In light of the declaration of a national state of disaster as a result of the Coronavirus (COVID-19) pandemic, it is now likely that schools and further learning institutions in South Africa will remain closed for the foreseeable future (even after the national lockdown period) and online teaching will be inevitable. However, privacy, data protection and security are critical when teachers and learners are working remotely due to the higher risk of personal data breaches.

The Information Regulator, established in terms of the Protection of Personal Information Act, 2013 (“POPIA”), has recently issued a guidance note on the processing of personal information of data subjects in the management and containment of COVID-19. Confirming that not all of the provisions of POPIA have come into effect, the Regulator nonetheless encourages proactive compliance with POPIA in order to give effect to the right to privacy as it relates to the protection of personal information. The Regulator is clearly of the view that companies, including schools and further learning institutions, should commence their POPIA compliance initiatives now if they have not done so already.

In the case of schools in particular, there is a greater responsibility to ensure that the privacy of children is secured. POPIA provides that the personal information of children may only be processed in limited circumstances and, even then, should never be processed unless sufficient guarantees are provided to ensure that the processing does not adversely affect the individual privacy of the child.

POPIA further places a restriction on the transfer of personal information of children to a third party in a foreign country that does not provide an adequate level of protection, without the prior authorisation of the Information Regulator. Cloud-based services and many online teaching platforms have servers that are not based in South Africa. In other words, submitting personal information of children to these platforms needs to be carefully considered. 

Here is a simple list of dos and don'ts in the online teaching environment:

Do

  • Implement a data protection policy. Make sure your staff and learners understand the policy and the importance of online security.
  • Implement an acceptable use policy. Provide clear guidance on what online behaviour is acceptable and what is not.
  • Ensure the effective implementation of your policies. You could create regular online awareness campaigns (like pop-up banners, fun competitions, webinars on security, etc).
  • Implement data breach protocols. Make sure your staff and learners know what to do in the case of a data breach (or suspected data breach).
  • Make sure you and the students use strong passwords that no-one else (including in the household) knows or can guess.
  • While working with school data, lock your screen when you are away/not using your device.
  • Check that all anti-virus, malware and security updates on your devices have been installed.
  • Be careful which websites you visit and which email attachments you open.
  • Keep your devices and hard copies (paper) of school-related information in a safe and secure place.
  • Remove all school data from your devices when it is no longer needed or at the request of the school.
  • Obtain parental/guardian consent before processing (ie, using, recording, storing, sharing and the like) the personal information of children.
  • Carefully consider your agreements with cloud and other online service providers. It is important to understand in which territory data is stored, how data you share with them will be used, and what security measures your service providers employ.
  • Understand the role and responsibilities of the Information Officer.

Don't

  • Use USB data storage devices, as they are easy to misplace.
  • Share data with unauthorised third parties.
  • Share data on social media without parental/guardian consent.
  • Use service providers that do not have adequate data privacy and security standards.

For private schools and further learning institutions, the head of the organisation will be regarded as the Information Officer, unless such role is delegated. Several obligations are imposed on the Information Officer in terms of POPIA. These include the obligation to ensure that a POPIA compliance framework is developed, implemented, monitored and maintained and that internal awareness sessions are conducted.

COVID-19, also known as the Coronavirus, is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) that was declared a pandemic by the World Health Organization on 11 March 2020. The disease has since been reported in over 190 countries.

Originally Published 21 April, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.