislative standards are operationalised in practice.

In Minister of Health of the Province of the Western Cape v Goliath and Others,^[12] two individuals diagnosed with extreme drug-resistant tuberculosis repeatedly absconded from a public health facility, which posed a serious risk to public health. The Provincial Minister of Health brought an application to the High Court for an order compelling their involuntary isolation at Brooklyn Chest Hospital until they were no longer infectious. The legal questions in this case were: whether the forced isolation of the respondents constituted an arbitrary deprivation of their freedom of security of the person, as provided for by section 12(1) of the Constitution;^[6] whether there was a valid legal basis for their detention under existing SA health law; and whether the conditions of the respondents' detention were constitutionally compliant under section 35(2)(e) of the Constitution. The court found that the deprivation of freedom was not arbitrary or without just cause, and was justified to prevent the spread of a dangerous, highly infectious disease; it was consistent with international human rights instruments (such as the ICCPR and Siracusa Principles discussed below); and that there existed a valid statutory basis under section 7(1)(c) and (d) of the NHA^'8' to provide health services without consent where public health is seriously at risk. The court further confirmed that detained patients were entitled to conditions consistent with human dignity, including adequate medical treatment and basic rights during isolation, as per section 35(2)(e) of the Constitution.^'6' Based on these findings, the court granted the order compelling involuntary isolation.^[12]

The reasoning behind these findings may be clearly seen from the following quotes:

• 'Isolation of patients with infectious diseases is universally recognised in open and democratic societies as a measure that is justifiable in the protection and preservation of the health of citizens, even though it necessarily involves some intrusion upon the individual liberty of the patients concerned' (paragraph 37)

• 'Public health may be invoked as a ground for limiting certain rights in order to allow a state to take measures dealing with a serious threat to the health of the population Such measures must be specifically aimed at preventing disease or injury or providing care for the sick and injured' (paragraph 37 - 38)

• 'Although a country's Bill of Rights may bestow a range of human rights on individuals, these rights can usually be restricted if doing so is reasonable and justifiable' (paragraph 41)

• 'In principle, the limitation on the freedom of movement of patients with infectious diseases is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom' (paragraph 42).

This case therefore illustrated that: even constitutionally entrenched rights (in casu bodily integrity and autonomy) are not absolute,^[20] especially when weighed against the public interest in preventing the spread of infectious diseases; there exists a balancing act in justifying rights limitations for public health reasons; non-consensual measures in the name of public health (in casu involuntary detention and treatment) are lawful if necessary and proportionate; and public health emergencies may override individual rights, provided the measures taken are based on law, justified and reasonably limited. As clarified earlier, the court's reference to 'public interest' here functions as synonymous with public health protection (the collective welfare interest in preventing disease transmission), rather than the broader public interest concept as may today be found in section 37 of POPIA.^[7]

This line of judicial thinking, that rights are not absolute even in the sensitive area of healthcare, has also been more recently applied in the case of De Jager v Netcare Ltd.^[13] Although Goliath^[12] dealt more broadly with constitutional rights, the de Jager case, heard after the full implementation of POPIA, is a landmark case in the context of SA privacy law,^[21] and deals expressly with the right to privacy and its limitation. Here, de Jager challenged the admission of surveillance evidence that was covertly collected by Netcare, claiming that it violated his constitutional right to privacy, since it involved personal and health-related information. The surveillance was conducted to assess the legitimacy of his medical compensation claims against Netcare, and included pictures taken in public to expose the truth of his state of health. The legal questions that arose included whether the collection and use of the surveillance infringed on de Jager's right to privacy; whether the constitutional right to privacy may be directly invoked when POPIA governs personal information processing; whether the processing of special personal information regarding health was lawfully done under POPIA; and whether the surveillance evidence should be admissible despite the privacy concerns.^[13]

The court found that, due to the principle of subsidiarity, privacy is governed by POPIA and not the Constitution directly, and since POPIA exists to give effect to the right to privacy, de Jager should have relied on POPIA, not the Constitution, as legal foundation to his claim. Further, the surveillance evidence was lawfully obtained under POPIA, specifically, section 11(1)(f): the processing was necessary for pursuing Netcare's legitimate interest in a legal defence; and sections 26 and 27: the prohibition on processing special personal information does not apply when the information is needed to establish or defend a right in law.^[7] The court also held that section 6 of POPIA, which excludes its application from judicial functions, was interpreted broadly, which means that personal information used in court proceedings is exempt from POPIA, as long as its admission is guided by existing legal rules.^[13]

Lastly, the court confirmed that the right to privacy is not absolute, and may be proportionally limited under section 36 of the Constitution when balanced against public interest.^[13] In the context of an outbreak of disease, showing public interest as a sanctioned exemption to the lawful processing requirements might not be necessary, as sections 15 and 32 of POPIA allow exemptions for public health purposes,^[7] as discussed above. Again, the distinction between public health and broader public interest becomes relevant: the former provides more direct authorisation for pandemic-related processing based on epidemiological necessity, while the latter requires explicit demonstration that collective benefits substantially outweigh privacy interference.

The issue of proportional rights limitation was also examined in de Jager.^[13] From this case it is not only clear that privacy is not absolute, but that POPIA is aligned with the constitutional requirements for the limitation of rights. This is important when keeping in mind that the Constitution is the supreme law of SA. Although the subsidiarity principle precluded the direct invocation of the Constitution, POPIA's design reflects section 36 thereof.^[6] This may be seen in that section 9 of POPIA, which states that 'personal information must be processed lawfully and in a reasonable manner that does not infringe the privacy of the data subject'^[7] somewhat mirrors section 36 of the Constitution^[6] mandating that any limitation of a right must be reasonable and justifiable.

These cases therefore illustrate that constitutional rights, such as the right to privacy, are not absolute, and that public health may be seen as legal grounds for a limitation that is reasonable and justifiable. Goliath^[12] set a foundational precedent for justifying limitations of rights under public health that reinforced the notion that rights may be lawfully limited if proportional, necessary and grounded in statutory authority, and highlighted the role of the NHA^[8] and constitutional principles, especially section 36,^[6] in balancing individual rights and public safety. De Jager^[13] further supports the argument that privacy rights, especially in health information, are not absolute and may be limited when justified by public interest. This case illustrates that POPIA^[7] provides a structured legal framework for assessing these limitations, with built-in tests of proportionality and necessity aligning with those of section 36 of the Constitution, and although this case relates to civil litigation, the findings set a precedent transferable to public health crises, where similar justifications (health surveillance, track-and-trace, etc.) may justify the temporary limitation of privacy.

A critical question, however, remains largely unaddressed by these cases: does legal compliance necessarily translate into public trust and legitimacy? International evidence from the COVID-19 pandemic suggests that legally compliant surveillance measures often failed to achieve public health objectives because they eroded public trust,^[22] and while both mentioned cases confirm that SA's framework meets formal constitutional and statutory requirements for rights limitation, neither engages with whether affected individuals and communities actually perceive these measures as legitimate, nor whether compliance with law ensures public co-operation with health interventions.

The SA context magnifies these concerns as, after the pandemic, reports emerged of insufficient transparency regarding how health data were collected, stored and shared, creating widespread uncertainty about state surveillance activities.^[23] Studies demonstrate that public trust in government institutions significantly influences compliance with public health measures, with distrust leading to reduced participation in testing, contact tracing and vaccination programmes regardless of legal mandates.^[24,25] Historical factors in SA further compound this trust deficit, as the apartheid-era use of health systems for surveillance and control has created lasting institutional distrust, particularly around state data collection activities.^[26] When pandemic measures are implemented in ways that recall historical abuses, such as mandatory testing without clear safeguards, or data sharing without transparency, distrust and resistance rooted not in irrationality but in justified historical wariness may be triggered.

Therefore, while the legal framework analysed above provides a constitutionally sound basis for limiting privacy, it does not guarantee that such limitations will be trusted, perceived as legitimate or successfully implemented. This gap between formal legality and substantive legitimacy suggests that future pandemic preparedness must address not only whether privacy limitations are lawful, but whether they are designed and implemented in ways that maintain public co-operation and trust.^[27] It is here that safeguards will play an important role, and the recommended requirements provided below become significant.

 

Recommended requirements for the limitation of privacy during times of disease outbreak and public health crisis

From the above discussion of the SA regulatory framework and the judicial interpretation of some of these legislative documents, the following requirements to evaluate any proposed limitation on privacy during a public health crisis or disease outbreak may be identified.

(i) Any proposed limitation to the right to privacy must be based on a law of general application: section 36 of the Constitution^[6] requires that any rights limitation must be carried out in terms of a law of general application. POPIA,^[7] the NHA,^[8] the Surveillance Regulations^[9] and the DMA^[10] all qualify as such.

(ii) Any proposed limitation on the right to privacy must be reasonable and justifiable in an open and democratic society: section 36 of the Constitution^[6] requires that any limitation of rights must consider certain factors as discussed above. De Jager^[13] confirmed that POPIA aligns with section 36, making POPIA-compliant limitations presumptively constitutional.

(iii) Any proposed limitation on the right to privacy must serve a legitimate public health purpose: the limitation must be aimed at preventing the spread of infectious diseases (Goliath^[12]), protecting public health or life (as seen from sections 15 and 27 of POPIA,^[7] section 14 of the NHA^[8] and regulation 15 of the Surveillance Regulations^[9]) or enabling effective public health surveillance or research (as seen from sections 26 and 27 of POPIA^[7] and regulation 18 of the Surveillance Regulations^[9]). As distinguished earlier, 'public health purpose' here refers to specific epidemiological objectives, not the broader 'public interest' standard.

(iv) Any proposed limitation on the right to privacy must be necessary: necessity implies that there are no equally effective and less rights-infringing alternatives. In Goliath,^[12] forced isolation was necessary to prevent the spread of disease, and section 15 of POPIA^[7] allows for the further processing of data where necessary to prevent serious health threats.

(V) Any proposed limitation of the right to privacy must be proportionate: the infringement of privacy must not be excessive relative to the benefit to public health. The Goliath^[12] and de Jager^[13] cases both stress proportionality, and section 37 of POPIA^[7] requires that public interest must substantially outweigh any interference with privacy.

(vi) Any proposed limitation of the right to privacy must provide adequate safeguards: the limitation must include safeguards to protect against abuse, which should include that the limitation is time-bound and purpose-specific, that confidentiality obligations are kept and that oversight exists.

(vii) Consent must be obtained unless otherwise justified: although consent is a default requirement for the rendering of health services or the processing of personal information, it may be set aside for research in the public interest, where it is impossible or where it would entail a disproportionate effort to obtain (see section 27 of POPIA^[7]). In these instances, sufficient guarantees must be provided that the omission of consent does not adversely affect the privacy of the data subject to a disproportionate extent. Section 7 of the NHA^[8] provides for the setting aside of consent for the provision of health services where public health is seriously at risk. Consent may also be set aside where legal obligations or legitimate interests exist (such as in de Jager^[13]).

(Viii) Health information should only be used for a specific public health purpose: both POPIA^[7] and the Surveillance Regulations^[9] require purpose limitation. This means that health data should only be used for surveillance, reporting or public health management by way of track-and-trace.

(ix) Only necessary information must be collected and shared: this is seen in the POPIA section 10 minimality principle.^[7] The DMA^[10] in sections 17 and 18 allows for the sharing of data for disaster management, but only as far as necessary.

(x) The disclosure of any information must be lawful and justified: disclosing any personal health information must comply with the POPIA exemptions (section 37^[7]) and the Surveillance Regulations,^[9] which only allow disclosure for public health, investigation or as required by law.

(xi) Where relevant, judicial oversight must be available: this will apply in instances where involuntary measures may be required (such as in the Goliath^[12] example), and courts will have to review any limitation of a right for lawfulness, necessity and proportionality.

(xii) Any proposed limitation of the right to privacy may not violate human dignity: the Goliath case^[12] emphasised that rights limitations, even in emergencies, must respect dignity.

While the requirements listed above reflect SA's existing legal framework, to strengthen future pandemic preparedness beyond mere legal compliance, the following additional legal and ethical mechanisms could be considered: an independent health data oversight body; mandatory sunset clauses for pandemic data collection; data deletion and anonymisation mandates; algorithmic transparency and bias auditing; public transparency requirements; whistleblower protections for data misuse; enhanced public communication strategies; and post-pandemic review mechanisms.

Although the scope of this article does not allow for an in-depth discussion of each of these, these mechanisms move beyond confirming that existing law permits necessary limitations, to asking whether the framework actively prevents misuse, ensures accountability, maintains public trust and promotes effective public health outcomes □ concerns that formal legal compliance alone cannot address.

 

Benchmarking: International provisions

The ICCPR^[14] provides for numerous human rights. However, it also provides for the limitation of rights and, in the context of this article, it is interesting to note that it expressly allows for the limitation of the rights to liberty of movement (article 12), to freedom to manifest religion or belief (article 18), to hold opinions (article 19), to peaceful assembly (article 21) and to freedom of association (article 22) for the 'protection of public health'.^[14] The right to privacy, as provided for by article 17,^[14] does not explicitly list 'protection of public health' as grounds for limitation but states instead that no person may be subjected to arbitrary or unlawful interference in their privacy. This suggests that the ICCPR does recognise that privacy is not an absolute right and may be limited, but that such limitation must not be arbitrary or unlawful. This is in line with the requirements echoed by section 36 of the SA Constitution,^[6] as discussed above.

The Siracusa Principles^[15] further make provision for the limitation of rights enshrined in the ICCPR, showing once again that no right is absolute. In terms of clause 25 of the Siracusa Principles,^[15] public health may be invoked to limit certain rights in order to allow states to deal with serious threats to the health of their populations or to individual members. These measures must, however, be specifically aimed at preventing disease or injury or to providing care to the sick and injured. This provision again supports the argument made throughout this article that rights may be limited in the public interest and, as such, for public health reasons and the curbing of disease outbreaks. Here too, the Siracusa Principles use 'public health' as a specific justifying ground for limitations, with the broader 'public interest' concept serving as an umbrella under which public health falls.^[15]

The Siracusa Principles also provide for general interpretative principles relating to the justification of limitations.^[15] As an interesting exercise, the SA legal position related to limiting rights, as summarised above, has been benchmarked against the interpretative framework set out in the Siracusa Principles to assess whether it aligns with international standards (Table 2). This comparative analysis helps to determine whether the SA approach to limiting the right to privacy during public health crises meets the threshold of legality, necessity, proportionality and accountability required under international law. Table 2 reflects this comparison and demonstrates the extent to which SA's legal framework would withstand scrutiny under the Siracusa Principles.

 

 

This comparison shows that SA's framework for limiting the right to privacy during disease outbreaks largely aligns with international standards set by the Siracusa Principles.

 

Conclusion

In preparing for future public health crises, SA's legal framework offers a structured, constitutionally compliant and internationally aligned approach to the limitation of privacy rights. Through our laws, as interpreted and applied by the courts, SA ensures that any infringement on privacy in the name of public health remains legally grounded, necessary, proportionate and respectful of human dignity. When benchmarked against international standards the SA position also holds up, demonstrating that with proper safeguards, public health imperatives and constitutional rights may be effectively balanced.

This article has also, however, demonstrated that legal compliance alone does not ensure legitimacy or public trust. The COVID-19 pandemic revealed persistent gaps between constitutional ideals and practical implementation, particularly regarding transparency, accountability and sustained public co-operation with health interventions. Future preparedness must therefore move beyond asking whether privacy limitations are lawful to examining whether they are trusted, to achieve stated public health objectives and public confidence in state institutions. The novel mechanisms proposed above offer ways toward a pandemic response that is not merely constitutional, but genuinely legitimate and effective in maintaining the public trust necessary for successful health interventions.

Declaration. None.

Acknowledgements. None.

Author contributions. Sole author.

Funding. None.

Conflicts of interest. None.

 

References

1. Ada Lovelace Institute. Exit through the App Store? A rapid evidence review on digital contact tracing. Ada Lovelace Institute, 2020. https://www.adalovelaceinstitute.org/report/exit-through-the-app-store/ (accessed 6 November 2025).

2. National Department of Health, South Africa. Discussion on COVID Alert SA App. Pretoria: NDoH, 2020. https://www.health.gov.za/discussion-on-covid-alert-sa-app/ (accessed 6 November 2025).         [ Links ]

3. Wymant C, Ferretti L, Tsallis D, et al. The epidemiological impact of the NHS COVID-19 app. Nature 2021;594:408-412. https://doi.org/10.1038/s41586-021-03606-z        [ Links ]

4. Rowe F. Contact tracing apps and values dilemmas: A privacy paradox in a neoliberal world. IJIM 2020;55:102178. https://doi.org/10.1016/j.ijinfomgt.2020.102178        [ Links ]

5. Feldscher K. The next pandemic: Not if, but when. Boston: Harvard School of Public Health, 2024. https://hsph.harvard.edu/news/next-pandemic-not-if-but-when/ (accessed 1 April 2025).         [ Links ]

6. Constitution of the Republic of South Africa, 1996.

7. South Africa. Protection of Personal Information Act No. 4 of 2013.

8. South Africa. National Health Act No. 61 of 2003.

9. South Africa. National Health Act of 2003. Regulations relating to the Surveillance and the Control of Notifiable Medical Conditions. Government Gazette No. 35099, 2012. Published under Government Notice 604.

10. South Africa. Disaster Management Act No. 57 of 2002.

11. Accessible Law. Protection of Personal Information Act (POPI Act). Accessible Law, 2019 - 2025. https://popia.co.za/ (accessed 1 April 2025).

12. Minister of Health of the Province of the Western Cape v Goliath and Others 2009 (2) SA 248 (C).

13. De Jager v Netcare Limited and Others (42041/16) [2025] ZAGPPHC 141 (17 February 2025) (unreported). https://www.saflii.org/za/cases/ZAGPPHC/2025/141.html (accessed 24 April 2025).

14. United Nations. International Covenant on Civil and Political Rights. New York: UN, 1976. https://www.ohchr.org/sites/default/files/ccpr.pdf (accessed 11 April 2025).         [ Links ]

15. United Nations Commission on Human Rights. Siracusa Principles on the Limitation and Derogation of Provisions in the International Covenant on Civil and Political Rights. New York: UNCHR, 1984. https://www.icj.org/wp-content/uploads/1984/07/Siracusa-principles-ICCPR-legal-submission-1985-eng.pdf (accessed 11 April 2025).         [ Links ]

16. Capital Area Public Health Network. What is public health? Capital Area Public Health Network, 2025. https://www.capitalareaphn.org/about/what-is-public-health (accessed 6 November 2025).

17. Thaldar D. Research and the meaning of 'public interest' in POPIA. S Afr J Sci 2022;118(3/4):1-3. https://doi.org/10.17159/sajs.2022/13206        [ Links ]

18. Currie I, de Waal J. The Bill of Rights Handbook. 6th ed. Cape Town: Juta, 2013.         [ Links ]

19. National Department of Health, South Africa. Notifiable Medical Conditions (NMC) Disease List. Pretoria: NDOH, 2018. https://www.nicd.ac.za/wp-content/uploads/2017/06/NMC-list_2018.pdf (accessed 11 April 2025).         [ Links ]

20. Carstens P. The involuntary detention and isolation of patients infected with extreme resistant tuberculosis (XDR-TB): Implications for public health, human rights and informed consent. Obiter 2009;30(2):420-429. https://doi.org/10.17159/obiter.v30i2.12442        [ Links ]

21. Thaldar D. A landmark judgment on informational privacy. WordPress: Thaldar, 2025. https://thaldar.com/2025/02/17/a-landmark-judgment-on-informational-privacy/ (accessed 1 April 2025).

22. Ienca M, Vayena E. On the responsible use of digital data to tackle the COVID-19 pandemic. Nature Med 2020;26:463-464. https://doi.org/10.1038/s41591-020-0832-5        [ Links ]

23. Silva D, Smith M. Data sharing during pandemics: Reciprocity, solidarity, and limits to obligations. J Bioeth Inq 2023;20(40):667-672. http://doi.org/10.1007/s11673-023-10251-w        [ Links ]

24. Siegrist M, Zingg A. The role of public trust during pandemics. Eur Psychol 2014;19(1):23-32. https://doi.org/10.1027/1016-9040/a000169        [ Links ]

25. Bargain O, Aminjonov U. Trust and compliance to public health policies in times of COVID-19. J Pub Econ 2020;192:104316. https://doi.org/10.1016/j.jpubeco.2020.104316        [ Links ]

26. Coovadia H, Jewkes R, Barron P, Sanders D, McIntyre D. The health and health system of South Africa: Historical roots of current public health challenges. Lancet 2009;374(9692):817-834. https://doi.org/10.1016/S0140-6736(09)60951-X        [ Links ]

27. O'Neill O. Accountability, trust and informed consent in medical practice and research. Clin Med 2004;4(3):269-276. https://doi.org/10.7861/clinmedicine.4-3-269        [ Links ]

 

 

Correspondence:
L Prinsen
prinsenl@ufs.ac.za

Received 13 June 2025
Accepted 7 November 2025