The Protection of Personal Information Act 4 of 2013 in the Context of Health Research: Enabler of Privacy Rights or Roadblock?

L Swales*

PER / PELJ - Pioneer in peer-reviewed, open access online law publications

Author Lee Swales

Affiliation University of KwaZulu-Natal

Email swalesl@ukzn.ac.za

Date Submission 21 May 2021

Date Revised 16 February 2022

Date Accepted 16 February 2022

Date published 9 March 2022

Editor Ms A Storm

How to cite this article

Swales L "The Protection of Personal Information Act 4 of 2013 in the Context of Health Research: Enabler of Privacy Rights or Roadblock?" PER / PELJ 2022(25) - DOI http://dx.doi.org/10.17159/1727-3781/2022/v25i0a11180


Abstract

Data is an exceptionally valuable asset

Online ISSN 1727-3781

Keywords

POPIA; health research; broad consent; specific consent; data privacy; exemptions to POPIA


1 Introduction and background

Data is an exceptionally valuable asset – in a scientific context, it facilitates growth and development in society, and on a wider level it is a fundamental part of the information age, which has seen a shift from industrial production to automation, computerisation and artificial intelligence. In 2017 The Economist1 published an article in the context of internet regulation stating that data had overtaken oil as the world's most valuable resource (a claim repeated often since then, including by Forbes Magazine2 in 2019).

* Dr Lee Swales. LLB LLM PhD. Senior Lecturer, School of Law, University of KwaZulu-Natal, South Africa. E-mail: swalesl@ukzn.ac.za. ORCiD: https://orcid.org/0000-0002-4030-1874.

1 Parkins 2017 https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data.

2 Bhageshpur 2019 https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/?sh=70a690ce7304.

3 Open Science promotes scientific research and holds that its results should be made available to all persons without restriction so that research is accessible and transparent, the rationale being that Open Science facilitates shared knowledge and the advancement of humankind.

4 Open Data promotes data’s being made freely available to any person to use or re-use or publish as they deem fit without any restriction from contract, copyright or patent.

5 Thaldar and Townsend 2020 SAMJ; Staunton et al 2019 SAMJ.

6 A Protection of Personal Information Act 4 of 2013 (POPIA) Code of Conduct for Research is in the process of being prepared by the Academy of Science of South Africa (ASSAf) and will further elaborate on consent in research. It is anticipated that the first version of this code will be published by 1 July 2021. See Adams et al 2021 S Afr J Sci.

7 For this article, the term health research refers to research designed to learn more about human health with a view to preventing, curing and treating diseases. This type of research usually requires the use of personal information or special personal information as defined in POPIA.

In the age of COVID-19, where the world has had to adapt quickly to fight a deadly virus, scientific research and data sharing – often on a global basis – have enabled society to manage fatalities, slow the spread of the virus, and ultimately assist with the creation of a vaccine. In this light, the concept of Open Science3 is gathering momentum. However, the concepts of Open Data4 and Open Science notwithstanding, a key issue that has caused some debate5 in South Africa in recent times relates to the Protection of Personal Information Act 4 of 2013 (POPIA),6 and whether the Act requires broad or specific consent in the context of health research.7

Accordingly, the primary purpose of this contribution will be to answer the following question: does POPIA require broad or specific consent from persons who take part in health research? In order to answer this question, it will be necessary to analyse POPIA and its development in South Africa, including the constitutional framework it operates within, and its historical and law reform roots, and to reflect on the current legal framework governing health research in South Africa.

Finally, the secondary purpose of this contribution will be to consider the role of the Information Regulator in health research and to discuss the sections in POPIA applicable to codes of conduct and industry exemptions.

2 Development of the Protection of Personal Information Act

2.1 The right to privacy in South Africa – an overview

In South African law the right to privacy has been extensively set out by several courts8 and academics;9 and was the topic of comprehensive law reform discussion in the South African Law Reform Commission's Project 124: Privacy and Data Protection (which saw an issue paper,10 a discussion paper11 and a final report12 which ultimately led to the promulgation of POPIA). Accordingly, this article will not seek to walk down that well-trodden path; however, for the purposes of context, by way of introduction, it is important to briefly note some fundamental points in relation to the right to privacy in South Africa.

8 For example, see: Bernstein v Bester 1996 2 SA 751 (CC); Mistry v Interim National Medical and Dental Council 1998 4 SA 1127 (CC); National Coalition for Gay and Lesbian Equality v Minister of Justice 1999 1 SA 6 (CC); Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd 2001 1 SA 545 (CC); Centre for Child Law v Media 24 Limited 2020 4 SA 319 (CC).

9 Neethling 2005 SALJ 18; McQuoid-Mason "Privacy" 38-01–38-02; Millard and Bascerano 2016 PELJ; Roos "Data Privacy Law" 370; Naude and Papadopoulos 2016 THRHR; Burchell 2009 EJCL; Roos 2006 CILSA; Roos 2007 SALJ 433.

10 SALRC Project 124 – Issue Paper 24.

11 SALRC Project 124 – Discussion Paper 109.

12 SALRC Project 124 – Report.

13 Neethling 2005 SALJ 20.

As a point of departure, it is important to note that the right to privacy is protected by section 14 of the Constitution, and this right has been regarded as an independent personality right – falling under the concept of dignitas – in terms of the common law since the 1950s.13 Notwithstanding POPIA and constitutional protection in terms of section 14, in principle a person may still institute legal action on the basis of the common law for an infringement of her right to privacy (although given the emergence of POPIA there are now more efficient methods to protect one's privacy and hold those who infringe it to account).

The exact extent of the right to privacy is at times "amorphous and elusive",14 and difficult to clearly articulate.15 It has even been said that describing privacy is like an elephant: it is easier to recognise than to clearly define.16 Those concerns notwithstanding, broadly speaking the right to privacy can be defined as "the right to be left alone", which includes the right to have private matters and/or personal information remain confidential,17 and to be able to control how one's personal information is used.18 Nolo's Plain-English Law Dictionary further defines privacy as the right "to be free of unnecessary public scrutiny".19 The right to privacy includes protection from intrusion from public (government) and private (individual) actors and seeks to ensure a person can live – to an extent20 – free from the "public and publicity".21 The right to privacy provides a basis for a person to be able to have control over personal information that is in the public domain, and to dictate how and with whom personal information is shared – holistically, this should mean that a person can conduct her "personal affairs relatively free from unwanted intrusions".22

14 Bernstein v Bester 1996 2 SA 751 (CC); Neethling 2005 SALJ 18; McQuoid-Mason "Privacy" 38-01–38-02.

15 Roos "Data Privacy Law" 370.

16 Young Privacy 5 quoted in Larsen Data Privacy Protection.

17 LII date unknown https://www.law.cornell.edu/wex/right_to_privacy relying on Nolo plain language law dictionary – Nolo 2021 https://www.nolo.com/dictionary/privacy-term.html.

18 Neethling 2005 SALJ 19.

19 Nolo 2021 https://www.nolo.com/dictionary/privacy-term.html; Naude and Papadopoulos 2016 THRHR 53.

20 A person cannot live in total seclusion and will need to provide government and other private service providers with certain personal information in order to function in modern society. Further, a person's privacy will depend on how that person engages and shares information – particularly in the digital age with the ever-increasing use of social media and other forms of technology.

21 Neethling 2005 SALJ 19; Bernstein v Bester 1996 2 SA 751 (CC) para 68.

22 SALRC Project 124 – Report 6 quoting Neethling, Potgieter and Visser Neethling's Law of Personality 31; Naude and Papadopoulos 2016 THRHR 53.

23 National Media Ltd v Jooste 1996 3 SA 262 (A).

24 Bernstein v Bester 1996 2 SA 751 (CC).

In a South African context both the Supreme Court of Appeal23 and the Constitutional Court24 have accepted Neethling's definition of privacy, which appears now to be widely accepted as the locus classicus definition. It is as follows:

a condition of human life characterized by seclusion from the public and publicity. This condition embraces all those personal facts which the person concerned has himself determined to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private.

Following decades of developing privacy jurisprudence, the Constitutional Court has explained the right to privacy in terms of a legitimate expectation, where this expectation can be reasonably assumed in the "inner sanctum of a person" or the "truly personal realm"25 but that a legitimate expectation of privacy will retreat "the more a person inter-relates with the world".26 Put differently, the right to privacy is currently based on a reasonable expectation which comprises a "subjective expectation of privacy that is objectively reasonable".27

25 Bernstein v Bester 1996 2 SA 751 (CC) para 67.

26 Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd 2001 1 SA 545 (CC) para 15; Centre for Child Law v Media 24 Limited 2020 4 SA 319 (CC) para 45.

27 Centre for Child Law v Media 24 Limited 2020 4 SA 319 (CC) para 45.

28 Preamble to POPIA.

29 Neethling 2005 SALJ 20; Roos 2007 SALJ; Naude and Papadopoulos 2016 THRHR 53.

30 National Coalition for Gay and Lesbian Equality v Minister of Justice 1999 1 SA 6 (CC) para 35. Also see Bernstein v Bester 1996 2 SA 751 (CC) para 67, where the court noted "that rights should not be construed absolutely or individualistically in ways which denied that all individuals are members of a broader community." See further, Roos "Data Privacy Law". On the constitutional limitation of rights see Dawood v Minister of Home Affairs 2000 3 SA 936 (CC). See further Woolman and Botha "Limitations" 34-01–34-134.

31 SALRC Project 124 – Report 1.

It is now trite that the right to privacy includes a right to protection from the unlawful collection and use of personal information (data protection);28 and further it is accepted that processing personal information is conduct that potentially threatens the right to privacy.29 Accordingly, in addition to constitutional frameworks, most jurisdictions around the world are subject to specific national or international laws that set out principles in relation to data processing and provide a clear basis upon which a person's data must be collected, processed, and disseminated.

As is the position with all constitutional rights in South Africa, the right to privacy is not absolute. It must be balanced against other competing interests and rights (a point noted in POPIA's Preamble). Accordingly, it may be limited in terms of section 36 of the Constitution (the colloquially named limitations clause) which allows rights to be limited by way of a law of general application provided that the limitation is reasonable and justifiable in an open and democratic society.30

2.2 A dedicated data protection framework – at last!

2.2.1 Overview

On 17 November 2000 the South African Law Reform Commission (SALRC) approved an investigation into Privacy and Data Protection.31 After detailed discussion in three lengthy documents spanning almost a decade,32 the SALRC recommended the promulgation of a "general information protection statute" known as the Protection of Personal Information Bill (first in the October 2005 Discussion Paper, and then in its final report published in August 2009).33

32 SALRC Project 124 – Issue Paper 24; SALRC Project 124 – Discussion Paper 109; SALRC Project 124 – Report.

33 For early discussion on the Bill, see Neethling 2012 THRHR 241.

34 GN 912 in G 37067 of 26 November 2013.

35 GN 10173 in GG 37544 of 11 April 2014 where s 1 (definitions), part A of ch 5 (dealing with the Information Regulator), ss 112 and 113 (dealing with regulations to the Act) were made effective.

36 GN 11136 in GG 43461 of 22 June 2020 where it was proclaimed that ss 2-38, 55-109, 111 and 114(1)-(3) will be effective from 1 July 2020. Ss 110 (amendment of laws) and 114(4) (transitional arrangements) will be effective as from 30 June 2021. Regulations to POPIA, which are largely administrative in nature, were published in GN 1383 GG 42110 of 14 December 2018.

37 Roos 2007 SALJ 402-403; Naude and Papadopoulos 2016 THRHR 52-53.

38 Buthelezi 2013 De Jure 783.

POPIA was promulgated on 19 November 201334 following this deliberate and sluggish law reform process. Certain provisions (relating to the definitions and Information Regulator)35 were made effective from 11 April 2014, with the bulk of the Act effective from 1 July 2020.36 Importantly, in terms of section 114(1) of POPIA, persons have twelve months from the effective date of 1 July 2020 to conform with the provisions of the Act. Consequently, all parties must be fully compliant with the provisions of POPIA by 1 July 2021. Finally, the Minister responsible for the administration of justice (currently Mr Ronald Lamola), of his own accord or in consultation with the Information Regulator, may in terms of section 114(2) extend the date for compliance from one year to a maximum period of three years (the very latest date possible would therefore be 1 July 2023 for full compliance with the Act) – however, given the lengthy period of time leading up to the Act's implementation and the detailed law reform that led to the Act, it seems that the initial grace period of one year is more than sufficient.

2.2.2 Data protection: Common law position prior to the Protection of Personal Information Act

Data protection can be defined as legal protection in relation to the collection, processing, storage and deletion of personal information.37 Prior to POPIA a person would invariably have had to rely on common law personality rights to privacy and/or identity to enforce her rights in relation to the unlawful use of personal information.38

The South African common law has recognised the right to privacy as an independent personality right since the landmark matter of O'Keeffe v Argus Printing and Publishing Co Ltd.39 Although the concept of informational privacy falls within the right to privacy,40 where false or misleading information is processed or published, the cause of action may also involve another personality right – the right to identity.41 The primary distinction between privacy and identity personality rights in this context is that an infringement of privacy relates to the disclosure or unlawful use of true facts relating to a person's true image; whereas with an infringement of identity, the conduct in question relates to a publication or use of false or misleading facts in relation to a person's image or identity.42

39 O'Keeffe v Argus Printing and Publishing Co Ltd 1954 3 SA 244 (C). See also Millard and Bascerano 2016 PELJ 6-7; Neethling 2005 SALJ.

40 Millard and Bascerano 2016 PELJ 6; Neethling 2005 SALJ 20.

41 Roos 2007 SALJ 422; Neethling 2005 SALJ 23-25; Buthelezi 2013 De Jure 783.

42 Neethling 2005 SALJ 24; Naude and Papadopoulos 2016 THRHR 53-54; Buthelezi 2013 De Jure 783. Also see Kidson v South African Associated Newspapers 1957 3 SA 461 (W), which involved what appears to be the first reported case dealing with the right to identity, and Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 4 SA 376 (T), which dealt with false publication of facts or a "false light" matter.

43 Jansen Van Vuuren v Kruger 1993 4 SA 842 (A); Millard and Bascerano 2016 PELJ 6; Naude and Papadopoulos 2016 THRHR 54.

44 For the requirements for an interim and final interdict, see Akoo v Master of the High Court (5612/11) [2012] ZAKZPHC 45 (31 July 2012) paras 13-14.

45 National Media Limited v Jooste 1996 3 SA 262 (SCA); McQuoid-Mason 2000 Acta Juridica 228; McQuoid-Mason "Privacy" 38-01–38-43; Naude and Papadopoulos 2016 THRHR 54.

46 McQuoid-Mason "Privacy" 38-03–38-04.

47 McQuoid-Mason "Privacy" 38-03–38-04.

In terms of the common law position, the appropriate remedy is the actio iniuriarum (a delictual remedy which aims to compensate a person for non-patrimonial loss to personality),43 the actio legis aquiliae (a delictual remedy which compensates a person for patrimonial loss), or an interdict (which would prevent a person from causing further damage).44 For either the actio iniuriarum or the actio legis aquiliae, a plaintiff would need to show that the infringement of privacy (in relation to true data) or identity (in relation to false data linked to the person) was wrongful and intentional or negligent.45 Wrongfulness is measured objectively and in terms of public policy,46 and as noted by Naude and Papadopoulos, a plaintiff must show more than a factual infringement of personality rights – the infringement would need to be objectively wrongful and fault must be present in the form of negligence or intention.47

2.2.3 Data protection: Legislative position prior to the Protection of Personal Information Act

As noted by Roos,48 as well as Naude and Papadopoulos,49 there are several pieces of legislation that were relevant (albeit indirectly at times) to data protection prior to POPIA's promulgation – the Promotion of Access to Information Act (PAIA),50 the Electronic Communications and Transactions Act (ECT Act),51 the Regulation of Interception of Communications and Provision of Communication-Related Information Act (RICA),52 the Consumer Protection Act (CPA),53 and the National Credit Act (NCA).54

48 Roos 2007 SALJ 424-433.

49 Naude and Papadopoulos 2016 THRHR 56-59.

50 Promotion of Access to Information Act 2 of 2000 (PAIA).

51 Electronic Communications and Transactions Act 25 of 2002 (ECT Act).

52 Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002 (RICA).

53 Consumer Protection Act 68 of 2008 (CPA).

54 National Credit Act 32 of 2005 (NCA).

55 For example, ss 37 and 65 of PAIA.

A full discussion of these instruments is beyond the scope of this article – however, in summary: PAIA, a freedom of information statute, contains some provisions which seek to protect a person's data,55 but that Act does not directly regulate data protection. The ECT Act played the most direct role in relation to data protection in that it contained two specific provisions regulating the issue: sections 50 and 51. However, these sections covered electronic transactions only, were voluntary, and were both repealed by POPIA with effect from 30 June 2021. Although RICA makes it unlawful to intercept any communications unless authorised in terms of the Act, the statute does not provide any direct protection in relation to personal information. Finally, as is the case with PAIA and RICA, the NCA and CPA do not directly regulate data protection, but these two Acts do provide a framework to ensure that in the context of consumer credit and all other consumer transactions, the manner in which a consumer's data can be used is limited and regulated.

2.2.4 The medical-legal framework in relation to health research

In the context of health research, prior to POPIA the National Health Act 61 of 2003 (NHA), the Health Professions Act 56 of 1974 (HPA), and the South African Medical Research Council Act 58 of 1991 (SAMRC Act) provided – and continue to provide – a framework for treating patient data privately and ethically (patients are defined in the NHA as "users").

The NHA seeks to give effect to section 27 of the Constitution, which provides for access to health.56 The Act sets out overall responsibility for the right to health care and provides a framework for the realisation of this critical right. It sets out, inter alia: the rights and duties of health care personnel (as well as for users of the health care system); a national department of health and its responsibilities; a health council; a provincial health care structure; health establishments; and a national health research committee (as well as a range of matters for separate regulations). It is a wide-ranging Act dealing with several issues beyond the scope of this article. However, for present purposes sections 14-17 of Chapter 2 are directly relevant in that they deal with confidentiality, access to health records, and protection of health records. Section 14 sets out the basis for the protection of a person's medical records by providing that any information relating to a person's health status, treatment, or stay at a health establishment is confidential (subject to: that person’s providing consent to disclose the information, a court order, or the interests of public health). Section 15 provides that personal information in the context of health care may be used for legitimate purposes by health care workers or providers, which use will facilitate effective treatment of the patient. Section 16 allows a health care provider to access a person's medical records for the purposes of providing treatment with the consent of the user, or for research, study and teaching purposes with the consent of the user and with the consent of the health establishment and its research ethics committee – provided that if no information as to the identity of the user is contained in the record (it is appropriately anonymised), authorisation is not required. 
Section 17 provides for the protection of health records and obliges a health establishment to create reasonable control measures to prevent unauthorised access. A person who uses or accesses patient information improperly may be convicted of an offence and is liable on conviction to up to one year in prison and a fine.

56 Stevenson National Health Act Guide.

57 DoH Ethics in Health Research.

Further, in the context of patient data used in health research, the South African National Health Research Ethics Council in terms of section 72 of the NHA has published a comprehensive guide on ethics in health research.57 In addition to the NHA, the HPA establishes a Health Professions Council which is responsible for guiding the medical profession. Although the enabling provisions which require confidentiality are set out in the NHA (see directly above), the HPA is mandated to provide health care practitioners with guidance on a variety of important issues that relate to medical practice. The Council has therefore published detailed ethical guidelines for medical practitioners, including guidance on confidentiality in booklet 5 (confidentiality: protecting and providing information).58 This booklet seeks to explain the standards required by medical professionals in relation to handling patient information. In addition, booklet 13, which deals with ethical guidelines for health researchers, further explains the duties relating to confidentiality and sets out the circumstances in which a practitioner may divulge patient information (consent, in terms of a statute, in terms of a court order, or in the public interest). This guidance document specifically refers practitioners to POPIA and the various obligations placed on parties therein.59

58 HPCSA date unknown https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf.

59 See clause 13 (HPCSA date unknown https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf) on data and specimen storage and transfer.

60 SAMRC 2018 https://www.samrc.ac.za/sites/default/files/attachments/2018-06-27/ResponsibleConductResearchGuidelines.pdf.

61 In addition to the above, in the context of transferring human biological specimens, see the Material Transfer Agreement (MTA) in GN 719 in GG 41781 of 20 July 2018.

62 Roos 2007 SALJ 433.

63 Roos 2007 SALJ and Naude and Papadopoulos 2016 THRHR.

The SAMRC Act, in terms of section 3, intends to promote the improvement of health and the quality of life, and seeks to ensure that its researchers conduct themselves ethically and responsibly. A set of guidelines60 has been produced by the Council, and this is consistent with the guidance produced pursuant to the NHA and HPA.

As a result, in relation to patient data and health research, the legal framework that existed prior to POPIA was already substantial.61 In this context, researchers are already accustomed to the concepts of informed consent, data protection and confidentiality. However, POPIA will provide more nuance and detail in the way persons approach the management of data and specific consent, as will be elaborated on further below.

2.2.5 Promulgation of the Protection of Personal Information Act

Roos62 notes that the data protection provided by the common law and legislation in place prior to POPIA was inadequate and did not provide sufficient protection when compared to international norms. Prior to POPIA it could be said that users could not always fully control how their data were used; further, a user's right of recourse was limited to traditional delictual principles which were not nuanced enough to provide the detailed protection required (or limited to action in terms of a breach of the NHA and/or misconduct by a medical professional in terms of the HPA).63 Insofar as the consumer legislation was concerned, it was not designed with data protection as a key objective in mind (other than a small part of the ECT Act, but this data protection regime was flawed in that it was voluntary, and it applied to electronic transactions only). Consequently, prior to POPIA users did not have adequate protection in relation to personal information.

As a result, POPIA was certainly required to address the legislative lacuna that existed, and to bring South Africa in line with international norms, particularly in light of the increasing use of technology and new societal trends such as Big Data and targeted advertising.

3 Health research in South Africa

3.1 Informed consent: the point of departure

As a point of departure, in terms of the NHA health research requires the informed consent of the participants.64

64 Section 71 of the National Health Act 61 of 2003 (NHA). Also see Stein 2020 SAJBL.

65 SAMA 2012 https://www.samedical.org/images/attachments/guideline-on-informed-consent-jul012.pdf.

66 Stoffberg v Elliott 1923 CPD 148; Richter v Estate Hamman 1976 3 SA 226 (C); Castell v De Greef 1994 4 SA 408 (C). See Britz and Le Roux-Kemp 2012 SAMJ; Chima 2013 BMC Medical Ethics.

67 DoH Ethics in Health Research 15.

68 Manyonga et al 2014 SAMJ.

69 Section 12 of the Constitution of the Republic of South Africa, 1996.

70 Moore and Slabbert 2013 SAJBL.

According to the South African Medical Association, informed consent is where:

… sufficient information is provided to the patient to make an informed decision and that the patient actually understands the information and the implications of acting on that information.65

Informed consent has been a part of South African law for almost one hundred years;66 and gives effect to an individual's dignity67 and autonomy.68 The Constitution guarantees the right to freedom of a person, which includes informed consent in relation to medical or scientific experiments.69 More recently, the NHA codified informed consent in sections 6-9,70 the gist of these sections being that a person should have full knowledge of the procedure or process and provide informed consent thereto (subject to the exceptions listed in sections 7 and 9 of the NHA). Further, the HPCSA's ethical guidelines for good practice in terms of the HPA provide guidance on the ethical considerations relevant to informed consent in booklet 4, which should be read together with booklet 13, which provides general ethical guidelines for health researchers.

In relation to health research specifically, section 71(1) of the NHA provides that notwithstanding anything to the contrary in any other law, research involving a living person may be conducted only with the written consent of a person "after he or she has been informed of the objects of the research or experimentation and any possible positive or negative consequences on his or her health." Furthermore, section 71(1)(a) provides that research involving a living person may be conducted only in the prescribed manner. In September 2014 regulations to the NHA were published which prescribe the way it should take place.71 In terms of section 2, "appropriate consent processes" must always be carried out. In terms of section 5, human participants or their legally authorised representatives must be informed of:

71 GN R719 in GG 38000 of 19 September 2014.

(a) the purpose of the research;

(b) the methods and procedures, including possible randomisation;

(c) alternatives to participation in the research;

(d) the potential harms and risks of harm posed by the research;

(e) the expected benefits of the research;

(f) the freedom to choose to participate or not, or to withdraw from the research without penalty or reason;

(g) the extent to which confidentiality and privacy will be maintained;

(h) details of the contact person in the event of a query or research-related injury;

(i) reimbursement and/or incentives given for participation;

(j) information about the sponsor;

(k) any potential conflict of interests;

(l) information about approval from the health research ethics committee or the Medicines Control Council, where relevant;

(m) insurance in the event of research-related injury, for more than minimal risk research; and

(n) the availability of beneficial products or interventions post-research.

In addition to the regulations published pursuant to section 71, section 72 of the NHA establishes a National Health Research Ethics Council (NHREC). Section 72(6) provides inter alia that the NHREC must set norms and standards for conducting health research. This latest set of norms is set out in the second edition of Ethics in Health Research: Principles, Processes and Structures72 – informed consent is a key standard set out in these norms, and detailed guidance is provided in relation to how a researcher obtains informed consent, along with applicable principles in relation thereto.73

72 DoH Ethics in Health Research.

73 See DoH Ethics in Health Research paras 2.3.6, 3.1.9 and 3.3.6. In the context of transferring human biological specimens, also see the MTA in GN 719 in GG 41781 of 20 July 2018.

74 SAMRC 2018 https://www.samrc.ac.za/sites/default/files/attachments/2018-06-27/ResponsibleConductResearchGuidelines.pdf.

75 See Townsend and Thaldar 2019 SAJHR para 3 for a discussion on consent in this context. For a foreign perspective on the differing types of informed consent, which include tiered consent, broad consent, open consent and dynamic consent, see Dankar et al 2020 CSBJ.

76 DoH Ethics in Health Research.

Finally, in terms of the SAMRC Act the SAMRC has provided guidelines on the responsible conduct of research74 (SAMRC Guidelines) to ensure that researchers conduct research ethically, responsibly, and in compliance with applicable law. As expected, informed consent is a critical part of the guidelines, and these guidelines largely mirror what is contained in the publication produced by the NHREC.

3.2 Types of consent in health research in South Africa

With informed consent being a key pillar to the legal-ethical framework in South Africa, and before moving to consider POPIA, it is necessary to reflect on the types of informed consent that are applicable in the legal frameworks governing health research locally.75

The NHA does not directly distinguish among types of consent, but the Department of Health's second edition of Ethics in Health Research: Principles, Processes and Structures76 (the DoH Ethical Guidelines) does, and refers to three types of informed consent in the context of biological material and data:

i. Narrow (restrictive) consent: the donor permits use of the biological specimen for single use only; no storage of leftover specimen; and no sharing of data or specimen. This form necessitates new consent if further use is desirable.

ii. Tiered consent: the donor provides consent for the primary study and chooses whether to permit storage for future use, sample and data sharing.

iii. Broad consent: the donor permits use of the specimen for current research, for storage and possible future research purposes, even though the precise nature of future research may be unclear at present.

Importantly, clause 3.3.6 of the DoH's Ethical Guidelines, dealing with informed consent in the context of biological material and data, recommends that consent should be "broad enough to allow for future and secondary uses of data".77 The practice of broad consent is therefore not only endorsed, but encouraged.

77 DoH Ethics in Health Research para 3.3.6.

78 Staunton et al 2019 SAMJ.

79 DoH Ethics in Health Research para 3.3.6; SAMRC 2018 https://www.samrc.ac.za/sites/default/files/attachments/2018-06-27/ResponsibleConductResearchGuidelines.pdf para 9.2.4.

80 For more detail on these eight conditions, see De Stadler and Esselaar Guide to the Protection of Personal Information Act; Burns and Burger-Smidt Commentary on the Protection of Personal Information Act.

81 Roos 2020 CILSA.

Similarly, in the context of biological material and data the SAMRC Guidelines define broad consent on the same basis – in fact verbatim – as the DoH's Ethical Guidelines above, and also endorse and encourage the practice of obtaining broad consent. Accordingly, prior to POPIA it was acceptable from a legal and ethical point of view in the field of biological material and related data to obtain informed consent in the form of broad consent from research participants.78

However, it should be noted that both the DoH's Ethical Guidelines and the SAMRC Guidelines discourage so-called "blanket" consent (the term is not defined),79 but this term usually describes a situation where donors provide biological material to be used without restriction.

3.3 The position in terms of POPIA: broad or specific consent?

POPIA is based on eight conditions which set out how personal information should be lawfully processed.80 These principles (and the Act in general) are consistent with international law.81 Central to these principles are the definitions of personal information and special personal information. Both are defined widely; personal information refers broadly to any information that identifies a natural or juristic person, whereas special personal information refers inter alia to "health or sex life or biometric information". As a result, in most medical research contexts a person will be processing special personal information. Accordingly, in addition to the sections in Chapter 3, Part A (sections 8-25), researchers must consider Chapter 3, Part B as well. This applies to special personal information (sections 26-35).

As a starting point, unlike the NHA, POPIA defines consent. It is defined as:

any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information.

It is therefore immediately clear that unlike the medical-legal framework set out in the NHA read together with the DoH's Ethical Guidelines and the SAMRC Guidelines,82 POPIA – which should be referred to as the privacy framework, or "privacy layer"83 in relation to data compliance in health research – requires consent to be specific as well as informed.

82 GN 719 in GG 41781 of 20 July 2018.

83 Townsend and Thaldar 2019 SAJHR 350.

In addition to the preamble, which provides that POPIA is in place to introduce conditions for the processing of personal information, sections 2 and 3 of POPIA provide further insight into how a person should approach interpreting the Act. Section 2(a) provides that the purpose of the Act is to give effect to the right to privacy, but it is noted that this is balanced against other rights, such as the right to access to information, and the free flow of information within the Republic and across international borders. Section 2(b) and 2(c) go further to state that the purpose of the Act is to regulate the way personal information is processed, and to provide persons with rights and remedies. It is therefore apparent that the central aim of POPIA is to regulate how personal information is collected, used, and stored.

Critically, section 3(2) stipulates that POPIA applies to the exclusion of any provision of any other legislation that regulates the processing of personal information where it is materially inconsistent with an object or specific provision of the Act. Therefore, it is the clear intention of the legislature that where there is some conflict in how personal information should be handled, POPIA will apply.

Section 13 of POPIA is an important section in this debate, and reads as follows:

13. Collection for specific purpose - (1) Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party.

The words used are clear, and there are no hidden meanings, nor are there difficult phrases or technical concepts to grapple with: the section requires persons who collect data to do so for a specific and explicitly defined purpose.

Section 15(1) allows further processing of personal information if it is compatible with the purpose of collection "in terms of section 13". As a starting point, on a plain reading of the legislation, section 13 must be complied with as a prerequisite before one can rely on section 15. This is so because section 13 deals with the collection of data whereas section 15 deals with the further processing of data that has already been collected.84 In addition, section 15 refers back to section 13 and specifies that the further processing is subject to its being compatible with the purpose – which must be specific and explicitly defined – in section 13.

84 Thaldar and Townsend 2020 SAMJ 173.

That aside, section 15(3) provides that personal information can be processed further for research purposes if the further processing is carried out solely for research, and if it will not be published in an identifiable form. However, it is apparent that further processing is exactly that – processing that takes place over and above the initial processing (in other words, it is secondary processing). This secondary processing, or the secondary use of data is permissible, but subject to: i) the original data being collected for a specific and explicitly defined purpose (in terms of section 13, read together with sections 1, 2, and 3); and ii) the purpose is for research and the data will not be published in an identifiable form (in terms of section 15).

Sections 1, 13, and 15 are only the start of the appropriate sections of POPIA in a health research setting. It is likely that in most health research contexts, participant data will be classified as special personal information. As a result, in terms of section 26 there is a prohibition on processing that type of data as the point of departure, but the prohibition does not apply in terms of section 27(1)(a) if a data subject provides consent. The consent, as explained above with reference to section 1, must be informed and specific.

Of course, as with the conditions regulating personal information in terms of Part A of Chapter 3 of POPIA, consent is not the only legal basis upon which a responsible party may process special personal information. The prohibition on processing special personal information will not apply (and consent will not be required) in terms of section 27(1)(d)(i) if the processing is required for research purposes and it serves a public interest or further, in terms of section 27(1)(d)(ii), if the processing is for research purposes and it is impossible to ask for consent or asking for consent will involve a disproportionate effort (note that there is no need to satisfy a public interest requirement in terms of the exemption in 27(1)(d)(ii)). Both exemptions require sufficient guarantees to ensure that the processing does not adversely affect the individual's privacy to a disproportionate extent. How does one determine whether a data subject's privacy is not disproportionately affected? This will need to be determined on a case-by-case basis and will depend on the nature of the data and the study involved. The research team may adopt measures such as pseudonymisation and/or may limit the persons who have access thereto and/or ensure that a minimal amount of identifiable information is published in the final findings of the research. It is expected that the imminent POPIA Code of Conduct produced by ASSAf will provide further guidance on this.85

85 A POPIA Code of Conduct for Research is in the process of being prepared by the ASSAf and will further elaborate on consent in research. It was anticipated that the first version of this code will be published by 1 July 2021. See Adams et al 2021 S Afr J Sci.

86 The term "process" is defined to include collection.

87 A research facility that stores biological samples for the purposes of health research.

88 In terms of the NHA definitions see DoH Ethics in Health Research.

Given the above, in research instances where broad consent was initially used this type of consent will, on the face of it, not be valid for the purposes of POPIA in terms of section 1 read together with section 13. But what about the research exemptions? On a plain reading of the legislation, section 27 does not override the conditions in Part A of Chapter 3, and specifically it does not appear to override condition 3, purpose specification (the same can be said for the exemption for further processing in terms of section 15). Therefore, even if research processes86 data in terms of section 27(1)(d), which is justifiably without consent, the research team will still need to comply with the rest of POPIA's conditions, including section 12 (collection directly from a data subject), section 13 (purpose specification), and section 18 (notification to data subject when collecting information) – subject of course to the exemptions in those sections and generally contained within POPIA.

For the sake of argument, assume a biobank87 obtained consent from users in the form of broad consent where the donor permitted the use of her specimen for a specified research project X, as well as for future unknown research. This type of consent, although classically defined as broad,88 may well allow a biobank to re-use the specimen for further research in a new project without new consent. Let us assume that the specimen was collected for purpose X in 2015. In 2021 the biobank would like to use the specimen for purpose Y. Arguably, even though the initial consent obtained in 2015 was broad in nature, it may satisfy section 13 in that the data were collected for research purpose X, if that original consent spoke in enough detail to the purpose X for which it was originally collected. Therefore, if the original "broad" consent was in fact, initially anyway, for a specific, explicitly defined and lawful purpose, then section 13 will be satisfied. As a result, the re-use of the specimen for a new purpose Y could be justified in terms of section 15 (if the further processing for purpose Y was compatible with the original purpose X, and if not published in an identifiable form). In addition, if the research was in the public interest, or if it would involve a disproportionate effort to ask for new consent, then in terms of section 27 new consent would not be required, and the data could be used or re-used (subject to the internal qualifications in section 27). Therefore, although broad consent may at first blush appear to be inconsistent with POPIA, depending on the nature of the broad consent, it may still satisfy section 13, which would then allow a responsible party to use or re-use the data in terms of the exemptions in sections 15 and 27.

Much will therefore depend on the wording and nature of the consent initially obtained, and the exemption one seeks to rely on if consent is not possible. If it is established that the original consent is too broad to comply with section 13, then participants will need to be recontacted or the data will need to be de-identified to the extent that it cannot be re-identified again, so that POPIA does not apply.89 Therefore, the point of departure must always be that data are collected for a specific and explicitly defined purpose. As a result, a research team that has relied on broad consent as a starting point may need to obtain fresh specific consent unless one can satisfy section 13 (amongst other sections), and then rely on the exemptions in section 15 or 27.

89 Section 6(b) of POPIA.

90 Staunton et al 2019 SAMJ; Thaldar and Townsend 2020 SAMJ.

91 For a discussion on the distinction between these two similar fields of medical research, see National Human Genome Research Institute 2021 https://www.genome.gov/about-genomics/fact-sheets.

Given the complexity of the above, there is some academic debate90 as to how sections 13 and 15 and POPIA in general should be interpreted in a specific field of health research: genomic and genetic research.91 The debate appears to stem from a conference held in Cape Town in February 2019: The Governance of Data Sharing for Genomic and other Health Related Data in Africa.

Following this conference, an opinion piece in Science suggested that POPIA will "impede" health research, and "limit secondary use of data and hamstring international collaborations".92 The opinion further suggests that "POPIA's restrictive effects were only pointed out [in 2018]". As noted by Thaldar and Townsend,93 this is an odd claim. As pointed out above in paragraph 2.2.1, POPIA has been in the making for well over a decade, and was promulgated in 2013. To suggest that its effects have only recently become known seems a strange claim to make some eight years after promulgation, and a claim no serious lawyer, ethicist or researcher can validly make.

92 Nordling 2019 Science.

93 Thaldar and Townsend 2020 SAMJ.

94 Townsend and Thaldar 2019 SAJHR 350.

That notwithstanding, even as it stands, POPIA is unlikely to impede health research. A researcher in the field of health sciences should just comply with POPIA and request specific and informed consent as required by sections 1, 13 and 27(1)(a) of POPIA (read together with the various other pieces of relevant legislation). As Thaldar and Townsend point out, provided that the initial collection of information transpired with specific consent, POPIA offers research exceptions that allow researchers to conduct further research with such information even without having to obtain consent anew.94 The legislature has clearly sought to balance the right to privacy with the free flow of information and the use of personal information. In any event, in many instances the "broad" consent used by biobanks and other health researchers may well have been achieved in a way that allows the further use of the data based on the exemptions above without having to get new consent.

It therefore appears that POPIA will not hamstring international collaborations, but rather will place an obligation on parties to treat data in a manner that is sensitive to the right to privacy, and in a manner that is consistent with international norms. This should be welcomed, not frowned upon – because in addition to the right to privacy, the framework in POPIA, which will add a new layer for researchers to consider, further animates an individual's right to dignity and autonomy. In the age of Big Data, smart-phones and e-mail, even in a country like South Africa, mobile phone and internet penetration means that locating participants and communicating with them should in most circumstances not involve disproportionate effort, and research teams should make allowance for new developments in our law and seek to ensure compliance rather than try to avoid it. That notwithstanding, researchers should be cognisant of the fact that consent is not the only basis to lawfully process data.

Be that as it may, in two recent short articles95 a team led by an academic from Middlesex University in the United Kingdom make three findings that require further discussion. Namely, that: a) section 15 rescues researchers from the "strict consent" provisions of POPIA; b) a purposive approach of POPIA permits broad consent for the further processing of health information; and c) POPIA must adhere to the DoH Ethical Guidelines.

95 Staunton and De Stadler 2019 SAMJ; Staunton et al 2019 SAMJ.

96 Bertie Van Zyl (Pty) Ltd v Minister for Safety and Security 2010 2 SA 181 (CC) para 21.

97 Bato Star Fishing (Pty) Ltd v Minister of Environmental Affairs and Tourism 2004 4 SA 490 (CC) para 91.

98 Bertie Van Zyl (Pty) Ltd v Minister for Safety and Security 2010 2 SA 181 (CC) para 21.

99 Stopforth v Minister of Justice 2000 1 SA 113 (SCA) para 21.

To address these opinions, it is necessary to first consider South Africa's position on the interpretation of statutes.

4 Interpretation of statutes in South Africa

4.1 Overview of the techniques used in statutory interpretation

It is now trite that South Africa's Constitution requires a purposive approach to statutory interpretation.96 As explained in Bato Star Fishing (Pty) Ltd v Minister of Environmental Affairs and Tourism:97

The technique of paying attention to context in statutory construction is now required by the Constitution, in particular, s 39(2). As pointed out above, that provision introduces a mandatory requirement to construe every piece of legislation in a manner that promotes the "spirit, purport and objects of the Bill of Rights".

However, importantly, the Constitutional Court has confirmed that a "purposive reading of a statute must of course remain faithful to the actual wording of the statute".98 Earlier, in Stopforth v Minister of Justice,99 the SCA provided a practical guide on how to achieve a purposive interpretation by stating that one must:

(i) look at the preamble of the Act or at the other express indications in the Act as to the object that has to be achieved;

(ii) study the various sections wherein the purpose may be found;

(iii) look at what led to the enactment (not to show the meaning, but also to show the mischief the enactment was intended to deal with);

(iv) draw logical inferences from the context of the enactment.

Applying the jurisprudence in relation to purposive interpretation to POPIA, one must consider the following questions: what is the primary purpose of the Act? What led to its promulgation? What does the preamble say? What do the sections themselves say? What is the overall context of the Act?

As outlined above, POPIA's primary purpose is to give effect to the right to privacy by setting out principles that regulate how personal information should be collected and processed. The "mischief" that POPIA is trying to deal with is the unlawful collection, retention, dissemination and use of personal information. The preamble makes it clear that the right to privacy must be balanced against other rights, such as to the free flow of information. The Act seeks to therefore regulate personal information in a manner that respects the right to privacy, but does so by also ensuring that "unnecessary impediments" to the free flow of information are removed.

Given that POPIA is fairly new, one should also have regard to the process that led to its promulgation. Prior to its enactment, in the SALRC final report,100 in the context of the further use of personal information, it was stated that: "The idea of limiting use of personal information only for purposes specified at the time of collection (or compatible purposes or those authorised by the individual concerned or by law) lies at the heart of any information protection law."

100 SALRC Project 124 – Report 207 para 4.2.138.

Importantly though, although one needs to consider more than simply the ordinary meaning of the words concerned, the actual words used in the statute are a pivotal and decisive consideration. One therefore cannot use a purposive approach to achieve an aim that is contrary to the intended meaning of the section concerned.

4.2 Does a purposive approach to POPIA permit broad consent for the further processing of health information? Does section 15 rescue researchers from the consent provisions of POPIA?

With the context above in mind, and understanding the purpose and background to POPIA, armed further with the knowledge of the mischief it is trying to deal with, section 13 of POPIA is crystal clear – it deals with the collection of personal information and states plainly that it must be collected for a specific and explicitly defined purpose. Consent is also clearly defined as being voluntary and specific. Therefore, based on a plain reading of section 13 and section 27(1)(a) together with the definition of consent, along with the purposive tools above, specific consent is the inescapable destination one must arrive at.

Section 15 deals with further processing, which must be compatible with the purpose of collection. Therefore, at the time of the original processing, in order for a research team to comply with POPIA, data must be collected for a specific, explicitly defined purpose. Section 15 cannot save a research team simply because that section deals with further processing. Further processing cannot take place lawfully without the original processing taking place in terms of section 13. On a purposive interpretation of POPIA, health information must initially be collected by obtaining specific consent and outlining an explicitly defined purpose. Thereafter, if the data need to be processed for secondary purposes, this can be achieved in terms of section 15 (and section 27) without seeking new consent if it is compatible with the original purpose. In this context, one cannot divorce section 15 from section 13 – the two are inextricably linked. It would lead to an absurd result if one ignored section 13 and arrived at the further processing of data without considering how those data were originally collected. It would also be an interpretation that would not be faithful to the very clear wording of section 13 if section 15 were considered in isolation.

However, although a purposive interpretation of POPIA favours specific consent, it cannot be said that broad consent will always be impermissible – particularly if one relies on the definitions in the DoH Ethical Guidelines. As a result, the nature of the consent must be analysed to determine if – although classically referred to as broad in nature – a specific and explicitly defined purpose was originally agreed to. As a result, if a research team processes data without complying with section 13 and other parts of Chapter 3, Part A (sections 8-25), that team may well be acting lawfully in terms of the NHA, but they may be doing so in contravention of POPIA.101 Holistically, these sections and principles cannot be said to harm the free flow of information; nor can they be said to impede research. The legislature has intentionally inserted exceptions for research, and one must assume that these restrictions were put in place to ensure adequate protection for the right to privacy. Importantly, there are other parts of the Act that directly facilitate the free flow of information (such as exemptions which can be created by the Regulator, and section 72 dealing with foreign transfers of data); but those aside, data can flow freely if the principles of the Act are complied with.

101 Burns and Burger-Smidt Commentary on the Protection of Personal Information Act 63.

Finally, must POPIA adhere to the DoH Ethical Guidelines? In short – no. POPIA cannot be said to be subordinate to the DoH guidelines. POPIA regulates personal information, and although it is not superior to the NHA, it is certainly not subordinate to guidelines that are published pursuant to the NHA. Each act stands alone, and compliance with the one will not necessarily indicate compliance with the other. They should be read together but are independent. There is no legal basis to suggest that POPIA must comply with the DoH guidelines. POPIA introduces new dynamics for research teams to consider. The law evolves, as does society, and parties must be prepared to move with the times. As noted by the SALRC, privacy is an issue whose time has come.102

102 SALRC Project 124 – Report 13.

103 GN 10173 in GG 37544 of 11 April 2014.

104 Information Regulator 2021 https://www.justice.gov.za/inforeg/.

5 Going forward: exemptions, codes of conduct and the role of the Information Regulator

The Information Regulator established in terms of section 39 of POPIA has an array of duties imposed on it in terms of section 40. The sections of POPIA that establish the Regulator and provide for its duties have been in effect longer than many other portions of the Act,103 and that office now appears to be fully staffed in anticipation of the full implementation date.104 For the present purposes, in terms of section 40(1)(a) the Regulator must provide education and promote an understanding of POPIA. Given the uncertainty, the academic debate and the vast importance of health research, it is suggested that the Regulator produce a guidance note clarifying the interaction between sections 13, 15 and 27 in the context of health research in the public interest, and comment decisively on the legal status of broad consent in terms of the Act.

In addition, in terms of section 40(1)(f) the Regulator may issue codes of conduct. In late 2020 ASSAf announced that it will be consulting with relevant parties with a view to producing a code of conduct for all scientific research activity, and will aim to submit this code to the Regulator for publication. As a result, it is hoped that this code of conduct will take account of the issue of specific and broad consent, and consider the interaction among sections 13, 15 and 27.

Those issues of clarity aside, in terms of section 27(2) a responsible party may make application to the Regulator to authorise the processing of special personal information "if such processing is in the public interest and appropriate safeguards have been put in place to protect the personal information of the data subject." Accordingly, it is open to a party to make this application to the Registrar for the avoidance of any doubt.

Similarly, in terms of section 37 a party may apply to the Regulator for an exemption from conditions of processing personal information if the public interest outweighs the interference in privacy, or where the processing involves a clear benefit to the data subject. Specifically, section 37(2)(e) includes research as falling within the ambit of public interest, and in an instance where a responsible party cannot comply with POPIA, this section should be considered.

Further, in terms of section 40(1)(b)(ii), section 40(1)(e) and section 40(1)(h), the Regulator should conduct research and monitor developments. This should probably review the position in comparable foreign jurisdictions and consider how health research should be conducted in the light of technological advancements and the public interest. This will allow the Regulator to fully assess applicable codes of conduct, make changes where appropriate, and as the legislation matures generally allow for a more nuanced approach to data protection in the context of health research. Without doubt, the Regulator will play a critical role in education, compliance and shaping the way health research continues in South Africa.

6 Conclusion

POPIA does not stand alone, and it exists as part of a complicated legal framework.105 In the context of medical research, POPIA is one part of the legislative puzzle. It should be read together with the NHA, the DoH's Ethical Guidelines, the SAMRC Guidelines, and any applicable agreements – such as the Material Transfer Agreement (MTA).

105 Townsend and Thaldar 2019 SAJHR; Staunton et al 2019 SAMJ 470.

This article has sought to answer the following question: does POPIA require broad or specific consent from persons who take part in health research? If one considers the applicable sections of POPIA, and South Africa's interpretive tools and jurisprudence, it is clear that consent must be specific. However, there may be instances where the use of broad consent (as defined in the DoH Guidelines) will allow responsible parties to re-use data in terms of POPIA's research exemptions in sections 15 and 27; but much will depend on the wording of that consent.

Going forward, when data are collected a responsible party must have an explicitly defined purpose set out as a basis for collecting that data, and as a point of departure, specific consent ought to be obtained as a matter of best practice to ensure compliance.

In the months to come the Regulator will approve a code of conduct for research that will provide further insight into how responsible parties ought to conduct themselves. It is also hoped, to the extent that it may be required after publication of a code of conduct, that the Regulator will produce a guidance note on the various issues of contention, and provide leadership and guidance in this dynamic and quickly evolving area that is so critical to the advancement of humankind. As it currently stands, POPIA does not represent a roadblock to research, but rather it places obligations on parties to deal with data responsibly and reasonably and therefore acts as an enabler of privacy by balancing that right with the free flow of information.

Bibliography

Literature

Adams et al 2021 S Afr J Sci

Adams R et al "POPIA Code of Conduct for Research" 2021 S Afr J Sci https://doi.org/10.17159/sajs.2021/10933

Britz and Le Roux-Kemp 2012 SAMJ

Britz R and Le Roux-Kemp A "Voluntary Informed Consent and Good Clinical Practice for Clinical Research in South Africa: Ethical and Legal Perspectives" 2012 SAMJ 746-748

Burchell 2009 EJCL

Burchell J "The Legal Protection of Privacy in South Africa: A Transplantable Hybrid" 2009 EJCL 1-26

Burns and Burger-Smidt Commentary on the Protection of Personal Information Act

Burns Y and Burger-Smidt A A Commentary on the Protection of Personal Information Act (LexisNexis Durban 2018)

Buthelezi 2013 De Jure

Buthelezi C "Let False Light (Publicity) Shine Forth in South African Law" 2013 De Jure 783-797

Chima 2013 BMC Medical Ethics

Chima SC "Evaluating the Quality of Informed Consent and Contemporary Clinical Practices by Medical Doctors in South Africa: An Empirical Study" 2013 BMC Medical Ethics https://doi.org/10.1186/1472-6939-14-S1-S3

Dankar et al 2020 CSBJ

Dankar F et al "Dynamic-Informed Consent: A Potential Solution for Ethical Dilemmas in Population Sequencing Initiatives" 2020 CSBJ 913-921

De Stadler and Esselaar Guide to the Protection of Personal Information Act

De Stadler P and Esselaar Y A Guide to the Protection of Personal Information Act (Juta Cape Town 2015)

DoH Ethics in Health Research

Department of Health Ethics in Health Research: Principles, Processes and Structures 2nd ed (Department of Health Pretoria 2015)

Larsen Data Privacy Protection

Larsen C Data Privacy Protection in South Africa: An Analysis of Vicarious Liability in Light of the Protection of Personal Information Act 4 of 2013 ("POPIA") (LLM-dissertation University of KwaZulu-Natal 2019)

Manyonga et al 2014 SAMJ

Manyonga H et al "From Informed Consent to Shared Decision-Making" 2014 SAMJ 561-562

McQuoid-Mason "Privacy"

McQuoid-Mason D "Privacy" in Woolman S and Bishop M (eds) Constitutional Law of South Africa (Juta Cape Town 2008) ch 38

McQuoid-Mason 2000 Acta Juridica

McQuoid-Mason D "Invasion of Privacy: Common Law v Constitutional Delict – Does It Make a Difference?" 2000 Acta Juridica 227-261

Millard and Bascerano 2016 PELJ

Millard D and Bascerano EG "Employers' Statutory Vicarious Liability in terms of the Protection of Personal Information Act" 2016 PELJ 1-38

Moore and Slabbert 2013 SAJBL

Moore W and Slabbert M "Medical Information Therapy and Medical Malpractice Litigation in South Africa" 2013 SAJBL 60-63

Naude and Papadopoulos 2016 THRHR

Naude A and Papadopoulos S "Data Protection in South Africa: The Protection of Personal Information Act 4 of 2013 in Light of Recent International Developments (Part 1)" 2016 THRHR 51-68

Neethling 2005 SALJ

Neethling J "The Concept of Privacy in South African Law" 2005 SALJ 18-28

Neethling 2012 THRHR

Neethling J "Features of the Protection of Personal Information Bill, 2009 and the Law of Delict" 2012 THRHR 241-255

Neethling, Potgieter and Visser Neethling's Law of Personality

Neethling J, Potgieter JM and Visser PJ Neethling's Law of Personality (Butterworths Durban 2005)

Nordling 2019 Science

Nordling L "South African Law May Impede Human Health Research" 2019 Science 802

Roos 2006 CILSA

Roos A "Core Principles of Data Protection Law" 2006 CILSA 102-130

Roos 2007 SALJ

Roos A "Data Protection: Explaining the International Backdrop and Evaluating the Current South African Position" 2007 SALJ 400-433

Roos 2020 CILSA

Roos A "The European Union's General Data Protection Regulation (GDPR) and its Implications for South African Data Privacy Law: An Evaluation of Selected 'Content Principles'" 2020 CILSA 1-37

Roos "Data Privacy Law"

Roos A "Data Privacy Law" in Van der Merwe DP et al (eds) Information and Communications Technology Law (LexisNexis Durban 2016) 363-487

SALRC Project 124 – Discussion Paper 109

South African Law Reform Commission Project 124: Privacy and Data Protection – Discussion Paper 109 (SALRC Pretoria 2005)

SALRC Project 124 – Issue Paper 24

South African Law Reform Commission Project 124: Privacy and Data Protection – Issue Paper 24 (SALRC Pretoria 2003)

SALRC Project 124 – Report

South African Law Reform Commission Project 124: Privacy and Data Protection – Report (SALRC Pretoria 2009)

Staunton et al 2019 SAMJ

Staunton C et al "Safeguarding the Future of Genomic Research in South Africa: Broad Consent and the Protection of Personal Information Act No 4 of 2013" 2019 SAMJ 468-470

Staunton and De Stadler 2019 SAMJ

Staunton C and De Stadler E "Protection of Personal Information Act No 4 of 2013: Implications for Biobanks" 2019 SAMJ 232-234

Stein 2020 SAJBL

Stein C "Consent in Health Research with Incapacitated Adults in a Time of Pandemic: The National Health Research Ethics Council Needs to Urgently Reassess Its Guidelines" 2020 SAJBL 29-33

Stevenson National Health Act Guide

Stevenson S (ed) The National Health Act Guide 3rd ed (Siber Ink Cape Town 2019)

Thaldar and Townsend 2020 SAMJ

Thaldar D and Townsend B "Genomic Research and Privacy: A Response to Staunton et al" 2020 SAMJ 172-174

Townsend and Thaldar 2019 SAJHR

Townsend BA and Thaldar DW "Navigating Uncharted Waters: Biobanks and Informational Privacy in South Africa" 2019 SAJHR 329-350

Woolman and Botha "Limitations"

Woolman S and Botha H "Limitations" in Woolman S and Bishop M (eds) Constitutional Law of South Africa (Juta Cape Town 2008) ch 34

Young Privacy

Young JB Privacy (Wiley Chichester 1978)

Case law

Akoo v Master of the High Court (5612/11) [2012] ZAKZPHC 45 (31 July 2012)

Bato Star Fishing (Pty) Ltd v Minister of Environmental Affairs and Tourism 2004 4 SA 490 (CC)

Bernstein v Bester 1996 2 SA 751 (CC)

Bertie Van Zyl (Pty) Ltd v Minister for Safety and Security 2010 2 SA 181 (CC)

Castell v De Greef 1994 4 SA 408 (C)

Centre for Child Law v Media 24 Limited 2020 4 SA 319 (CC)

Dawood v Minister of Home Affairs 2000 3 SA 936 (CC)

Investigating Directorate: Serious Economic Offences v Hyundai Motor Distributors (Pty) Ltd 2001 1 SA 545 (CC)

Jansen Van Vuuren v Kruger 1993 4 SA 842 (A)

Kidson v South African Associated Newspapers 1957 3 SA 461 (W)

Mistry v Interim National Medical and Dental Council 1998 4 SA 1127 (CC)

National Coalition for Gay and Lesbian Equality v Minister of Justice 1999 1 SA 6 (CC)

National Media Limited v Jooste 1996 3 SA 262 (SCA)

O'Keeffe v Argus Printing and Publishing Co Ltd 1954 3 SA 244 (C)

Richter v Estate Hamman 1976 3 SA 226 (C)

Stoffberg v Elliott 1923 CPD 148

Stopforth v Minister of Justice 2000 1 SA 113 (SCA)

Universiteit van Pretoria v Tommie Meyer Films (Edms) Bpk 1977 4 SA 376 (T)

Legislation

Constitution of the Republic of South Africa, 1996

Consumer Protection Act 68 of 2008

Electronic Communications and Transactions Act 25 of 2002

Health Professions Act 56 of 1974

National Credit Act 32 of 2005

National Health Act 61 of 2003

Promotion of Access to Information Act 2 of 2000

Protection of Personal Information Act 4 of 2013

Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002

South African Medical Research Council Act 58 of 1991

Government publications

GN 10173 in GG 37544 of 11 April 2014

GN 11136 in GG 43461 of 22 June 2020

GN 1383 in GG 42110 of 14 December 2018

GN 719 in GG 41781 of 20 July 2018 (Material Transfer Agreement of Human Biological Materials)

GN 912 in GG 37067 of 26 November 2013

GN R719 in GG 38000 of 19 September 2014

Internet sources

Bhageshpur 2019 https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/?sh=70a690ce7304

Bhageshpur K 2019 Data is the New Oil -- and That's a Good Thing https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/?sh=70a690ce7304 accessed 18 May 2021

HPCSA date unknown https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf

Health Professions Council of South Africa date unknown Ethical Guidelines for Good Practice in the Health Care Professions https://www.hpcsa.co.za/Uploads/Professional_Practice/Ethics_Booklet.pdf accessed 18 May 2021

Information Regulator 2021 https://www.justice.gov.za/inforeg/

Information Regulator (South Africa) 2021 Home https://www.justice.gov.za/inforeg/ accessed 18 May 2021

LII date unknown https://www.law.cornell.edu/wex/right_to_privacy

Legal Information Institute date unknown Right to Privacy – Definition from Nolo's Plain-English Dictionary https://www.law.cornell.edu/wex/right_to_privacy accessed 18 May 2021

National Human Genome Research Institute 2021 https://www.genome.gov/about-genomics/fact-sheets

National Human Genome Research Institute 2021 Fact Sheets About Genomics https://www.genome.gov/about-genomics/fact-sheets accessed 18 May 2021

Nolo 2021 https://www.nolo.com/dictionary/privacy-term.html

Nolo 2021 Privacy https://www.nolo.com/dictionary/privacy-term.html accessed 18 May 2021

Parkins 2017 https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

Parkins D 2017 The World’s Most Valuable Resource is No Longer Oil, but Data https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data accessed 18 May 2021

SAMA 2012 https://www.samedical.org/images/attachments/guideline-on-informed-consent-jul012.pdf

South African Medical Association 2012 Guidelines: Informed Consent https://www.samedical.org/images/attachments/guideline-on-informed-consent-jul012.pdf accessed 18 May 2021

SAMRC 2018 https://www.samrc.ac.za/sites/default/files/attachments/2018-06-27/ResponsibleConductResearchGuidelines.pdf

South African Medical Research Council 2018 The South African Medical Research Council Guidelines on the Responsible Conduct of Research https://www.samrc.ac.za/sites/default/files/attachments/2018-06-27/ResponsibleConductResearchGuidelines.pdf accessed 18 May 2021

List of Abbreviations

ASSAf         Academy of Science of South Africa
CILSA         Comparative and International Law Journal of Southern Africa
CPA           Consumer Protection Act 68 of 2008
CSBJ          Computational and Structural Biotechnology Journal
DoH           Department of Health
ECT Act       Electronic Communications and Transactions Act 25 of 2002
EJCL          Electronic Journal of Comparative Law
HPA           Health Professions Act 56 of 1974
HPCSA         Health Professions Council of South Africa
LII           Legal Information Institute
MTA           Material Transfer Agreement
NCA           National Credit Act 32 of 2005
NHA           National Health Act 61 of 2003
NHREC         National Health Research Ethics Council
PAIA          Promotion of Access to Information Act 2 of 2000
PELJ          Potchefstroom Electronic Law Journal
POPIA         Protection of Personal Information Act 4 of 2013
RICA          Regulation of Interception of Communications and Provision of Communication-Related Information Act 70 of 2002
S Afr J Sci   South African Journal of Science
SAJBL         South African Journal of Bioethics and Law
SAJHR         South African Journal on Human Rights
SALJ          South African Law Journal
SALRC         South African Law Reform Commission
SAMA          South African Medical Association
SAMJ          South African Medical Journal
SAMRC         South African Medical Research Council
SAMRC Act     South African Medical Research Council Act 58 of 1991
THRHR         Tydskrif vir Hedendaagse Romeins-Hollandse Reg