SAMJ: South African Medical Journal
On-line version ISSN 2078-5135; Print version ISSN 0256-9574
SAMJ, S. Afr. med. j. vol.109 n.4 Pretoria Apr. 2019
https://doi.org/10.7196/samj.2019.v109i4.13617
IN PRACTICE
MEDICINE AND THE LAW
Protection of Personal Information Act No. 4 of 2013: Implications for biobanks
C Staunton (I); E de Stadler (II)
(I) PhD, LLM (Public Law), BCL, Dip sa Gh; School of Law, Middlesex University, UK; and Centre for Biomedicine, EURAC, Italy
(II) LLM, BA LLB; Novation Consulting, Cape Town, South Africa
ABSTRACT
The Protection of Personal Information Act (POPIA) No. 4 of 2013 is the first comprehensive data-protection regulation to be passed in South Africa (SA). Its objectives include giving effect to the constitutional right to privacy by regulating the way in which personal information must be processed, balancing the right to privacy against other rights, and establishing an Information Regulator to ensure that the rights protected by POPIA are respected. POPIA will have an impact on health research, including biobanks. As sharing of samples and data is a central feature of biobanks, POPIA could change the way in which data are obtained, shared and exported. In particular, the provisions regarding data minimisation, requirements pertaining to the transfer of data abroad, consent provisions and identification of the 'responsible person' will impact the operation of biobanks in SA. With POPIA soon to come into force, it is now time to consider its implications for biobanks in SA.
The Protection of Personal Information Act (POPIA) No. 4 of 2013[1] is the first comprehensive data-protection regulation to be passed in South Africa (SA). Its purpose is to give effect to the constitutional right to privacy by regulating the way in which personal information must be processed, to balance the right to privacy against other rights, such as the right to access information, and to establish an Information Regulator to ensure that the rights protected by POPIA are respected. POPIA is similar to the European General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and has changed the regulation of data protection in the European Union (EU).
Both the GDPR and POPIA will possibly have an impact on health research, including biobanks, in SA. At the heart of biobanks is the large-scale sharing of samples and data. International collaborative projects, such as Human Heredity and Health in Africa (H3Africa) and Bridging Biobanking and Biomedical Research across Europe and Africa (B3Africa), have resulted in a growth in biobanks in SA and increased the flow of samples and data across borders. The National Health Act No. 61 of 2003[2] and the Regulations relating to the import and export of human tissue, blood, blood products, cultured cells, stem cells, embryos, zygotes and gametes, 2012,[3] primarily focus on the legal requirements for obtaining and exporting a biological sample. Specifically, an export permit is required prior to the exportation of a sample only and not before data export. The Material Transfer Agreement (MTA) of Human Biological Materials, 2018,[4] and the National Department of Health ethics guidelines, 2015,[5] do have some provisions for the transfer of data.
The GDPR and POPIA will change the abovementioned information. While a full analysis of the GDPR and its impact on biobanks is beyond the remit of this article, one should note that it will have an impact on the transfer of data from the EU to SA. Data can only be transferred to 'third countries' (i.e. countries outside of the EU) if the data have the same level of protection as in the EU. Transfers can only take place if they are subject to an adequacy decision or if appropriate safeguards are put in place. An adequacy decision relates to the European Commission having decided that a third country has appropriate safeguards with regard to data protection. To obtain an adequacy decision, a proposal from the European Commission, an opinion of the European Data Protection Board and an approval from representatives of EU countries must be obtained, as well as the adoption of the decision by the European Commissioner. This will possibly occur when third countries enact legislation that guarantees the same protection as that contained in the GDPR. It is possible that, when in force, POPIA will satisfy this requirement, but this is currently unclear. Should a third country be on the Commission's approved list, specific authorisation will not be required to transfer data. If a third country is not on the relevant list or is awaiting approval, data can still be transferred abroad provided there are appropriate safeguards in place, which could include a legally binding agreement. It remains to be seen whether MTAs will be deemed to provide sufficient safeguards. Therefore, since 25 May 2018, a biobank in SA that is collaborating with EU organisations must ensure that it is compliant with the GDPR, or be subject to fines or contractual liability of up to EUR20 million or 4% of the annual worldwide turnover (whichever is greater).
The GDPR has strict provisions for the processing of sensitive data, which include genetic data. In response to criticisms from researchers, a 'research exemption' was inserted into the GDPR and sensitive data can be processed without adhering to the very strict consent requirements as outlined in Article 9(2)(a). POPIA similarly contains restrictions on the use of sensitive data, but has no research exemption. It provides that an industry can apply to have a code of conduct accredited, which is being developed for SA universities. This code should offer detailed guidance to research biobanks on the implementation of POPIA. In the interim, a biobank must consider how to govern its data to ensure that it is POPIA compliant. This article considers the provisions of POPIA that will potentially have the greatest impact on biobanks in SA. In particular, it focuses on the principle of data minimisation, requirements pertaining to the transfer of data abroad, consent provisions and a discussion on the 'responsible person'. Although POPIA does not contain a research exemption, careful navigation of the Act shows that there are certain exceptions to the strict consent provisions in the research context.
Consent under the Protection of Personal Information Act
According to SA's research ethics framework, samples can be collected using the broad consent model for secondary use (as defined in the 2015 guidelines as 'use in research of materials or data originally collected for other purposes'[5]), subject to REC oversight. Samples can be shared with research institutions, both locally and internationally, subject to certain approvals. The National Department of Health guidelines place similar requirements on data and on samples. The question now facing biobanks is whether POPIA places additional requirements on the use, re-use and sharing of data.
POPIA requires that the processing of personal data must be lawful and must be done in a reasonable manner that does not infringe the privacy of the data subject (section 11). Section 13(1) states that personal information (as defined in Article 1, including health-related data) 'must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party'. With regard to the use of personal information for research, consent will be required. Section 1 states that consent must be 'voluntary, specific and informed', i.e. it must be specific and only for a clearly defined purpose when data are obtained. It would appear that POPIA rules out broad consent, as the research for subsequent processing of data may not be known at the time of data collection. However, there are certain exceptions to these strict consent provisions that are applicable to biobanks.
Section 15(1) states that the responsible party can further process personal information without infringing section 13, provided that the further processing is compatible with the original purpose for which the data were collected, taking the following into account:
(a) the relationship between the purpose of the intended further processing and the purpose for which the information has been collected
(b) the nature of the information
(c) the consequences of the intended further processing for the data subject
(d) the manner in which the information has been collected
(e) any contractual rights and obligations between the parties.
Further processing refers to processing in addition to that for which the personal data were originally collected and would cover instances where personal data are initially collected for one research project, but subsequently used for other research projects. This subsection would seem to suggest that if the research is closely linked to that for which the data were collected, the responsible party can re-use the data without obtaining consent again. However, section 15(3) will perhaps bring most relief to researchers, as it provides four instances where further processing of data is permitted:
• if the data subject consents to this (section 15(3)(a))
• if it is necessary to mitigate a serious threat to public health or the life or health of a data subject or another individual (section 15(3)(d))
• if further processing is solely for research purposes and the findings will not be published in an identifiable form (section 15(3)(e))
• if the responsible party obtains a section 37 exemption (section 15(3)(f)).
This suggests that broad consent may be permissible in terms of POPIA if the subsequent projects are 'compatible' (or quite similar) with the project for which it was initially collected. The question that now faces biobanks is whether they can use data for research that are not 'compatible' with the research for which the data were initially collected.
There is a general prohibition of the processing of special personal information (section 26). This includes 'religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject' and genetic data would fall under this prohibition. Under section 27(1)(d), special data can be further processed if it is for research purposes in the public interest or where it would be impossible, or require a disproportionate effort, to ask for consent, and there are guarantees put in place that the privacy of the data subject will not be disproportionately affected. If these criteria are satisfied, it would thus appear that approval from a research ethics committee (REC) would be required for the use of data beyond the remit of the research provided for in the consent form.
With regard to the sharing of data, section 12 states that the data must be collected directly from the data subject, which implies that data cannot be shared with other researchers. Section 12(2) provides certain exceptions to that rule and data can be shared with others, including where the data subject consents or where compliance is not reasonably practicable. A purposive interpretation of POPIA would thus suggest that broad consent is permissible. To be compliant with POPIA, if biobanks intend to share data with others for research purposes, it must be provided for in the consent form.
Generally, the responsible party decides on the use or re-use of data, but there are two instances in which the regulator must be involved. First, if any researcher intends to process unique identifiers (an identifier that is assigned to a data subject for purposes of identification) of a data subject for a purpose other than that for which they were collected, or for the purpose of linking them with other data, prior authorisation of the regulator must be obtained (section 57). Second, if a section 37 exemption is sought, i.e. if a responsible party wishes to process personal data that are not within the confines of the Act and do not fall under any of the exemptions discussed above, an application must be made to the regulator. It must be demonstrated that the public interest outweighs any interference with the privacy of the data subject, and for biobanks, public interest specifically includes research (section 37(2)(e)).
Protection of Personal Information Act and data minimisation
Section 10 states that 'personal information may only be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive', with section 11 providing the grounds for the lawful processing of data. This is part of a movement towards minimising the volume of data collected. It will undoubtedly be problematic in the biobank setting, where the purpose is to collect large quantities of samples and data for unanticipated future use. However, the exact impact of this section in the research context remains to be seen. It will in part depend on how the phrase 'purpose for which it is processed' is interpreted. When this requirement is read with section 15 in relation to further processing (or secondary use), it would appear that obtaining data for research purposes would satisfy this requirement without it being necessary to specify the exact type of research that the data will be used for. In the interim, biobanks should review the data that they collect and ensure that they do not obtain excessive data, bearing in mind the requirements for the informed consent document set out in the Department of Health guidelines, 2015.[5]
Protection of Personal Information Act and the transfer of data abroad
Section 72 governs the transfer of data to a third country. If the receiving country is not subject to a law that provides an adequate level of data protection as measured against the levels of protection envisaged by POPIA, the personal data cannot be transferred unless the institution in the receiving country has agreed to adhere to POPIA, or if the research subject consents to the transfer to this country (section 72(1)(a) and (b)). The same rules apply if the recipient institution wants to transfer personal data to another country. In the research context, this provision will have to be complied with through the conclusion of an MTA or data transfer agreements (DTAs). The requirements set forth in the recently gazetted MTA of Human Biological Materials must now also be followed and RECs must review and approve proposals to transfer data and the MTA.
The transfer can also take place if it is in the interest of the research subject, it is impractical to obtain consent, and if it is likely that the research subject would have consented if asked (section 72(1)(e)). This exception only applies if the research is in the interest of the data subject. In general, it can be argued that all health research should be in the general interest of the public. Whether this argument will persuade the Information Regulator remains to be seen, as it will be weighed against the potential infringement of the data subjects' privacy as a result of the transfer of the personal data to a country where there is no data protection regime in place.
Protection of Personal Information Act and the responsible party
Throughout the Act, reference is made to the 'responsible party'. It is defined as 'a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means for processing personal information'. It is the same definition as that of the 'data controller' (GDPR). In the biobank context, this could be interpreted as being the institution where the biobank is situated, principal investigator, REC or data access committee. Section 8 states that the responsible party has to ensure compliance with the Act. From this, it would appear that the institution will assume overall responsibility for ensuring that its biobanks comply with the Act, and the institution will be subject to any fines arising from a breach of the Act.
In practice, it is likely that this responsibility will be delegated to another body. As RECs are currently the oversight bodies for the use and re-use of biological samples, authority will possibly also be vested in them to ensure compliance with POPIA. While this is certainly the most practical solution, the capacity and resources of RECs are a concern. The capacity of RECs to review complex projects, such as genomic and biobanking research, has been a subject of debate[6] and it is unclear whether SA RECs would have the capacity to review protocols that pertain to data. Biobanks will need to be provided with considerable support in the drafting of their data management plans to ensure compliance with the GDPR and POPIA. Considering the large fines that the data controller can be subject to in the event of non-compliance with the GDPR or the loss of European partnerships or funding, it is in the interest of universities that their biobanks are compliant with the relevant laws.
One possible solution is the establishment of a data access committee. This committee should comprise individuals who have the necessary legal, ethical and scientific expertise required to review and monitor research that proposes to use data. It will thus avoid increasing the workload of the already over-burdened RECs. These committees should sit within the REC framework, as any research project will require a full ethical review. However, universities must set aside an additional budget for these committees to ensure that they are fully resourced, without taking away from the current REC budget.
Conclusion
POPIA will bring changes to the management and use of biological data. With no research exemption to the strict consent requirement similar to that in the GDPR, it requires careful navigation to fully assess its impact on research and secondary use of research in general and biobanks in particular in SA. It is therefore recommended that SA biobanks review their consent forms. These forms should explicitly state that data may be shared with other researchers, including collaborators who are abroad. Although it appears that data can be re-used for research purposes other than the purposes for which they were originally obtained, owing to the principle of data minimisation and the emphasis on ensuring that the secondary use of data is compatible with the original purpose, biobanks should re-use data for 'compatible' research as far as possible. Finally, in the sharing of data, biobanks must ensure that their MTAs are robust and be certain that the receiving institution is legally obliged to adhere to the strict provisions of POPIA.
Declaration. None.
Acknowledgements. None.
Author contributions. CS conceptualised the article and developed the initial draft. EdS provided feedback on the conceptualisation of the article and commented on and edited all drafts.
Funding. None.
Conflicts of interest. None.
REFERENCES
1. South Africa. Protection of Personal Information Act No. 4 of 2013.
2. South Africa. National Health Act No. 61 of 2003.
3. South Africa. National Health Act of 2003. Regulations: Import and export of human tissue, blood, blood products, cultured cells, stem cells, embryos, zygotes and gametes. Government Gazette No. 35099, 2012. (Published under Government Notice No. R181.)
4. Department of Health, South Africa. National Health Act of 2003 (Act No. 61 of 2003). Material Transfer Agreement of Human Biological Materials. Government Gazette No. 41781:719. 2018.
5. National Department of Health. Ethics in Health Research Principles, Processes and Structures. 2nd ed. Pretoria: NDoH, 2015.
6. Munung NS, Mayosi BM, de Vries J. Equity in international health research collaborations in Africa: Perceptions and expectations of African researchers. PLOS ONE 2017;12(10):e0186237. https://doi.org/10.1371/journal.pone.0186237
Correspondence:
C Staunton
c.staunton@mdx.ac.uk
Accepted 12 December 2018