South Africa introduced judicial oversight on the collection of personal health data under the COVID-19 application. The designated judge was supposed to receive weekly updates on the collection and usage of personal data and make directives for protection of privacy.46 In addition, the Disaster Management regulations that established a national COVID-19 Tracing Database containing the identification and contact information for all persons tested for COVID-19, and the details of known or suspected contacts of any person who tested positive for COVID-19, was supposed to destroyed within six weeks of the end of the State of Disaster. Furthermore, the database information must be anonymized, if to be retained for research purposes. Despite the above clear framework, the IR as the data protection authority was unable to compel the National Department of Health (NDoH) to confirm that the information collected during the pandemic had been destroyed or archived with sufficient security measures confirmed by an expert third party information security firm. The NDOH was supposed to obtain a report from an information security firm confirming the measures undertaken, and this was also on recommendation of the designate judge. The NDOH defied a directive from the IR, compelling the escalation of the matter to the IR's Enforcement Committee issuing an enforcement notice equivalent to a court order. 4.3 Automated data processing Through analysing personal data information technology has eased human roles in decision making accentuating risks of discrimination, bias and unfair decisions making to data subjects. The making of decisions that have an impact of significant nature or substantial effect from automated processes is not allowed in most DP laws, unless if there are exceptions, of a data subject allowing that, or appropriate measures are in place to protect data subject personal interests. The Zambian47 and Mauritian 48 data protection laws, specifically define profiling as defined in the GDPR recital 71. The laws only differ on the use of personal aspects relating to a natural person (Zambia) and relating to an individual (Mauritius). The GDPR recital 71 define profiling means. Section of the Disaster Management Act No. of Regulations. ZDPA section , profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, including analysis or prediction of the data subject s aspects concerning that natural person s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Mauritian DPA section means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. PAGE