Personal data protection law compliance will “be challenging for everybody”
Scientists in South Africa who deal with personal data or information will have to jump through a number of new administrative hoops from 1 July, when the country’s Protection of Personal Information Act comes into full force.
The Act will impact on a range of research, from biomedical projects that collect samples and personal health information from patients, to research that ‘scrapes’ large amounts of public data—for example on social media—and stores it for research purposes.
Since last year, the Academy of Science of South Africa has been working on a code of conduct to make it clearer for researchers what they must do to comply with the legislation. The code will clarify the conditions under which the processing of personal information for research will be allowed, even if it might be seen to contravene some general provisions of the law, such as the need for specific consent from the data owner to all uses of their data.
On 3 May Assaf hosted a webinar to update researchers on progress on the code, which needs to be presented to the information regulator, established under POPIA, and approved before it comes into force. The code is meant to be submitted to the regulator by early June, leaving a mere month for drafting and researchers’ comments.
The code will apply to research in industry and academia. It will cover general processes for research involving personal information, as well as special sections on the use of social media data in research, the handling of information-matching programmes—such as software—which could re-identify people in the dataset, genetic data processing, and international data transfers.
Although the code remains in flux, one proposal under consideration is that all research involving the collection or processing of personal information should be subject to a participants’ privacy risk self-assessment. This assessment would be recorded in the data management plan, and if the risk was rated high a full privacy impact assessment would have to be done, possibly requiring additional safeguards.
Researchers will also have to ensure that information about data processing is provided to participants, separately from consent forms used in ethics reviews. Institutions will be ultimately responsible for ensuring researchers comply with the privacy law. But some compliance oversight may be given to research ethics committees, thus expanding their role.
In the 3 May webinar, some participants said adding to research ethics committees’ administrative burdens would place excessive workloads on their members. But Jantina de Vries, a bioethicist from the University of Cape Town who is involved in drafting the code of conduct, said it might be the least bad option.
“We’re in a bit of a predicament,” she said. She said the tasks the committees would perform were “not entirely alien” to them, and that when creating the oversight structure for privacy compliance, the code’s drafters had deemed it vital that existing structures be used where possible to minimise new bureaucratic layers.
However, de Vries said, there would need to be additional resources for the ethics committees to take on this extra work. “Obviously this cannot be an unfunded mandate, but will require dedicated resources,” she said, adding that the code would provide easy-to-follow templates for all documents required for research under the privacy law.
Alan Christoffels, a bioinformatician at the University of the Western Cape, who has also worked on the code, said that universities needed to make provision for policies to demonstrate how they would protect sensitive information held in the university space. This would include matters like access controls to data and encryption layers. “Those are the kinds of discussions that we as researchers will have to have with our ICT departments,” he told the webinar.
While compliance with the privacy law might seem onerous, it’s not something researchers can ignore, the webinar heard. “This is going to be challenging for everybody,” said Michele Ramsay, a geneticist at the University of the Witwatersrand, who is working on the code.