ARTICLE

 

Towards a data transfer agreement for the South African research community: The empowerment approach

 

 

L Swales^I; M Botes^{II, III}; D Donnelly^I; D Thaldar^{I, IV}

^IPhD; School of Law, College of Law and Management Studies, University of KwaZulu-Natal, Durban, South Africa
^IILLD; School of Law, College of Law and Management Studies, University of KwaZulu-Natal, Durban, South Africa
^IIILLD; SnT Centre for Security, Reliability and Trust, University of Luxembourg, Luxembourg
^IVPhD Petrie-Flom Center for Health Law Policy, Biotechnology, and Bioethics, Harvard Law School, Cambridge, USA

Correspondence

 

 

---

ABSTRACT

The idea of a data transfer agreement (DTA) template for the South African (SA) research community is receiving increasing attention. While developing such a DTA template is certainly a worthwhile project, questions regarding the project's practical execution should be addressed, including how to best operationalise the envisioned DTA template, and the content of the envisioned DTA template. It is proposed that an empowerment approach be followed in operationalising the envisioned DTA template, which is contrasted with the regulatory approach followed with the material transfer agreement that the Minister of Health promulgated in 2018. While the regulatory approach would entail government making the use of the envisioned DTA template compulsory regardless of the quality of such a template, the empowerment approach, by contrast, entails a focus on developing a high-quality, professionally drafted DTA template for the SA research community and making the use thereof a matter of own choice. Regarding the content of the envisioned DTA template, four hot-button content provisions are analysed, and it is argued that SA research institutions and researchers should be empowered to: (i) have clarity and legal certainty regarding their ownership of data, where relevant; (ii) be able to commercialise their research findings without unnecessary contractual constraints; (iii) avoid falling into the trap of unlawful benefit sharing with research participants; and (iv) be aware that their legal role as responsible parties, where relevant, cannot be contracted out via a DTA.

---

 

 

In the scientific research context, it is trite that data are enormously valuable in advancing solutions to various health problems. Therefore, cross-border data transfers are increasingly becoming the norm, rather than the exception. However, how should South African (SA) data providers ensure that such data sharing is done on fair terms, and that their reasonable interests are legally protected? One apparent answer is a data transfer agreement (DTA). Typically, a DTA is a written agreement that regulates the lawful transfer of data between a provider and a recipient by setting out, inter alia: the purpose of the agreement; the obligations on each party; the term, ownership and intellectual property; and other critical boilerplate legal provisions. But instructing an attorney to draft a DTA for every data transfer transaction is an expensive exercise. Moreover, the field of data protection is becoming increasingly specialised. There is a myriad of local, regional and international laws that apply to data transfers,^[1] which makes it increasingly challenging for SA data providers to comply with the law. Here, government - or any civil society organisation - can assist by developing a top-quality DTA template and making it available to the research community to use.

In this article, we firstly provide some background on the topic of a DTA template for SA. We then engage with the fundamental question of how such an envisioned DTA template should be operationalised. We suggest a paradigm shift away from the regulatory approach taken with the material transfer agreement (MTA) that the SA Minister of Health promulgated in 2018 (SA MTA).^[2] While the regulatory approach entails a single 'solution' that is made mandatory for all, we suggest an empowerment approach, on which we elaborate in this article. We also make an initial foray into the content suitable for a DTA template in the SA context.

 

Background

The idea of a national template to regulate data transfers containing standard data protection provisions to assist the SA research community is not a novel idea. Most prominently, in 2018, Mahomed,^[3] in her doctoral thesis, suggested that the material transfer agreement (MTA) that she developed can be used nationally as a template. This MTA included data-related provisions. Later the same year, the SA Minister of Health promulgated the SA MTA - based almost entirely on the MTA developed by Mahomed. The minister's action to promulgate the SA MTA was over-hasty and ill-advised. There was no prior public consultation that could have proved essential in ironing out issues with the SA MTA's content. For example, the SA MTA provides that once the agreement becomes effective, the material that is the subject of the agreement is deemed to be transferred by the provider and accepted by the recipient - irrespective of whether the material was in fact transferred and accepted - hence creating a potentially problematic legal fiction.^[4,5] From a practical legal perspective, this is an obvious issue that could have been pointed out to the minister, had he only consulted before promulgating the SA MTA. Furthermore, it has been highlighted in the literature that the SA MTA is in conflict with other pieces of legislation administered by the Minister of Health.^[6-9]

The minister made the SA MTA compulsory to use for all providers and recipients of 'biological material for use in research or clinical trials under the auspices of the Health Research Ethics Committees'. In other words, the SA MTA is compulsory when biological material is shared for purposes of health research or clinical trials. While it is interesting to note that the SA MTA itself defines 'Materials' - note the uppercase and the plural form - as including both human biological material and associated data, the notice by the minister in the Government Gazette neither incorporates the definitions of the SA MTA, nor uses the word 'material' with uppercase or plural as per the defined term in the SA MTA. Accordingly, 'biological material' in the minister's notice takes its ordinary meaning, which refers to the biological matter of which humans are made - i.e. not including data.^[4,9] However, if human biological material is shared and the applicability of the SA MTA is triggered, its provisions would also apply to any data that are associated with such human biological material and that are shared together with it.^[4,9]

In 2020, Thaldar et al.^[4] suggested that the MTA should be revised to provide better data protection. The authors highlighted that the data-related provisions of the SA MTA are insufficiently specific and overbroad.^[4] For example, the SA MTA (in paragraph 13.3) provides that the parties shall treat 'all information' relating to the 'nature and processes of the research' as confidential. This means that the parties may not even reveal the nature of the research project, such as 'research on HIV', to a potential grant funder.^[4] Thaldar et al.^[4] suggested that a revised SA MTA should include standard contractual clauses based on the Protection of Personal Information Act No. 4 of 2013 (POPIA)^[10] itself to ensure that the data protection provided for in the revised SA MTA would ensure adequate protection in terms of POPIA. It is important to note that POPIA - and all other legislation -operates irrespective of whether it is given effect in an agreement between parties. However, foreign (and sometimes local) researchers might not be familiar with the provisions of POPIA that are applicable to cross-border data sharing. Accordingly, the purpose of explicitly including contractual clauses based on POPIA in a revised SA MTA would be to assist the research community to be POPIA compliant.

In 2021, Townsend^[11] provided a detailed analysis of how standard contractual clauses can be used to facilitate cross-border data transfer while ensuring adequate data protection. She suggested that such a set of standard contractual clauses, once approved by the Information Regulator, can be incorporated in any DTA to ensure adequacy via contract. Importantly, Townsend also made complementary suggestions to facilitate cross-border data transfer, including the use of data trusts and the creation of an African Data Corridor. In combination, these policy interventions can propel SA and its partners in an African Data Corridor to a high level of efficiency in cross-border data transfer, while simultaneously ensuring a high level of data protection.

Next, in a 2022 article, Mahomed et al.^[12] advocated for a SA national DTA. Coalescing with Thaldar et al.'s suggestion in 2020 that the MTA ought to be revised to make better provision for data protection,^[41 Mahomed et al. suggested that a possibility would be to 'integrate' the envisioned DTA with the MTA. In the view of Mahomed et al., this possibility would 'streamline the process'.^[12] Mahomed et al. also published a document containing suggested minimum provisions for a DTA (to be part of the MTA) as a supplementary document to inform a consultative process going forward. Subsequent to the Mahomed et al. article, a webinar on the envisioned DTA was organised under the auspices of the SA Medical Research Council (MRC) and took place on 23 June 2022 ('the June Webinar').^[13]

 

How to operationalise a DTA template

In the case of the SA MTA, a typical regulatory approach was followed, which entailed that a government minister promulgated the SA MTA in the Government Gazette, and made its use compulsory for all providers and recipients of biological material that is shared for purposes of health research or clinical trials, as discussed above. This regulatory imposition on the way research is practised - through a standard MTA that must be used - makes SA unique in the world.^[9] However, it should be added that the SA MTA declares itself to be only a 'framework', which means that stakeholders can change the content of its provisions.^{[4, 7,8,]} As observed by Thaldar and Shozi:^[7]

'If the legislative purpose is that the SA MTA must be a "framework" it means that the substantive content of each term of the agreement is not intended to be peremptory but is rather intended to be customisable - provided that the general or basic structure of the SA MTA remains intact. Essentially, the only peremptory aspects of the SA MTA are that whenever HBM [human biological material! is shared for use in research or clinical trials, a material transfer agreement ('MTA') must be in place, and such an MTA must cover all the topics that are covered in the SA MTA.'

Although the SA MTA's reference to itself as a 'framework' softens the hard edge of its compulsory nature, the fact remains that everyone in the research community involved in the sharing of human bio-specimens for health research or clinical trials remains legally compelled to ensure that their own MTAs conform to the 'framework' - i.e. not the substantive content - of the SA MTA. This appears to be aimed more at government control than at supporting the research community in an optimal way.

Government control may, of course, sometimes be necessary. However, we suggest that the data transfer space is already comprehensively and more than sufficiently governed by POPIA. The focus should rather be on how best to support the research community. This includes support to be POPIA compliant, but it also entails more than this, namely gaining access to professionally drafted legal provisions to protect the interests of SA providers of data in a fair and reasonable way.

A more supportive approach, we suggest, would be based on the recognition that while some research institutions are better resourced, and could already have invested in having top-quality DTAs developed, other research institutions - in particular small and medium enterprises and historically disadvantaged universities -might be in need of a professionally drafted DTA template. Accordingly, while some would need and appreciate a DTA template, others would have less or no need for it. Furthermore, given that there is a need for a DTA template among some research institutions, they would assumedly want to use a professionally drafted DTA template if made available to them - especially if such DTA template enjoys some official endorsement. By having a DTA template professionally developed, making it freely available for use by any SA research stakeholder, and encouraging its use through endorsement rather than using the power of government to make its use compulsory for all, the research community will be empowered. This is the approach that we suggest.

Given this empowerment approach, it is clear that the envisioned DTA template cannot be part of the SA MTA - these are two different paradigms. The envisioned DTA template should rather be a separate document. Aligned with the paradigm of empowerment, we suggest a dual set of documents: (i) a template that can be used and amended by stakeholders; and (/7) an explanatory memorandum. The memorandum should explain why clauses are included and formulated the way they are. This will assist stakeholders to understand the rationale behind the content of the template and ensure that they can make better-informed decisions when using and amending the template. The explanatory memorandum should also indicate which clauses should remain unchanged (for reasons of legal compliance), and on the other hand, where there is more space for customisation, provide possible alternative options. This will increase the user-friendliness of the DTA template.

While the regulatory approach is closed to alternatives, in the sense that there can only be one DTA template that is made legally compulsory for all, the empowerment approach is in principle open to the idea that more than one template can receive the official stamp of approval, and stakeholders can have a choice of which one they prefer. Receiving an endorsement should not be a political process, but should be structured based on legal and scientific peer review, which would move the focus to the quality of the legal drafting - e.g. is it comprehensive? Is it easy to understand? Is it well aligned with the law in general? And is it practical to use for scientists?

 

The content of a DTA for the South African context

In this section of our article, we make a foray into the content of a DTA template. Our aim is not to provide an exhaustive list of issues that should be included, but rather to place some hot-button issues on the academic discourse agenda.

In their article, Mahomed et al.^[12] suggest some minimum provisions for the envisioned SA DTA. We appreciate that these suggested minimum provisions are intended as initial ideas to stimulate discussion, and are not necessarily substantiated in the authors' article. We engage with three of the minimum provisions suggested by Mahomed et al. that we perceive as either inherently problematic (exclusion of commercial research and gain-based benefit sharing with research participants) or linked to a problematic issue (the meaning of responsible party). We also add a fourth suggested minimum provision, dealing with the ownership of data. We thought it apt to discuss the ownership of data first, to highlight the importance of its inclusion in any DTA.

Ownership of the data (and inferential data)

An important legal dimension that is not included in the minimum provisions suggested by Mahomed et al.^[12] is an ownership provision. This should deal both with the data that are the object of a DTA and - importantly - any inferential data. To illustrate the importance of such a provision, consider the following hypothetical scenario: a SA university, University X, generates genomic sequence data from DNA of local research participants. However, University X does not have a policy on the ownership of genomic sequence data, nor do the researchers involved take active steps on behalf of University X to acquire ownership of the data that they generate. There is also no agreement regarding ownership of the data in the consent forms with the research participants. Consequently, the data remains res nullius.^[14] This refers to a legal object that is not owned by anybody, and that can be acquired by the first person (i) who has the intention to become the owner of the object and (ii) who exercises effective control over the object."^[15] If University X shares the data with a foreign university, University Y, and fails to provide in detail for ownership of the data, University Y would be at liberty to claim the data instances provided to it as its own property. It would also be at liberty to claim ownership of all instances of inferential data that are generated by it. Such a scenario, we suggest, would do a disservice to University X. As such, the envisaged DTA template should ensure that the data provider's ownership rights - where they exist - are properly protected.

But, would University X not have intellectual property rights in respect of the data that it generated? Not necessarily. We briefly consider three kinds of intellectual property rights:^[14]

• Copyright. Data per se are not a proper object of copyright. Only once the data are compiled in a database, does copyright vest in the database - but not in the constituent data that make up the database.

• Patents. Only once there is an invention would patenting become relevant. The generation of data does not constitute an invention. In any event, the data that lead to a patent are not part of the patent protection.

• Trade secrets. Provided that University X manages the data that it generates as a trade secret, it may be able to qualify for trade secret protection. As such, trade secrets offer the best potential of all the kinds of intellectual property rights to protect University X's interests in respect of the data that it generates. However, keeping data secret is not always possible or viable in the academic research context.

Given the limitations of intellectual property rights, placing all one's reliance on intellectual property rights would open oneself up to unnecessary legal risk. It is a common misconception that intangibles sort under intellectual property law, while tangibles sort under (non-intellectual) property law. This over-simplistic misconception must be debunked. Property law has since Roman times included intangibles. We only need to look at our daily lives to see examples of intangible objects, such as digital money, that are indeed owned in the same way as one would own a tangible object such as a car or a cellphone. Interestingly, the Cybercrimes Act^[16] makes it clear (in section 12) that the common law crime of theft must 'not exclude' intangibles. Given that theft is a property crime against the owner, it implies that intangibles can be owned.

Accordingly, it would behove University X to ensure that it acquires ownership of the data that it generates.^[141 That said, it is important to remember that multiple branches of the law can simultaneously apply to data, and all interact with each other.^[14] This can, depending on the nature of the data, include personality rights (which include privacy rights), common law property rights (including ownership), contractual rights and intellectual property rights. Each of these branches of the law has its own distinct rules and technical terminology. As such, there can be numerous persons that have rights in respect of the same data. While one person's rights may have their origin in POPIA, another person's rights may have their origin in the common law rules regarding ownership, and yet another person's rights may have their origin in the common law rules regarding trade secrets. When drafting a DTA, this complexity needs to be embraced to its fullest extent.

Include commercial purposes

In their proposed minimum provisions, Mahomed et al.^[12] suggest that 'data cannot be shared for commercial purposes'. We do not agree. We suggest that there are at least two reasons why it is important not to close the door on data sharing for commercial purposes. First, in order to build a vibrant bio-economy in SA, the private sector should be included and supported in policy initiatives such as a DTA template. Consider the following: to effectively address the many disease burdens in SA, it is important for SA to be able to develop and manufacture its own active pharmaceutical ingredients, vaccines, biopharmaceuticals, diagnostics and medical devices locally, which in turn plays an important role in how the country's research agenda is determined. This ecosystem, starting from knowledge-based production and the use of biological resources, processes and principles to sustainably provide goods and services across all economic sectors has been defined as a bio-economy.^[17] Such a bio-economy is knowledge intensive. The SA bio-economy strategy^[18] has identified genomics, proteomics and bioinformatics - all big-data intensive disciplines - in the health sector as fields that specifically require high levels of research, which research will need access to huge amounts of data.^[18] Adopting the suggestion by Mahomed et al.^[12] that 'data cannot be shared for commercial purposes; SA's nascent bio-economy will be constrained in its potential growth.

The governments of most industrialised countries are encouraging more effective links between university-based researchers and the users of research products and services by investing large amounts in innovation and research commercialisation.™ This investment trend aims to facilitate knowledge transfer of university research inventions and discoveries to improve economic and social development. In this regard, the term 'knowledge transfer' refers to the 'processes of engaging, for mutual benefit, with business, government or the community to generate, apply and make accessible the knowledge needed to enhance material, human, social and environmental well-being'.^[20] As seen from this definition and the funding trend globally, research anywhere must inevitably follow and support national bio-economy strategies. Data, being the fuel of many a research project, can subsequently not be viewed in isolation as a single element of this ecosystem, but as a critical ingredient in the recipe for a successful bio-economy.

This brings us to the second reason why the DTA template should embrace the use of data for commercial purposes, that is, alignment with national legislation, namely the Intellectual Property Rights from Publicly Financed Research and Development Act No. 51 of 2008 (IPR Act),^[21] and the Technology Innovation Agency Act No. 26 of 2008 (TIA Act).^[22] Many SA research projects are made possible through public funding. The IPR Act aims to enhance innovation in SA and ensure that intellectual property originating from public funding is 'protected, utilised and commercialised for the benefit of the people of the Republic' (our emphasis).^[21] Next, the TIA - established by the TIA Act - has a statutory mandate to, inter a/ia, implement the SA bio-economy strategy by developing and exploiting - i.e. commercialising - innovations and technologies in the public interest.^[22] From both of these national statutes it is evident that the commercialisation of research is an important national policy objective. As such, a DTA template should facilitate, not obstruct, this policy objective.

From a practical perspective, it should be noted that a DTA template can, of course, be changed. The ways in which it can be adapted should be guided by the explanatory memorandum. As such, given that research is SA is largely driven by academia, the default wording in the template can assume a typical academic (non-commercial) collaboration on a research project. However, the explanatory memorandum should make it clear that such default wording can be changed, for example, to a licence agreement or sale of data. The envisioned DTA template for the SA research community should be sufficiently supple to allow for this possibility.

Only lawful kinds of benefit sharing

Mahomed et al.^[12] suggest that the envisioned DTA template should at a minimum specify the benefit that is to be provided to the provider by the receiver, and whether such benefits 'will directly or indirectly involve gain for participants'.^[12] The problem with this statement is that data in the health research context are often extracted from bio-specimens. As such, where linked to bio-specimens, the part of the statement about 'gain for participants' needs to be carefully reconsidered. Section 60(4) of the National Health Act No. 61 of 2003^[23] provides as follows: ' It is an offence for a person - (a) who has donated tissue, a gamete, blood or a blood product to receive any form of financia/ or other reward for such donation, except for the reimbursement of reasonable costs incurred by him or her to provide such donation; and (b) to sell or trade in tissue, gametes, blood or blood products, except as provided for in this Chapter.' (emphasis added)

Section 60(5) provides that any person convicted of an offence in terms of section 60(4) is liable on conviction to either a fine or to imprisonment for a period not exceeding 5 years, or to both a fine and such imprisonment. Accordingly, research participants who receive any form of financial or other reward for providing their biological material for research are committing a criminal offence; any research institution or researcher who is personally party to an agreement in terms of which such reward is made would be accessories to this statutory crime.^[7,8]

We acknowledge that there is a lively ethical discourse on the advantages and disadvantages of various kinds of benefit sharing, including benefit sharing with research participants. We support having this debate. However, a DTA template is not an instrument that can change statute law. By contrast, we suggest that a DTA template should facilitate legal compliance with the law. As such, we suggest that a DTA template should make it clear - for the benefit of all involved - that where research involves providing bio-specimens, benefit sharing that entails any kind of reward for research participants is unlawful.

Responsible party

The concept of a responsible party is essential to POPIA. It is defined as: 'a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information'. A responsible party is a key person in relation to the obligations created by POPIA and to the liability that may be imposed if anything goes wrong.^[24] In any given situation, determining who the responsible party or parties are is a factual question, namely: who determines the purpose of and means for processing personal information? Because this is a factual question, the answer cannot be provided through a DTA. In other words, specifying certain individuals and institutions as responsible parties in a DTA will not change the answer to the question of whether those individuals and institutions are in fact responsible parties in terms of POPIA.

As argued by Swales et al.,^[24] the definition of responsible party is not restricted to a juristic person, and is wide enough to include both a research institution and an individual researcher. Accordingly, the danger is that some responsible parties, in particular individual researchers involved, may not be specified in a DTA, leading to a possible misperception on the part of the omitted persons that they are not responsible parties. For example, Prof. X is the principal investigator of research project Y, which includes the processing of personal information. As principal investigator, she drafted the research protocol that explains the purpose of and means for such processing of personal information. However, when she enters into a DTA to obtain some of the personal information that she needs for research project Y, she specifies that her employer, University Z, is the sole responsible party on the side of the recipient. Even if this DTA is approved by University Z and the counterparty - the provider of the data - this does not change the factual situation that Prof. X qualifies in terms of POPIA's definition of responsible party as a responsible party. However, by omitting Prof. X as responsible party in the DTA, Prof. X might be induced to labour under the false belief that she is not a responsible party in terms of POPIA. Such a situation would negatively affect personal responsibility, be disempowering, and should be avoided.

It should also be considered that multiple research institutions may collaborate in a project, and that these research institutions (as well as the individual researchers) may all be responsible parties. POPIA does not specify how the responsibilities of multiple joint responsible parties should be managed. A DTA can assist in practice by specifying the duties of each of the parties to the agreement. Swales et al.^[24] previously suggested that research institutions should indemnify individual researchers in their employ against POPIA liability should a data subject decide to sue the researcher for damages for the unlawful processing of personal data. The legal provision of an indemnity could also provide a useful mechanism for research institutions to contractually assign the risk of POPIA liability between themselves. If the DTA contains an indemnity provision, then the research institution that is sued would be entitled to enforce that indemnity against the research institution that has agreed to bear responsibility for POPIA compliance. Under the indemnity provision, they could demand reimbursement of any amounts they may be ordered to pay data subjects in damages and legal costs.

When foreign researchers collaborate in projects involving personal data processed in SA, the parties should be aware that there may be two possible legal results. The recipient of the data may be a sole responsible party for subsequent processing of the data, or the recipient of the data may be a joint responsible party with the SA research institution providing the data. As indicated above, the definition of a 'responsible party' in POPIA envisages that multiple parties can be jointly responsible for the processing of data where they jointly determine the purpose and means for such processing. This would typically be the case in a foreign research collaboration where investigators from both partner institutions collectively determine the nature of the personal data to be collected and the manner and purpose of its processing. In such a scenario, the foreign research institution and/or researcher(s) will be joint responsible parties. Although the foreign research institution is domiciled outside SA, POPIA will apply to them in terms of section 3(1)(b)(ii). The section is opaque, but if interpreted widely, it means that all processing (including processing outside SA by a foreign-domiciled party) is covered by POPIA - provided some means of processing (e.g. data collection, data cleaning, database creation or data transfer) takes place in SA.

This also means that a collaborating SA research institution or researcher could be sued by a data subject even if the unlawful processing was undertaken outside SA by a foreign research collaborator. This arises as a consequence of what the law refers to as joint and several responsibility. As argued by Swales et al.^[24] a data subject can choose to sue any one of the joint responsible parties for the full amount of their damages arising from the unlawful processing of personal data. This raises the spectre of data subjects suing individual researchers rather than the research institution that employs them. In a similar vein, even if the unlawful processing was undertaken by a foreign partner, the data subjects could choose to sue only the local research collaborator(s). They may very well do so for reasons of cost and convenience. A DTA cannot remove the data subject's rights, but collaborating research institutions can agree to indemnify one another for such liability.

A further important consideration is the further (or secondary) analysis of data. What must be considered in this context is whether the research institution receiving the data will be legally entitled to further process the data for new studies in future. As discussed by Townsend and Thaldar,^[25] POPIA contains a research exemption that does permit further processing for research purposes. However, the research institution providing the data is entitled to impose contractual limitations on how the recipient will use the data. To avoid disputes and to ensure optimal respect for the rights of data subjects, we suggest that a DTA should require that any further processing of the data must be in accordance with what has been expressly agreed by the parties to a DTA, and in compliance with the consent of the data subject.

 

Conclusion

A standardised DTA template that is custom developed to be aligned with SA law - and that guides its users towards compliance with SA law - certainly has the potential to assist the SA research community. At an operational level, we advocate for a paradigm shift away from the regulatory approach taken in 2018 with the SA MTA towards an empowerment approach, as sketched in this article. And regarding the content of a standardised DTA template for the SA research community, we highlighted and analysed four hot-button issues, and suggested that the envisioned DTA template (and its explanatory memorandum) should: (i) clearly provide for ownership of data; (ii) be adaptable as to be inclusive of commercial purposes; (iii) promote legal compliance with the statutory prohibition in SA law on any kind of benefit sharing that amounts to rewarding research participants for participating in research projects that entail donation of bio-specimens; and (iv) avoid creating the impression that the DTA can determine who the responsible party or parties are in terms of POPIA.

When drafting a DTA, a lawyer needs to consider multiple variables. These include whether the data are personal information, and if so, whether the data are special personal information, the nature of the collaboration between the provider and the recipient and hence their intentions regarding any resulting inferential data and intellectual property, and their roles and responsibilities under POPIA. However, if one develops a DTA template, it needs to be sufficiently supple and comprehensive to accommodate all reasonably possible variables, without getting lost in an ocean of generalities with little operational meaning. This will be no easy task, but the benefits to the SA research community will be worth the effort.

Postscript

Since submitting this article, the authors' research group at the School of Law, University of KwaZulu-Natal, has developed and published a DTA template and explanatory memorandum for the SA research community. Aligned with the empowerment approach suggested in this article, this DTA template and explanatory memorandum can be accessed online and used free of charge.^[26]

Declaration. None.

Acknowledgements. None.

Author contributions. LS - conceptualisation, project co-ordination, writing of original draft; MB - conceptualisation, writing of original draft; DD - conceptualisation, writing of original draft; DT - conceptualisation, writing of original draft revision, funding acquisition.

Funding. The authors acknowledge the support by the US National Institute of Mental Health and the US National Institutes of Health (award number U01MH127690). The content of this article is solely the authors' responsibility and does not necessarily represent the official views of the US National Institute of Mental Health or the US National Institutes of Health.

Conflicts of interest. None.

 

References

1. Swales L. The Protection of Personal Information Act 4 of 2013 in the context of health research: Enabler of privacy rights or roadblock? PELJ 2022;(25):1-32. https://doi.org/10.17159/1727-3781/2022/v25i0a11180        [ Links ]

2. South Africa. National Health Act No. 61 of 2003. Material transfer agreement for human biological materials. GN 719, Government Gazette 41781, 20 July 2018.

3. Mahomed S. An ethico-legal framework for the regulation of biobanks in South Africa. PhD thesis. Johannesburg: University of the Witwatersrand, 2018. https://hdl.handle.net/10539/25331 (accessed 25 December 2022).         [ Links ]

4. Thaldar DW, Botes M, Nienaber A. South Africa's new standard material transfer agreement: Proposals for improvement and pointers for implementation. BMC Medical Ethics 2020;21(85):1-13. https://doi.org/10.1186/s12910-020-00526-x        [ Links ]

5. Thaldar DW, Townsend BA, Botes M, Shozi B. 'Human biological material. In: Joubert WA (editor). Law of South Africa. Cape Town: LexisNexis, 2021.

6. Thaldar DW. One material transfer agreement to rule them all? A call for revising South Africa's new standard material transfer agreement. Hum Soc Sci Commun 2020;7:105. https://doi.org/10.1057/s41599-020-00600-0        [ Links ]

7. Thaldar DW, Shozi B. The legal status of human biological material used for research. S Afr Law J 2021;138(4):881-907. https://doi.org/10.47348/SALJ/v138/i4a9        [ Links ]

8. Steytler M, Thaldar DW. Public health emergency preparedness and response in South Africa: A review of recommendations for legal reform relating to data and biological sample sharing. S Afr J Bioethics Law 2021;14(3):101-106. https://doi.org/10.7196/SAJBL.2021.v14i3.772        [ Links ]

9. Thaldar DW, Townsend BA. Exempting health research from the consent provisions of POPIA. PELJ 2021(24):10420. https://doi.org/10.17159/1727-3781/2021/v24i0a10420        [ Links ]

10. South Africa. Protection of Personal Information Act No. 4 of 2013.

11. Townsend B. The lawful sharing of health research data in South Africa and beyond. Inf Comm Tech Law 2021;31(1):17-34. https://doi.org/10.1080/13600834.2021.1918905        [ Links ]

12. Mahomed S, Loots G, Staunton C. The role of Data Transfer Agreements in ethically managing data sharing for research in South Africa. S Afr J Bioethics Law 2022;15(1):26-30. https://doi.org/10.7196/SAJBL.2022.v15i1.807        [ Links ]

13. South African Medical Research Council. Ethically managing data transfers for research in SA. Cape Town: SAMRC, 2022. https://youtu.be/HD4Lg34bSCk (accessed 6 September 2022).         [ Links ]

14. Thaldar DW, Townsend BA, Donnelly D-L, et al The multidimensional legal nature of personal genomic sequence data: A South African perspective. Front Genet 2022;13:997595. https://doi.org/10.3389/fgene.2022.997595        [ Links ]

15. Eastern Cape Parks and Tourism Agency v Medbury (Pty) Ltd t/a Crown River Society 2018 (4) SA 206 (SCA).

16. South Africa. Cybercrimes Act No. 19 of 2020.

17. Albrecht J, Carrez D, Cunningham P, et al. The knowledge based bio-economy (KBBE) in Europe: Achievements and challenges. Clever Consult 2010:1-67. https://doi.org/10.13140/RG.2.2.36049.94560

18. Department of Science and Technology, South Africa. The Bio-economy Strategy of South Africa. Pretoria: DST, 2013.

19. Mowery DC. University industry research collaboration and technology transfer in the United States since 1980. In: Yusuf S and Nabeshima K, eds. How Universities Promote Economic Growth. Washington, DC: World Bank, 2007:163-181. https://openknowledge.worldbank.org/handle/10986/6631 (accessed 6 September2022).

20. Phillips KPA. Knowledge transfer and Australian universities and publicly funded research agencies. Canberra: Department of Education, Science and Training, 2006. https://transferoflearning.com/knowledge-transfer-and-australian-universities-and-publicly-funded-research-agencies/ (accessed 6 September 2022).

21. South Africa. Intellectual Property Rights from Publicly Financed Research and Development Act No. 51 of 2008.

22. South Africa. Technology Innovation Agency Act No. 26 of 2008.

23. South Africa. National Health Act No. 61 of 2003.

24. Swales L, Thaldar DW, Donnelly, DL. Why research institutions should indemnify researchers against POPIA civil liability. S Afr J Sci 2022;118(3/4):1-3. https://doi.org/10.17159/sajs.2022/13205        [ Links ]

25. Townsend BA, Thaldar DW. Navigating uncharted waters: Biobanks and informational privacy in South Africa. S Afr J Human Rights 2020:35(4):329-350. https://doi.org/10.1080/02587203.2020.1717366        [ Links ]

26. Swales L, Ogendi P, Botes M, Townsend B, Donnelly D-L, Abdulrauf L, Thaldar D. (2023). A data transfer agreement template for South Africa (1.0). Zenodo. https://doi.org/10.5281/zenodo.7537396

 

 

Correspondence:
L Swales
SwalesL@ukzn.ac.za

Accepted 23 February 2023