SciELO - Scientific Electronic Library Online

 

South African Journal of Science

On-line version ISSN 1996-7489
Print version ISSN 0038-2353

S. Afr. j. sci. vol.117 no.3-4 Pretoria Mar./Apr. 2021

http://dx.doi.org/10.17159/sajs.2021/9490 

COMMENTARY

 

Protecting personal information in research: Is a code of conduct the solution?

 

 

Donrich Thaldar^I,II; Beverley Townsend^I,II

^I School of Law, University of KwaZulu-Natal, Durban, South Africa
^II African Health Research Flagship, University of KwaZulu-Natal, Durban, South Africa


 

 


Keywords: exemption, cross-border transfer, functional equivalent, Information Regulator, POPIA, specific consent


 

 

In 2009, the South African Law Reform Commission published its report on privacy and data protection. Four years later this culminated in the enactment of the Protection of Personal Information Act 4 of 2013 (POPIA) by Parliament. To provide society with sufficient time to prepare to be POPIA compliant, POPIA's substantive provisions only entered into force in July 2020. In addition, POPIA itself provides for a one-year grace period before compliance becomes compulsory. During the latter part of 2020, the Academy of Science of South Africa (ASSAf) initiated a project to develop a code of conduct in terms of POPIA for all research activities. In this essay, we explore (1) the purpose of codes of conduct and (2) the concerns of the science community regarding POPIA, and (3) pose the question: is a code of conduct the solution to address these concerns?

 

The purpose of codes of conduct

POPIA provides that the Information Regulator may issue codes of conduct for particular sectors. Codes of conduct can be useful tools to facilitate compliance, as codes of conduct can explain and apply POPIA's principles to sector-specific activities. What are these principles? Most importantly, POPIA sets out eight 'conditions' for the lawful processing of personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. Researchers and research institutions (or 'responsible parties') are required to ensure that all measures are taken to adhere to these conditions, unless one or more particular conditions have been specifically excluded or exempted from operation under specific provisions within POPIA.

POPIA is clear: a code of conduct must incorporate all the conditions for the lawful processing of personal information, or set out obligations that provide a functional equivalent of the obligations set out in the conditions. A position or practice of 'functional equivalence' is one that performs the same function and provides the same utility as is required by the provision. It is therefore not envisaged in POPIA that a code of conduct can fundamentally deviate from the eight conditions for the lawful processing of personal information.

What a code of conduct can do - and in fact, must do - is to prescribe how the conditions for the lawful processing of research data are to be applied, and how the provisions within POPIA are to be complied with within a particular sector. In doing this, the code of conduct should focus on the typical activities particular to a given sector, in an attempt to explain and demonstrate how POPIA applies to these activities.

 

Concerns about POPIA compliance

During an ASSAf workshop on the intended code of conduct, held online on 10 December 2020, the following concerns about POPIA were most prominent among participants (in our observation):

  • uncertainty about what exactly POPIA entails in general;
  • the issue of cross-border transfers of personal information; and
  • POPIA's requirement that consent must be specific, which is a break from the past where broad consent was deemed sufficient, and which poses a challenge especially to biobanks with historical data that were collected without specific consent.

Can a code of conduct offer a solution to these three concerns? We analyse these concerns seriatim.

Uncertainty

A well-drafted code of conduct should clearly explain the principles of POPIA and also provide guidelines on exactly how to protect personal information at every stage of the research process. Such a code of conduct would indeed address the concern about uncertainty.

Cross-border transfers

A code of conduct will offer a partial solution to concerns about cross-border transfers. First, consider a scenario in which health information and biometric information are to be transferred to a research institution in a foreign country that does not provide an adequate level of protection. This scenario would be typical in the context of health research. The default position in this scenario is that the South African research institution must obtain prior authorisation for the intended transfer from the Information Regulator. However, this requirement of having to obtain prior authorisation is obviated if the South African research institution is operating under the auspices of a code of conduct that has been approved by the Information Regulator. As such, in this scenario, a code of conduct does offer a solution.

Next, consider a scenario in which a South African research institution intends to transfer personal information (not limited to health information and biometric information) to a research institution in a foreign country. In the absence of specific consent by research participants to transfer their personal information to this research institution in a foreign country, the South African research institution may still transfer the personal information if there is an adequate level of protection of personal information by either the law in the foreign country or by an agreement between the two research institutions. (This is of course subject to the paragraph above, and also subject to the terms of the informed consent provided by the research participants.) What is needed by the South African science community is a standard data transfer agreement that can be used to ensure that an adequate level of protection of personal information is in place. Ideally, such a standard data transfer agreement should be developed together with the code of conduct as complementary legal instruments.

Specific consent

POPIA's definition of consent as 'voluntary, specific and informed expression of will' (section 1) has been the subject of academic debate: Staunton et al. [1,2] argue that POPIA allows for broad consent. We find this argument unconvincing, and have proffered a full critique of Staunton et al.'s position [3,4], to which they have replied [5]. Our position can be encapsulated as follows: POPIA contains exceptions for research; however, these exceptions are subject to certain requirements, including the requirement that the original collection of data must be done for a 'specific, explicitly defined and lawful purpose' (section 13). This poses a particular challenge to researchers who might have gathered data of thousands of data subjects in the past without obtaining consent for a 'specific, explicitly defined and lawful purpose'. Also, going forward, researchers may, for good reasons, wish to collect data for a broad range of possible research projects. Is there - within the interpretation of POPIA requiring specific consent, as we suggest - a solution to these issues?

The appropriate strategy to address issues such as biobanks with historical data (obtained without specific consent and in the absence of any other of the legitimate grounds described in section 11) would be to approach the Information Regulator for an exemption from specific consent in specified circumstances in terms of section 37. The Information Regulator may only grant an exemption if she is satisfied that the public interest outweighs any possible interference with the privacy of the research participant to a substantial degree. Accordingly, the mere inconvenience of complying with the requirement of specific consent is unlikely to suffice as a reason for granting an exemption. More solid, principled reasons would need to be put forward. For example, a principled reason in the context of health research would be that the research links with the right to access to health care and ultimately with the right to life. Furthermore, an exemption application should be supported by evidence, preferably in the form of empirical studies on representative samples of South African research participants to ascertain their opinions on the sufficiency of less specific kinds of consent. Provided that the outcome of such studies is favourable, and provided that principled reasons can be presented for a specific field of scientific endeavour, and under specified circumstances, the combination of evidence and principled reasons would constitute a good argument in support of an exemption.

A code of conduct remains important to explain and clarify how specific consent ought to be obtained in the context of scientific research, and how the requirements for the research exclusions (where no consent for further research is required by POPIA) are to be met, for example, by setting out what exactly 'sufficient guarantees' are (section 27(1)(d)). A code of conduct should also take cognisance of the Department of Health's Ethics Guidelines [6], which under certain circumstances require research participant consent for further research (unlike POPIA). Ideally, a code of conduct would provide a consolidated guide for the science community. When engaged in this consolidation exercise, care should be taken to not erode any of the constituent sources' requirements - whether POPIA or the Ethics Guidelines.

 

Conclusion

A code of conduct is not a panacea. To address concerns about POPIA compliance in the South African science community, we recommend that ASSAf expands its current code-of-conduct-development initiative to include: (1) the development of a standard data transfer agreement that can be incorporated as an annexure to the code of conduct, and (2) an investigation into the need, scope and justification for a possible exemption from specific consent in certain contexts.

 

Acknowledgements

We acknowledge an African Health Research Flagship Grant from the University of KwaZulu-Natal and a South African National Research Foundation Grant (grant no. 116275).

 

Competing interests

We declare that there are no competing interests.

 

References

1. Staunton C, Adams R, Botes M, Dove ES, Horn L, Labuschaigne M, et al. Safeguarding the future of genomic research in South Africa: Broad consent and the Protection of Personal Information Act No 4 of 2013. S Afr Med J. 2019;109(7):468-470. https://doi.org/10.7196/SAMJ.2019.v109i7.14148

2. Staunton C, Adams R, Anderson D, Croxton T, Kamuya D, Munene M, et al. Protection of Personal Information Act 2013 and data protection for health research in South Africa. Int Data Priv Law. 2020;10(2):160-179. https://doi.org/10.1093/idpl/ipz024

3. Thaldar D, Townsend B. Genomic research and privacy: A response to Staunton et al. S Afr Med J. 2020;110(3):172-174. https://doi.org/10.7196/SAMJ.2020.v110i3.14431

4. Townsend B, Thaldar D. Navigating uncharted waters: Biobanks and informational privacy in South Africa. S Afr J Hum Rights. 2019;35(4):329-350. https://doi.org/10.1080/02587203.2020.1717366

5. Staunton C, Adams R, Botes M, Adams R, Botes M, Dove ES, et al. Correspondence. S Afr Med J. 2020;110(3):175-176. https://doi.org/10.7196/SAMJ.2020.v110i3.14450

6. South African Department of Health (DoH). Ethics in health research: Principles, processes and structures. Pretoria: DoH; 2015.

 

 

Correspondence:
Donrich Thaldar
Email: ThaldarD@ukzn.ac.za

Published: 29 March 2021

Creative Commons License: All the content of this journal, except where otherwise noted, is licensed under a Creative Commons License.