supermarkets, banks, hotels were required to take temperature readings and record relevant personal information of clients.40 For instance, Botswana required under Restrictions on Meetings, Societies, Gatherings that for purposes of contact tracing, a host must maintain a register containing the personal details and contact details of all persons accessing the premises. This information shall be open for inspection by the Director of Health Services for the purposes of contact tracing, and by law enforcement in the case of investigation of an offence under Emergency Powers.41 The collection of personal data presented a huge risk to health-related data of consumers and the public as many of these public and private entities did not have the requisite training and infrastructure for confidentiality.42 For Botswana and Zimbabwe the various statutory instruments declaring the pandemic, did not have any provisions of how the collected personal data was to be stored, and destroyed, and how DPAs or data controllers and processors were to conduct themselves. 4.2.2 COVID-19 data storage and destruction case of South Africa Compared to Zimbabwe which had no DPA or DP law at the time of the declaration of COVID-19 disaster, South Africa had already enacted the Protection of Personal Information Act of 2013 (POPIA), with an independent and functional DPA, in this instance the Information Regulator (IR).43 The IR oversight, appointment and removal is subjected to parliamentary processes.44 As laws regulating the COVID-19 public health emergency are temporary, data protection mechanisms for health-related data need not be temporary. South Africa's data protection authority, IR issued guidelines articulating data processing parameters.45 No other country in the SADC region had similar pronouncements. Even without data protection law or authorities, the ministries of health in all the countries acted as a sector specific public data controller responsible for other private and public data processors and must have issued health-related data processing guidelines concurrently with the public health standards and measures. This was done manually with basic thermometers, infrared temperature readings or mobile applications such as Quick Response QR codes or bar codes used to check in to venues, hospitals, public places. Botswana Government Gazette Directions for the Prevention of the Spread of COVID A G.N. No. of of General Data Protection Regulation processing of health data for medical purposes under art ; GN of ; GN of h must be done by a professional who is bound by professional confidentiality. s establishment of IR; s appointment of IR under the Protection of Personal Information Act No. of Section b iv ; s ;s of Protection of Personal Information Act No. of . Guidance Note on the processing of personal information in the Management and Containment of COVID of Personal Information Act of . pandemic in terms of the Protection . PAGE