Services on Demand
Article
Indicators
Related links
- Cited by Google
- Similars in Google
Share
South African Journal of Science
On-line version ISSN 1996-7489
Print version ISSN 0038-2353
S. Afr. j. sci. vol.117 n.5-6 Pretoria May./Jun. 2021
http://dx.doi.org/10.17159/sajs.2021/10935
COMMENTARY
Drafting a Code of Conduct for Research under the Protection of Personal Information Act No. 4 of 2013
Rachel AdamsI; Susan VeldsmanII; Michèle RamsayIII; Himla SoodyallII
IHuman Sciences Research Council, Pretoria, South Africa
IIAcademy of Science of South Africa Pretoria, South Africa
IIISydney Brenner Institute for Molecular Bioscience, University of the Witwatersrand, Johannesburg, South Africa
Keywords: POPIA compliance, POPIA, Code of Conduct, research participants privacy, ASSAf, research community, open science
On 22 June 2020, President Ramaphosa announced that the Protection of Personal Information Act No. 4 of 2013 (POPIA) would come into effect on 1 July 2020. A one-year grace period was provided to give organisations time to comply with the provisions of the Act. It will therefore be mandatory as of 1 July 2021, for all sectors in South Africa to comply with POPIA.
POPIA gives effect to the constitutional right to privacy. In so doing, it balances the right to privacy with other rights and interests, including the free flow of information within South Africa and across its borders. POPIA adopts a principle-based approach to the processing of personal information. It sets out eight conditions for the lawful processing of personal information: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation. These principles apply equally to all sectors that process personal information.
Chapter 7 of POPIA makes provision for the development of Codes of Conduct to provide guidance on the interpretation of POPIA in relation to a particular sector or industry, or class of information. Codes of conduct are particularly important in providing prior authorisation in terms of Section 57 of POPIA for the sector to which the Code applies. Prior authorisation is required for the processing of unique identifiers, such as ID numbers, for any purpose other than that for which they were originally collected, and for use within an information matching programme. In addition, prior authorisation is required for transferring special personal information and the personal information of children to a country outside South Africa that does not have an adequate level of data protection regulation. Further guidance on Chapter 7 of POPIA and the development of Codes of conduct was published by the Information Regulator in February 2021.1 Once a code is approved by the Information Regulator and comes into force, it is legally binding.
The Academy of Science of South Africa (ASSAf) has begun a process to facilitate the development of a Code of Conduct for Research. In addition to providing prior authorisations for research, as set out above, the Code of Conduct is needed to provide guidance to researchers on how to rationalise the provisions of POPIA in relation to existing laws and standards regulating research. The general norm, in this instance, is that whichever law provides a greater level of protection of rights, and particularly the right to privacy, takes precedence.
This process began in 2020 following a call from South African scientists to consider the development of a POPIA Code of Conduct specifically to guide the use of personal information in research. Two public fora were held in 2020 to discuss: during Open Access Week on 21 October 2020 and at the Science Forum South Africa on 10 December 2020. Two committees - a Steering Committee and a Drafting Committee - were subsequently established by ASSAf to lead the process of developing the Code of Conduct for Research (Table 1).
It is important to note that in 2020, Universities South Africa (USAf), a membership organisation that represents public universities in South Africa, began the process to draft a Code of Conduct to help regulate the processing of personal information within higher education institutions. This Code of Conduct has not yet been submitted to the Information Regulator. Once it has been submitted and approved by the Information Regulator, this Code of Conduct will form another regulatory tool for guiding the research community to comply with POPIA. The USAf Code of Conduct does not set out extended provisions and explanations of POPIA in respect of research activities. Therefore, with respect to the processing of personal information for research purposes, the ASSAf-led Code of Conduct will take precedence over the USAf Code of Conduct.
This Commentary sets out why a Code of Conduct for Research is being developed, its purpose and scope, and why ASSAf is the body that is coordinating its development.
What is a Code of Conduct and why is it needed for research?
POPIA is to be welcomed as it gives greater guidance to researchers regarding the use and protection of personal information for research. This should serve to improve transparency, accountability and oversight of personal information and promote public trust in the use of personal information in research. However, there is uncertainty and need for further guidance on the application of POPIA to research. First, it is unclear how some of the high-level principles will apply in practice to research. Second, POPIA provides certain exceptions from the lawful conditions of processing personal information for research, and further interpretation is required to understand how and where these exceptions would apply in different research contexts. Third, it is important that there is a comprehensive and uniform approach to the regulation of personal information for research across all government departments, academic institutions, research councils and the private sector.
A Code of Conduct is a sectoral or industry-wide regulation issued under POPIA that provides further details on how the Act should be interpreted in relation to that particular sector or class of information. Codes of Conduct must not derogate from, or water down, the provisions of POPIA. Where relevant, Codes can heighten data subjects' rights, and can provide exemptions from the conditions of processing of personal information for all the bodies bound under the Code, in terms of Section 37 of POPIA.
A Code of Conduct must address all of the eight provisions for the processing of personal information in terms of the specific sector or class of information or provide for their functional equivalent where there are existing provisions in law (Section 60 (2) (a)). In addition, Codes of Conduct must provide for appropriate measures for information matching programmes and high-risk information in terms of the sector or class of information in question.
The Code of Conduct for Research is being developed to ensure compliance with POPIA by the research community in South Africa and to promote uniformity in the interpretation and application of the Act. Additionally, the Code will guide information officers, data stewards, research integrity officers, research ethics committees and other research governing structures in their roles with respect to POPIA. With respect to international collaboration in research, this Code will strive to meet international standards of data protection so as to allow for cross-border data sharing in international research projects and to enable compliance with the requirements of POPIA in relation to transborder information flows of personal information, as well as serve as a mechanism to protect the international flow of personal info mation.
Of principal importance, the Code will enhance and protect the rights of data subjects (who, in research, we would call 'research participants') and build the trust of data subjects and the public in the functioning of the research sector. It will also stimulate transparent processing of personal information to promote cultural change for research bodies in relation to the lawful processing of personal information and serve as a mechanism to hold responsible parties accountable for the processing of personal information.
Lastly, the Code will ensure alignment with other legislation and regulation that governs the conduct of research in South Africa and promote responsible open science in line with the principles and objectives of POPIA and international best practice.
Why the Academy of Science of South Africa?
ASSAf was approached in 2020 by various scientists in South Africa to consider leading the process to develop a Code of Conduct for Research. ASSAf is the official national science academy of South Africa. It is mandated under the Academy of Science of South Africa Act, 67 of 2001, as amended by the Science and Technology Laws Amendment Act, 16 of 2011. ASSAf's mission is to use evidence-based science to address challenges in society and to use science for societal benefit. ASSAf currently has nearly 600 members, who consistently have demonstrated academic excellence in various fields such as Agricultural Sciences, Earth Sciences, Economic Sciences, Education, Health/Medical Sciences, Humanities, Life Sciences, Mathematical Sciences, Physical Sciences, Social Sciences and Technological and Engineering Sciences.
POPIA stipulates under Section 61 (1) (b) that a body 'sufficiently representative of any class of bodies, or of any industry, profession, or vocation as defined in the Code in respect of such class of bodies or of any such industry, profession or vocation' can develop a Code of Conduct, to be reviewed and approved by the Information Regulator.
Given that POPIA will have a significan impact on research processes in South Africa, ASSAf has engaged widely with representatives of the scientific community to develop a single Code of Conduct for Research. ASSAf has the capacity to represent the scientific community to facilitate evidence-based research and to ensure compliance with regulations that guide research. Given the placement of ASSAf within the National System of Innovation, ASSAf has the ability to provide policy advice on matters relating to science and the governance of science. ASSAf is broadly considered 'sufficiently representative' in terms of POPIA and therefore best placed to develop a Code of Conduct for Research through an inclusive and consultative process.
Scope of the Code: To what and whom does it apply?
The full scope of the Code of Conduct is set out in the Discussion Document by Adams et al.2 The proposed Code will pertain to all research conducted in South Africa or by a responsible party domiciled in South Africa, and which uses (collects, processes or stores) personal information as defined under POPIA as pa t of the research process.
The Code will pertain to all research activities in South Africa that ordinarily undergo prior and independent ethics review, that follow a recognised scientific methodology or system of analysis, and that aim to publish the research in contribution to the respective field of stud .
The Code will further set out where there are other existing laws that pertain to the use of personal information in research and how these are to be reconciled with POPIA. These laws and regulatory instruments include the National Health Act No. 61 of20033and its 2012 regulations, the Department of Health's4 'Ethics in Health Research: Principles, Processes and Structures' guidelines and the Promotion of Access to Information Act, No. 2 of 2000. In short, whichever law provides a stronger level of protection of the rights with regard to personal information takes precedence. This is set out in Section 3 of POPIA.
During 2019, draft guidelines were published to guide agencies in the developing of the Code of Conduct. New guidelines were published in February 2θ21. The main differences in the later guidelines are:
1. Requirement of notification to the Information Regulator about an intention of a relevant body (i.e. the body that develops a Code) to develop a code (Section 11);
2. Further details of the paperwork required to show engagement with stakeholders and response to inputs from stakeholders (Section 16.2.2.), including a 'statement of consultation';
3. Further details pertaining to the reports to the Information Regulator which relevant bodies must submit about compliance with the Code (Section 25.3); and
4. Removal of the provisions relating to alternative dispute resolutions where parties are aggrieved by the decision of the relevant body regarding a complaint.
Research in South Africa is governed by several existing legal instruments and provisions. The Constitution of the Republic of South Africa5 provides under the Bill of Rights that '[e]veryone has the right to bodily and psychological integrity, which includes the right not to be subjected to medical or scientific experiments without their informed consent' (Section 12 (2) (c)). In addition, the National Health Act3requires all research projects that involve human participants to have the express consent of the individual involved and to 'be conducted in the prescribed manner' (Section 71). This prescribed manner relates to any regulations which further govern research, which include, particularly, the Department of Health's guidelines4 noted above. These Guidelines pertain to 'research that involves living human participants' (para 1.1.7) and requires prospective and independent ethics review from a research ethics committee registered with the National Health Research Ethics Council.
In addition, there are standards being developed and issued globally to promote open science. Open science is intended to promote the benefit and advancement of science for all, and requires research data to be made publicly available. Such data would typically be de-identified as far as possible, and the provisions of POPIA would not apply, as POPIA does not apply to de-identified information that cannot be reasonably re-identified. This is consistent with the objectives of POPIA, set out in the Preamble6, which include that the Act is
consonant with the constitutional values of democracy and openness, the need for economic and social progress, within the framework of the information society, requires the removal of unnecessary impediments to the free flow of information, including personal information.
However, it is important in the development of this Code to take into account international standards, including those relating to open science and data protection law in the European Union and African Union, as, too, is noted in the Preamble to POPIA.6 This is particularly important given how data protection laws worldwide provide for a provision of 'adequacy' when sharing data with institutions in other countries. This means that cross-border data sharing can only take place where the other jurisdiction has an adequate standard of data protection in place or a data access agreement in place to ensure adequate data protection.
Conclusion
It is anticipated that a Code of Conduct for Research will be submitted by ASSAf to the Information Regulator by early June 2021. This submission will follow wide consultation with researchers, research institutions and other relevant stakeholders. The Discussion Document by Adams et al.2 sets out the main substantive issues that the Code of Conduct for Research will address, and a public consultation forum is planned for May 2021 in which the ASSAf Steering and Drafting Committees will receive further input from the research community. Through a transparent and consultative process, we hope to develop a Code of Conduct that has lasting value in guiding the research community of South Africa in complying with POPIA.
References
1. Information Regulator (South Africa). Guidelines to develop codes of conduct: Issued under the Protection of Personal Information Act 4 of 2013 (POPIA) [document on the Internet]. c2021 [cited 2021 Apr 20]. Available from: https://www.justice.gov.za/inforeg/docs/InfoRegSA-Guidelines-DevelopCodeOfConduct-22Feb2021.pdf [ Links ]
2. Adams R, Adeleke F, Anderson D, Bawa A, Branson N, Christoffels A, et al. POPIA Code of Conduct for Research. S Afr J Sci. 2021;117(5/6), Art. #10933. https://doi.org/10.17159/sajs.2021/10933 [ Links ]
3. National Health Act 61 of 2003, Republic of South Africa. Available from: https://www.gov.za/sites/default/files/gcis_document/201409/a61-03.pd [ Links ]
4. South African Department of Health (DoH). Ethics in health research: Principles, processes and structures. 2nd ed. Pretoria: DoH; 2015. Available from: https://www.sun.ac.za/english/research-innovation/Research-Development/Documents/Integrity%20and%20Ethics/DoH%202015%20Ethics%20 in%20Health%20Research%20-%20Principles,%20Processes%20and%20 Structures%202nd%20Ed.pdf [ Links ]
5. The Constitution of the Republic of South Africa, 1996. Available from: https://www.justice.gov.za/legislation/constitution/saconstitution-web-eng.pdf [ Links ]
6. Protection of Personal Information Act 4 of 2013, Republic of South Africa. Available from: https://www.gov.za/documents/protection-personal-information-act# [ Links ]
Correspondence:
Susan Veldsman
Email: susan@assaf.org.za
Published: 03 May 2021