Exempting Health Research from the Consent Provisions of POPIA

D Thaldar* and B Townsend**

Online ISSN 1727-3781

PER / PELJ - Pioneer in peer-reviewed, open access online law publications

Authors Donrich Thaldar Beverley Townsend

Affiliation University of KwaZulu-Natal South Africa

Email ThaldarD@ukzn.ac.za and TownsendB@ukzn.ac.za

Date Submission 15 March 2021

Date Revised 24 May 2021

Date Accepted 24 May 2021

Date published 15 June 2021

Section Editor Mr M Laubscher

How to cite this article

Thaldar DW and Townsend BA "Exempting Health Research from the Consent Provisions of POPIA" PER / PELJ 2021(24) -DOI http://dx.doi.org/10.17159/17273781/2021/v24i0a10420

Copyright

Abstract

The Protection of Personal Information Act 4 of 2013 (hereafter POPIA) has the potential to disrupt health research in South Africa. While the legal status quo is that broad consent by research participants is acceptable, POPIA requires specific consent for any processing of research participants' health and genetic information. However, POPIA offers mechanisms such as an exemption from specified measures which can potentially be used to ameliorate its impact. It is proposed that the health research sector should seek to utilise these mechanisms – in particular, a sector-wide exemption of all health research projects from the requirement of specific consent by research participants, subject to the conditions that: (a) a health research project must be approved by a health research ethics committee, and that (b) either specific, broad or tiered consent must be obtained for a health research project. Importantly, it would be counter-productive to approach such an application for exemption from the perspective of inconvenience for health researchers. Instead, an application for exemption must be approached from a human rights platform, and must be supported by solid evidence. Such evidence should include the results of empirical studies of South African research participants' preferences.

Keywords

Code of conduct; consent; exemption; POPIA; privacy;

Protection of Personal Information Act.

……………………………………………………….

DOI

http://dx.doi.org/10.17159/17273781/2021/v24i0a10420

1 Introduction

Like a fox in a chicken coop, the Protection of Personal Information Act (POPIA)1 has caused consternation among some scientists, bioethicists, and biolawyers.2 Until recently the issue of acceptable modes of informed consent seemed to have been settled on a position that either specific, broad, or tiered consent is acceptable in South Africa. By contrast, as we discuss below, POPIA requires consent to be specific, and for such specific consent to be obtained for various actions that are part of health research, such as the storage and sharing of research information. This has raised concerns that health research in South Africa and with South African collaborators abroad may be impeded.3 One concern in particular is about large biobanks of specimens and data that were built up in the past without specific consent. Can these specimens and data still be used for new research projects, or would research participants who donated years ago need to be traced and "reconsented"?

In this article we show that POPIA itself offers possible solutions to these problems. Moreover, we show that the possible solutions offered by POPIA can for the most part be embedded in South Africa's well-established and comprehensive regulatory framework for health research. The perceived fox may actually be a guard dog.

2 Background: Modes of consent

From the researcher's perspective, the most convenient type of consent is "blanket consent", where no study is defined, and where no restrictions are placed on the kind of research that can be conducted. However, this type of consent provides the least information to the participant. On the other side of the spectrum is "specific consent", where the participant consents only to a specific research project, and where any other actions with the participant's human biological material and associated data would require separate, new consent. This type of consent provides the most protection to the participant, while requiring the most effort by the researcher. Roughly in the middle of the spectrum is "broad consent", which entails that the participant consents to a defined range of studies, which may be subject to certain restrictions. While the participant has more information about the kind of research that will be done than with blanket consent, this type of consent can open the door to an infinite number of further research projects (within the defined range) with the participant's human biological material and associated data.

* Donrich W Thaldar. BLC LLB MPPS (UP) PGDip (Oxon) PhD (UCT). Associate
Professor, School of Law, University of KwaZulu-Natal, Durban, South Africa. Email:
ThaldarD@ukzn.ac.za. ORCiD ID: https://orcid.org/0000-0002-7346-3490.
** Beverley A Townsend. BA LLB LLM PGDip LLM (cum laude) PhD (UCT) MSt in
Practical Ethics (Oxford University). Postdoctoral Research Fellow, School of Law,
University of KwaZulu-Natal, Durban, South Africa. (Subsequent to co-authoring this
article, Dr Townsend has taken up a new position as Research Fellow, Department
of Computer Science & School of Law, University of York, United Kingdom). Email:
bev.townsend@york.ac.uk: ORCiD ID: https://orcid.org/0000-0002-8486-6041
1 Protection of Personal Information Act 4 of 2013 (hereafter POPIA).
2 Nordling 2019 Science.
3 Nordling 2019 Science.

Against the background of these basic types of consent, more sophisticated models have evolved. First, "dynamic consent" refers to a personalised communication interface with each participant, allowing participants to opt-in or opt-out of further actions with their human biological material and associated data; it is "dynamic" because it allows interactions over time.4 Typically, dynamic consent models use websites or smartphones.5 As such, some have dismissed dynamic consent as unsuited for many African environments.6 However, we suggest that it is possible to conceive of a low-tech version of dynamic consent. For instance, ongoing engagement between a researcher and participants can be accomplished through text messaging with participants, or having physical meetings in communities.

Another more sophisticated consent model that has evolved is "tiered consent", which entails that participants are offered options regarding the scope of the research, the scope of sharing, and the storage of their human biological material and associated data. Tiered consent can therefore provide for blanket, broad, or specific consent options regarding all the elements of a researcher's agenda. While some view tiered consent as enabling participant autonomy,7 Ram8 points out that the choices offered by tiered consent become too multitudinous, which can cause information overload, leading to lower quality decision-making and hence undermining autonomy. The practical difficulty of managing a collection of human biological material and associated data that are subject to various combinations of participant permissions due to the use of a tiered consent model is also a matter of concern.9

4 Kaye et al 2015 Eur J Hum Genet.
5 Budin-Ljsne et al 2017 BMC Medical Ethics; Teare et al 2021 Eur J Hum Genet;
Nembaware et al 2019 Nature Genetics.
6 Nembaware et al 2019 Nature Genetics.
7 Nembaware et al 2019 Nature Genetics.
8 Ram 2007 Jurimetrics.

While the bioethics debate about the desirability of the different kinds of consent is ongoing,10 legal developments in South Africa are redefining the kinds of consent that researchers are legally required to obtain from participants in relation to the collection, research, storage, further research, and sharing of human biological material and associated data.

3 The pre-POPIA legal landscape relevant to health research

In this section we provide an overview of the pre-POPIA legal landscape in South Africa relevant to protecting health research participants in general and research participant consent in particular. We show that there is a robust legal framework already in existence to protect participants in health research, with a possible exception that is highlighted.

3.1 National Health Act

First, the oldest legal instrument relevant to the subject of protecting participants in health research is the National Health Act,11 enacted in 2003. Although the National Health Act does not provide which mode of consent is required (it provides, in section 55(a), only that there must be written consent for the provision of human biological material), it is relevant because it is the empowering legislation for several regulations that deal with consent in more detail.12

Also important is that the National Health Act establishes a system of compulsory review by a research ethics committee of all health research in South Africa.13 Every institution in South Africa that conducts health research is legally compelled either to have its own health research ethics committee, or to have access to a health research ethics committee that is registered with the National Health Research Ethics Council.14 These health research ethics committees have a statutory mandate to review health research proposals and protocols,15 and to approve those that comply with both its own ethical standards16 and the standards and norms determined by the National Health Research Ethics Council.17

9 H3Africa 2017 https://h3africa.org/wp-content/uploads/2018/05/H3A%202017%20
Revised%20IC%20guideline%20for%20SC%2020_10_2017.pdf.
10 Sheehan et al 2019 Public Health Ethics; Manson 2019 Journal of Medical Ethics.
11 National Health Act 61 of 2003 (hereafter the NHA).
12 Sections 55(b), 68(1)(c) and 68(1)(g) of the NHA.
13 Sections 69-73 of the NHA.
14 Section 73(1) of the NHA.

3.2 Regulations relating to Research with Human Participants

In 2014 the Regulations relating to Research with Human Participants18 were promulgated in terms of the National Health Act. These Regulations describe the information that must be communicated as part of a consent process. In particular the Regulations require that participants must be informed of the "purpose of the research".19 The implication is that the research must have some identifiable purpose, which appears to exclude the possibility of blanket consent. Given that the range of studies can have one unifying, broad purpose, broad consent appears to be acceptable under these Regulations. Tiered consent is also limited to exclude the option of consent to all kinds of research.

A noteworthy element of the Regulations relating to Research with Human Participants is that all research with human participants must comply with ethics guidelines issued by the Department of Health.20 This effectively gives ethics guidelines issued by the Department of Health the force of law at the level of secondary legislation. This leads our analysis to the next legal instrument.

3.3 Department of Health Ethics Guidelines

In 2015 the Department of Health issued the second edition of its ethics guidelines (Department of Health Guidelines).21 Given the provision in the Regulations relating to Research with Human Participants referred to above,22 the Department of Health Guidelines are legally binding on research institutes and researchers engaged in health research involving human participants. The Department of Health Guidelines were strongly influenced by Human Heredity and Health in Africa (H3Africa), as is evident from an explicit endorsement23 and a dozen references throughout the document. This is a matter of concern, as H3Africa does not have any democratic mandate from the people of South Africa: H3Africa is a "partnership" between American and British grantmaking institutions and African scientists who are actual and potential recipients of grants from these foreign grantmaking institutions.24 The Department of Health Guidelines reject blanket consent, and list three kinds of consent that are acceptable:25

15 Section 73(2)(a) of the NHA.
16 Section 73(2)(b) of the NHA.
17 Section 72(6)(c) of the NHA.
18 GN R719 in GG 38000 of 19 September 2014 (the Regulations relating to Research
with Human Participants).
19 Regulation 5 of the Regulations relating to Research with Human Participants.
20 Regulation 2(a) of the Regulations relating to Research with Human Participants.
21 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview.
22 Regulation 2(a) of the Regulations relating to Research with Human Participants.
23 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 12.

 "Narrow (restrictive) consent", which is described as "the donor permits use of the biological specimen for single use only; no storage of leftover specimen; and no sharing of data or specimen. This form necessitates new consent if further use is desirable". As such, this approximates to specific consent.

 Tiered consent, which is described as "the donor provides consent for the primary study and chooses whether to permit storage for future use, sample and data sharing". We suggest that this is an extremely limited and elementary version of tiered consent.

 Broad consent, which is described as "the donor permits use of the specimen for current research, for storage and possible future research purposes, even though the precise nature of future research may be unclear at present".

While these three kinds of consent are all acceptable, the Department of Health Guidelines make it clear that broad consent is preferred, by stating that research ethics committees should bear in mind "the vision of the H3Africa Initiative and its recommendation that consent should be 'broad enough to allow for future and secondary uses of data …'".26

3.4 South Africa's (standard) material transfer agreement

In 2018 the Minister of Health promulgated a standard material transfer agreement (hereafter the SA MTA) in the Government Gazette and gave notice that research institutions sharing human biological material for health research or clinical trials must have a material transfer agreement in place that uses the SA MTA as a framework.27 This legal development makes

24 National Institutes of Health 2020 https://www.fic.nih.gov/Funding/Pages/

collaborations-h3africa.aspx. 25 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 31. 26 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 31. 27 GN R719 in GG 41781 of 20 July 2018 (Material Transfer Agreement for Human

Biological Materials, hereafter the SA MTA).

South Africa unique in the world, as the only country to require the use of a standard material transfer agreement through national legislation and forces even parties outside South Africa to use the SA MTA when engaging in the transfer of human biological material to or from South Africa.28 It should be noted that because of the formulation of the Minister's notice in the Government Gazette, the SA MTA is triggered into application when human biological material (not data) is transferred, and then applies equally to human biological material and associated data.29 This means that if data is transferred alone (without human biological material), the SA MTA does not apply; however, if data is transferred together with its associated human biological material, the SA MTA applies to both the data and the human biological material. Also, the SA MTA applies to transfers out of, into and within South Africa.30

The SA MTA introduces its own consent requirements for research participants, which approximates to a form of dynamic consent: First, participants must consent to the "donation" of their human biological material and associated data for use in the research project, after which there must be an "ongoing information sharing process" to allow participants to consent to "whether and how" their human biological material and associated data will be used.31 The consent of research participants to further research is required "where reasonably possible".32 Also, before human biological material and the associated data can be transferred by the collecting/providing research institution to the recipient research institution, the research participants involved must consent to such transfer to the recipient research institution.33 Evidently, the SA MTA signals a departure from the preference expressed in the Department of Health Guidelines for broad consent. Where the provisions of these two pieces of secondary legislation are in conflict, the common law rule of interpretation that the more recent legislation will take precedence over the earlier legislation will apply.34 Accordingly, in cases where the SA MTA is applicable (namely whenever human biological material is transferred), the dynamic consent provisions of the SA MTA must be adhered to, despite existence of more lenient provisions that allow for broad and (elementary) tiered consent in the provisions of the Department of Health Guidelines.

28 Thaldar et al 2020 BMC Medical Ethics.
29 Thaldar et al 2020 BMC Medical Ethics.
30 Thaldar et al 2020 BMC Medical Ethics.
31 Paragraph 2.12 of the SA MTA.
32 Paragraph 4.3 of the SA MTA.
33 Paragraph 10.1 of the SA MTA.
34 New Modderfontein Gold Mining Company v Transvaal Provincial Administration
1919 AD 367 400.

For instance, assume hypothetically that tiered consent was used when collecting human biological material from research participants. Some research participants indicated that their human biological material and associated data can be stored, shared, and used for the purposes of future research. Although this consent is given, if the collecting research institution intends to actually share the human biological material and associated data with another research institution, it will first have to contact the research participants and: (a) obtain consent for the research project of the intended recipient research institution, and (b) obtain consent for the transfer, explicitly naming the intended recipient researcher institution. In other words, although the original tiered consent complied with the Department of Health Guidelines, it does not comply with the SA MTA. If there is any sharing of human biological material, there must be compliance with the provisions of the SA MTA.

The disruptor: Protection of Personal Information Act

In 2009 the Law Reform Commission noted that South Africa should more closely align itself with international developments in data protection, and recommended the development of a legal framework for heightened data protection in South Africa.35 As a result, four years later, in 2013, parliament enacted the Protection of Personal Information Act.36 It was entered into force only in stages, however. This was firstly to enable its enforcement mechanism, the Information Regulator, to be established, and secondly to afford sufficient opportunity to South African society to prepare to become compliant with POPIA. The provisions of POPIA that are relevant to research participant consent were thus technically entered into force on July 1, 2020,37 but given that POPIA contains a one-year grace period,38 actual enforcement will be from July 1, 2021.

35 SALRC Report on Privacy and Data Protection.
36 POPIA was influenced inter alia by the OECD Guidelines on the Protection of Priv acy
and Transborder Flows of Personal Data (1980) and the Convention for the
Protection of Individuals with regard to Automatic Processin g of Person al Data
(1981).
37 Proc R21 in GG 43461 of 22 June 2020.
38 Section 114(1) of POPIA.

4.1 Scope of application

POPIA applies to the processing of personal information entered in a record by or for a responsible party.39 The words "processing", "personal information", "record" and "responsible party" are all technical terms that are defined in POPIA:40

 "Processing" means any operation or activity concerning personal information, and includes inter alia the collection, receipt, recording, collation, storage, alteration, use, dissemination, distribution, erasure or destruction of such personal information.

 "Personal information" is defined to include a wide range of information, inter alia information relating to a person's physical or mental health, well-being, and biometric information; "biometrics" in turn is defined as a technique of personal identification that is based inter alia on DNA analysis.

 "Record" means any recorded information – regardless of form or medium.

 "Responsible party" means a public or private body or any other person which, alone or in conjunction with others, determines the purpose of and means of processing personal information.

Given these definitions, POPIA applies to a wide variety of actions that are typically entailed by a health research programme, ranging from the collection of a research participant's health information, recording a DNA analysis of a specimen taken from a research participant, storing such health information and biometric information, and conducting research on such information, to sharing such information.

It is also important to note that particular kinds of personal information are delineated as "special personal information", which includes inter alia information relating to a person's physical or mental health, well-being, and biometric information.41 Such special personal information therefore includes various forms of research data, including genetic information, and would be subject to certain additional requirements for its processing.42

39 Section 3(1) of POPIA.
40 Section 1 of POPIA.
41 Section 26 of POPIA.
42 Section 27 of POPIA.

An interesting and consequential question is whether a physical specimen itself –human biological material – falls within POPIA's scope of application. Although a specimen contains genetic information which qualifies as personal information, we suggest that POPIA does not apply to a specimen. POPIA applies only to personal information "entered in a record by or for a responsible party".43 We first analyse the word "record", followed by the phrase "by or for a responsible party":

 A "record" is defined as "any recorded information … regardless of form or medium …". However, the genetic information found in a

specimen is not recorded in such a specimen; rather, such information naturally occurs in such a specimen. The adjective "recorded" implies a preceding action of recording information, which is clearly not the case with the genetic information found in a specimen.

 Even if the specimen is arguendo assumed to qualify as a record, the

genetic information contained in the specimen had to be entered in it

"by or for a responsible party". Again, this is evidently not the case.

Accordingly, POPIA does not apply to a specimen that is collected for health research. However, when a specimen is collected for research, researchers would typically also collect information such as the participant's name and contact details, and sometimes also health information. This information that is associated with the specimen is personal information and falls within the regulatory ambit of POPIA. Once the genetic information is extracted from a specimen, and recorded, for instance on a computer hard drive, it enters into the regulatory ambit of POPIA.

Note that research information that has been de-identified to the extent that it cannot be re-identified is excluded from the scope of application of POPIA.44 Whether the nature of genomic data is such that it is capable of being de-identified, the conditions upon which such de-identifiability can be considered to be irreversible, the limitations on the controllability of genomic data once shared and its uses in perpetuity, the hereditary nature of genomic data and the inherent familial implications this might have, and the influence that contextual-specificity has on the ability to de-identify data are the subject of much recent debate.45 Challenges in obscuring the source of data and in the effectiveness of utilising de-identification strategies when

43 Section 3(1) of POPIA. 44 Section 6(1)(b) of POPIA. 45 Kaye 2012 Annu Rev Genomics Hum Genet; Vayena et al 2013 Science

Translational Medicine; Shabani and Marelliv 2019 EMBO Reports.

applied to genomic data remain unresolved. Importantly, as genomics research evolves, so it becomes increasingly difficult to appreciate the future extent of the information that might be extracted from sequenced genomic data and the risks this might pose if such information is disclosed.46 In addition, there may be ethical imperatives not to de-identify genomic data. During genomics research, researchers might incidentally discover that a certain research participant is at risk of a serious illness that could be avoided or better managed when treated early. In the event of such an "incidental finding", researchers must be able to identify and contact the relevant research participant. Accordingly, given that the de-identifiability of certain health research information may not be achievable, or might otherwise be undesirable, the provisions of POPIA are likely to apply to most health research projects in South Africa.

4.2 The meaning of "consent"

POPIA provides that consent means a "voluntary, specific and informed" expression of will.47 This requirement that consent must be specific must be contrasted with the status quo ante in South Africa, where the Department of Health Ethics Guidelines provided that either specific consent, tiered consent, or broad consent was acceptable.48 Since POPIA is primary legislation that supersedes the Department of Health Ethics Guidelines, the definition of consent contains the seed of the potential disruption of the way in which health research is conducted in South Africa – and has been the subject of some academic debate: Staunton et al49 and Staunton et al50 argue that POPIA allows for broad consent. We have serious reservations about the legal merits of Staunton et al's position. They purportedly base their argument on the legal doctrine of purposive interpretation, but fail to consider any South African case law on the actual meaning and application of purposive interpretation. We have proffered a full critique of Staunton et al's51 position and Staunton et al52 have replied. In brief, we suggest that it would be a misapplication of the legal doctrine of purposive interpretation to change the clear meaning of the word "specific" – as used in POPIA – to "broad". First because the Constitutional Court held that a "purposive reading of a statute must of course remain faithful to the actual wording of the statute"53 and second because purposive interpretation requires looking at the context of the statute as a whole.54 Cherry picking one aspect from among the statute's objectives is unhelpful. A more constructive approach to lessen the potential disruption that POPIA can cause to health research would be to use the mechanisms provided by POPIA itself. This is the approach that we adopt in this article.

46 Shabani and Borry 2015 Life Science, Society and Policy.
47 Section 1 of POPIA.
48 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 31.
49 Staunton et al 2019 SAMJ.
50 Staunton et al 2020 IDPL.
51 Thaldar and Townsend 2020 SAMJ; Townsend and Thaldar 2019 SAJHR.
52 Staunton et al 2020 SAMJ.

4.3 Conditions for the processing of personal information

POPIA sets out eight conditions for the processing of personal information: accountability; processing limitation; purpose specification; further processing limitation; information quality; openness; security safeguards; and data subject participation.55 Responsible parties, which would include researchers and research institutions, are required to ensure that all measures are taken to adhere to these processing conditions, unless one or more particular conditions have been specifically excluded or exempted from operation under specific provisions in POPIA.56 In the following paragraphs we highlight the pertinent ways in which POPIA's conditions for the processing of personal information are set to impact on health research in South Africa.

The Processing Limitation Condition provides that there must be a legal ground for the processing of personal information.57 Although there are six possible legal grounds for the processing of personal information, we suggest that the most likely ground to be applicable in the context of health research is consent by the "data subject".58 A "data subject" refers to the person whose personal information is processed59 – that is the research participant in the context of health research. In the light of the above definitions, this means that research participants must provide specific consent to each of the following processing actions: the collection of a research participant's health information; recording a DNA analysis of a specimen taken from a research participant; storing such health information and biometric information; conducting research on such information; and sharing such information. This clearly entails significantly more effort on the part of health researchers than was the case in the past, where research participants could provide once-off, broad consent to all these processing actions.

53 Bertie Van Zyl (Pty) Ltd v Minister for Safety and Security 2010 2 SA 181 (CC) para
22.
54 S v Zuma 1995 2 SA 642 (CC) para 15.
55 Chapter 3 s 4(1) of POPIA.
56 Sections 12, 14(2), 13, 15(3)(e), 18(1)-(4), 27(1)(d), 32(5) and 35(1)(d) of POPIA.
57 Section 11(1) of POPIA.
58 Section 11(1)(a) of POPIA.
59 Section 1 of POPIA.

While the Processing Limitation Condition deals with the processing of personal information in general, the Purpose Specification Condition focuses on two kinds of processing: collection for a specific purpose and the retention and restriction of personal information records.60 In the case of collection, it provides that such collection must be for a specific, explicitly defined and lawful purpose.61 This propounds the difficulties faced by health researchers discussed above. In the case of the retention of personal information, the Purpose Specification Condition provides that personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected. However, it also provides an exception that may be welcomed by health researchers, namely that personal information may be retained for research purposes if the researcher has established "appropriate safeguards" against the use of records for any other purposes.62

The Further Processing Limitation Condition requires any further processing of personal information to be compatible with the purpose for which it was collected.63 If the further processing is for "historical, statistical or research purposes" it is deemed to be compatible, provided that it is carried out solely for such "historical, statistical or research purposes" and that the personal information may not be published in any identifiable form.64 However, the Further Processing Limitation Condition seems to imply that if the initial collection of personal information was not for a specific, explicitly defined and lawful purpose (as required by the purpose specification condition), further processing of personal information would eo ipso be unlawful.65 This poses a problem for health researchers who wish to use historical data, if such data was originally collected using broad or tiered consent. The implication would be that using data contained in a biobank that was developed in the past using broad (not specific) consent would not be legally permissible. All the original research participants would have to be contacted anew to provide (specific) consent in terms of POPIA.

60 Sections 13 and 14 of POPIA.
61 Section 13 of POPIA.
62 Section 14 of POPIA.
63 Section 15 of POPIA.
64 Section 15(3)(e) of POPIA.
65 Section 15(1) of POPIA.

The Security Safeguards Condition provides – in the context of health research – that a health research institution must secure the confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent inter alia unlawful access to or the processing of personal information and notifying the Information Regulator and the research participant (the data subject) of any compromises of security.66

Lastly, the Data Subject Participation Condition67 provides that a data subject has the right inter alia to request from a health research institution the record or a description of the personal information about the research participant held by the health research institution, including information about the identity of all third parties (other research institutions) who have, or have had, access to the information. The research participant (the data subject) may also request the correction or deletion of personal information.

4.4 Exemption from the conditions

The Information Regulator may grant an exemption from having to adhere to any one or more of the eight conditions for the processing of personal information, if the Regulator is satisfied that the public interest in the processing outweighs to a substantial degree any interference with the privacy of the data subject that could result from such processing.68 For the purposes of considering an exemption, the public interest includes "historical, statistical or research activity".69 Although this provision would clearly assist health researchers over the first hurdle to qualify for an exemption, the second hurdle still poses a significant challenge – namely that such public interest must, when balanced against the privacy interest of the data subject, be found to outweigh the individual's privacy interest to a substantial degree. This suggests that mere inconvenience (or lack of expediency) to the researcher of complying with the existing conditions will not suffice as a reason for granting an exemption. We analyse these aspects below in more detail.

In the context of a possible exemption from the consent requirements contained in POPIA's processing conditions, one may compare POPIA to the "gold standard" of the regulation of data protection, namely the European Union's General Data Protection Regulation (hereafter the GDPR).70 Note for clarity that although the GDPR is not legally binding in South Africa, the levels of protection contained within the GDPR follow European Union personal data wherever it should find itself globally and may have an impact on South African research institutions.71 While there are significant similarities between the GDPR and POPIA, differences are also to be noted. While the GDPR generally requires consent to be specific

66 Sections 19–22 of POPIA.
67 Sections 23–25 of POPIA.
68 Section 37(1)(a) of POPIA.
69 Section 37(2)(e) of POPIA.

– as does POPIA – the GDPR contains an exception for scientific research that is not present in POPIA: Recital 33 of the GDPR relaxes the specificity requirements of Article 4(11) regarding the scope of consent for scientific research. POPIA does not contain an equivalent of Recital 33. As analysed above, POPIA allows for the further processing of personal information for research purposes without the requirement of consent in certain circumstances, but subject to obtaining specific consent at the time of data collection.72 The only way to relax this requirement is to approach the Information Regulator for an exemption from the consent requirements contained in POPIA's processing conditions. We discuss this is more detail below.

4.5 Processing of special personal information

In addition to the eight conditions for the processing of personal information, the requirements for processing special personal information are also likely to apply to health research and therefore constitute an extra layer of regulation that must be adhered to by health researchers. Special personal information may not be processed, unless one of the grounds for processing special personal information is present.73 Although the list of possible legal grounds for processing special personal information is different from the list of possible legal grounds for processing personal information in general, there is also an overlap – most pertinently, consent by the research participant.74 Accordingly, if specific consent for a certain processing action has been obtained, it provides sufficient legal ground for processing the relevant health information and biometric information, both as personal information and as special personal information. However, as mentioned above, obtaining specific consent for each processing action may pose significant challenges to health researchers.

70 General Data Protection Regulation 679/2016 (hereafter GDPR). 71 Townsend 2021 Information & Communications Technology Law. 72 Sections 13, 15(3)(e) and 15(3)(f) of POPIA. 73 Section 27(1) of POPIA. 74 Section 27(1)(a) of POPIA.

The possible legal grounds for processing special personal information include a unique legal ground that would entail significantly less effort by health researchers than obtaining specific consent for every act of processing, and may therefore be more appealing – namely that "processing is for historical, statistical or research purposes".75 This legal ground may be relied upon if one of two conditions are met: (a) the purpose serves a public interest and the processing is necessary for that purpose, or (b) it appears to be impossible or would involve a disproportionate effort to ask for consent to such processing, and sufficient guarantees are provided to ensure that the processing does not adversely affect the data subject's privacy to a disproportionate extent. We refer to (a) above as the public-interest condition, and the (b) above as the disproportionate-effort condition.

We first consider the disproportionate-effort condition. Obtaining consent from thousands of research participants each time that an intended new processing action is planned would entail significant effort, especially if the data was collected years before and the research participants' contact details could have changed. (Certain research participants might even have died, making POPIA inapplicable to their data.)76 The financial cost of attempting to contact research participants all over again may have a debilitating effect on the budget of a health research project. As such, it might, depending on the facts of a specific case, convincingly be argued that obtaining consent would entail disproportionate effort. However, health research projects differ widely in terms of the variables that contribute to the amount of effort it would take to obtain consent from research participants, and in terms of the resources available to obtain consent from research participants. In the case of some health research projects, it may be significantly less effort to obtain consent from the research participants. Accordingly, although the disproportionate-effort condition might in certain cases be relevant, it does not provide a general solution for all health research. It should also be noted that even if a specific health research project can demonstrate that it meets the disproportionate-effort condition, this enables only the "historical, statistical or research purposes" legal ground for processing special personal information. It does not affect the

75 Section 27(1)(d) of POPIA.

76 Section 3(1) provides that POPIA applies to "personal information", which is defined in section 1 as information relating inter alia to a living, natural person. Accordingly, POPIA does not apply to information relating to the deceased.

processing conditions for processing research information qua personal information in general.

Next we consider the public-interest condition. It should be noted that, unlike the context of an exemption from the processing conditions, in the context of the processing of special personal information, processing for historical, statistical or research purposes is not deemed to automatically serve a public interest. Accordingly, for health researchers to rely on the "historical, statistical or research purpose" legal ground for processing special personal information by meeting the public-interest condition, it would need to be demonstrated that health research in fact serves a public interest. For guidance on how this should be demonstrated, we next investigate how public interest has historically been interpreted.

4.6 Public interest

Given the recency of POPIA's coming into force, it is too early to have case law on the meaning of public interest in the context of POPIA. However, the concept "public interest" is used in other statutes. The meaning of "public interest" in the Liquor Act,77 in particular, has been the subject of litigation, and can be instructive to how public interest will be interpreted in the context of POPIA. The Liquor Act provides that the Liquor Board "shall not grant an application … for any licence unless … the granting of the licence is in the public interest."78 Three principles have crystalised in case law regarding the interpretation of public interest in this context.79

The first principle is that the "public" whose interest is to be served need not be widely representative of the general public. This interpretive principle can find fruitful application when considering health research in the POPIA context. It would mean inter alia that to qualify as being in the public interest a particular health research project need not aim to contribute to finding healthcare solutions for a health problem that affects most or many people in South Africa. Rather, it is entirely acceptable for the health research project to focus on a health problem that affects only a particular small group within the broader South African population.

77 Liquor Act 27 of 1989. Repealed by the Liquor Act 59 of 2003. 78 Section 22(2)(d)(ee) of the Liquor Act 27 of 1989. 79 Maharaj v Chairman, Liquor Board 1997 1 SA 273 (N); Asko Beleggings v Voorsitter

van die Drankraad 1997 2 SA 57 (NC); Hartswater Hotels BK v Drankraad van die Noord-Kaap 2003 ZANCHC 30 (28 March 2003); CJW Marketing CC v Limpopo Provincial Liquor Board 2008 ZAGPHC 403 (12 December 2008).

The second principle is that being in the "public interest" means that the public would be "better served" if the applicant for a liquor licence were granted the licence than if the existing state of affairs were to continue. How would this principle apply to health research in the POPIA context? We suggest that if a health research project offers potential healthcare solutions for a particular group of persons within the broader South African population, such group is evidently "better served" by potential healthcare solutions than by the lack thereof. Given that health research per definition seeks to find potential healthcare solutions, satisfying this condition seems almost assured, with the only potential hurdle being that such potential healthcare solutions must be aimed at a group of persons in the broader South African population. However, from a legal perspective this should always be the case – at least when research participants are involved: The Regulations relating to Research with Human Participants80 provide that health research that involves research participants must inter alia be responsive to health needs or priorities of the population, the participating community, or the proposed participants.

The third principle regarding the interpretation of "public interest" that has crystalised in case law is that public interest should not be equated with the national interest but rather with the interest of inhabitants in the areas for which the liquor licence is sought, or visitors to that area. While a liquor licence is defined by a certain geographic area in South Africa, health research can also focus on the inhabitants of a certain geographic area, but we suggest that such a geographic focus is incidental and that health research is best defined by its purpose in terms of the health problem, such as HIV, for which a solution is sought. Therefore, while the persons who are the intended beneficiaries of a particular health research project are not necessarily confined to a specific geographic area but may be dispersed all over South Africa, they can be considered to be a distinct group of persons, such as HIV-positive persons. It follows that when applied to health research in the POPIA context, the third interpretative principle is very similar to the first principle (perhaps with a difference in nuance). To qualify as being in the public interest, a particular health research project need not aim to contribute to finding healthcare solutions that would be in the national interest. Rather, it is entirely acceptable that the health research project focuses on a health problem that affects only a particular small group in the broader South African population.

GN R719 in GG 38000 of 19 September 2014.

Considering the analysis above of the three principles that have crystalised in case law regarding the interpretation of public interest, we suggest that there should be little doubt that health research in general qualifies as being in the public interest. Note that although this conclusion provides health researchers with a legal ground for processing research information qua special personal information, it is not dispositive of the issue of an exemption from the processing conditions for processing research information qua personal information in general. We analyse the issue of an exemption in more detail below.

A possible counter-argument to our conclusion that health research in general qualifies as being in the public interest is the following: what about health research that is exploitative or could lead to stigma or discrimination? Would such health research be in the public interest? The problem with this counter-argument is that it assumes that health research in South Africa can be exploitative or could lead to stigma or discrimination. This assumption requires some analysis. As discussed above, South Africa has a system of compulsory research ethics committee review of all intended health research.81 Health research ethics committees apply not only their own ethical guidelines,82 but also the standards and norms determined by the National Health Research Ethics Council.83 This system was designed as a safety mechanism to ensure that intended research that would be exploitative or that would lead to stigma or discrimination is not allowed to proceed. Accordingly, the concern that health research in South Africa can be exploitative or could lead to stigma or discrimination is already comprehensively addressed by the existing health research regulatory framework. Accordingly, we suggest that this counter-argument can be dismissed with confidence.

4.7 Cross-border transfers

POPIA has specific provisions dealing with cross-border transfers.84 There is a general provision for the cross-border transfer of personal information,85 and an additional provision for the cross-border transfer of special personal information.86 The general provision has the effect in the health research context that a South African health research institute may transfer personal information to a research institute in a foreign country only if a legal ground for such transfer is present.87 Relevant legal grounds would be: (a) consent by the research participant (which must be specific, hence excluding broad and tiered consent), or (b) an adequate level of protection for the processing of personal information by either the law in the relevant foreign country or by an agreement between the two research institutes.88

81 Sections 69-73 of the NHA.
82 Section 73(2)(b) of the NHA.
83 Section 72(6)(c) of the NHA.
84 Sections 57(1)(d) and 72 of POPIA.
85 Section 72 of POPIA.
86 Section 57(1)(d) of POPIA.

An important question arises in this context – namely, whether the SA MTA provides an adequate level of protection and can therefore be used as an alternative for consent to comply with POPIA's general provision for the cross-border transfer of personal information. We suggest not. The data protection provisions contained in the SA MTA are rather exiguous and clearly not on a par with those of POPIA.89 In order to provide an adequate level of protection, the data protection provisions in a binding agreement must offer at least "substantially similar" protection to the protection afforded by POPIA.90

Apart from the general provision for the cross-border transfer of personal information, the additional provision for the cross-border transfer of special personal information is also likely to be applicable in the context of health research.91 This additional provision entails that when a South African health research institute intends to transfer health information and biometric information to a research institute in a foreign country that does not provide an adequate level of protection, the South African health research institute must obtain prior authorisation for the intended transfer from the Information Regulator.92 However, there is an important exception to the legal requirement for obtaining prior authorisation: if the Information Regulator has approved a code of conduct for the relevant sector, such as the health research sector, the need for prior authorisation is obviated.93

4.8 Unique identifiers and the linking of information

In the same way in which the cross-border transfer of special personal information is made subject to prior authorisation from the Information Regulator, so too is a situation where a "unique identifier" (that is an identifier assigned to a particular research participant and which uniquely identifies such a participant)94 is processed for a purpose other than the purpose for which the identifier was specifically intended at collection, and such processing entails linking the identifier together with information processed by another responsible party.95 In the health research context this would often be the case with collaborative research projects. Whenever a research institute embarks on a new research project which entails combining some of its existing research data that include unique identifiers with research data contributed by one or more other research institutes, the prior authorisation provision of POPIA would be triggered. Again, the requirement for prior authorisation can be averted if the Information Regulator has approved a code of conduct for the health research sector.96

87 Section 72 of POPIA.
88 Section 72 of POPIA.
89 Thaldar et al 2020 BMC Medical Ethics.
90 Section 72 of POPIA.
91 Section 57(1)(d) of POPIA.
92 Section 57(1)(d) of POPIA.
93 Section 57(3) of POPIA.

We provide a graphic illustration that summarises POPIA's provisions from the perspective of health research in the figure below.97

5 Proposed solution

In the light of our analyses above, there are clearly a number of levers that can be pulled within the POPIA legal framework that, if successful and properly executed, would in the long term save health researchers significant time and effort, while still protecting the privacy rights of health research participants. To this effect, we propose that the health research sector, including both private and public research institutes that conduct health research, should take the following actions:

1) Apply to the Information Regulator for a sector-wide exemption of all health research projects from the requirement that research participant consent must be for a specific purpose –subject to the conditions that:

94 Section 1 of POPIA. 95 Section 57(1)(a) of POPIA. 96 Section 57(3) of POPIA. 97 Also see the supplementary page where a clearer picture is provided. Follow this

link: https://perjournal.co.za/article/view/10420/16719

  • a) in compliance with the National Health Act 61 of 2003 a health research project must be approved by a health research ethics committee, and that
  • b) in compliance with the Department of Health Ethics Guidelines,98 either specific, broad or tiered consent must be obtained for a health research project.
  • 2) Apply to the Information Regulator to issue a sector-wide code of conduct that inter alia includes the following provisions:

  • a) a confirmation that all health research is in the public interest, and
  • b) a general authorisation of all transfers of health information and biometric information to research institutions in foreign jurisdictions, on condition that such transfer must be done in terms of a written agreement that includes specified standard privacy clauses,
  • c) a general authorisation for combining research data that include unique identifiers with research data contributed by collaborating research institutes, on condition that such combining must be done in terms of a written agreement that includes specified standard privacy clauses.
  • If the Information Regulator grants the exemption and issues the code of conduct, the net effect would be that the status quo ante POPIA regarding consent to health research can continue, while the SA MTA's weakness regarding data protection will be compensated for by requiring the inclusion of standard privacy clauses – either as part of a material transfer agreement that is based on the SA MTA, or in a separate data transfer agreement – that will contractually ensure that research collaborators are bound to the protection of privacy on a par with POPIA. In other words, our proposal is aimed at avoiding significant disruption by relying on the robust aspects of the existing health research regulatory framework, while complementing it where there is a weakness.

    Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview.

    5.1 Can an exemption be justified?

    To justify an exemption from any aspect of the processing conditions, the Information Regulator must be persuaded that the public interest in the processing outweighs to a substantial degree any interference with the privacy of research participants that could result from such processing.99 As discussed above, in the context of an exemption health research would automatically qualify as serving the public interest.100 However, it is not self-evident that the public interest substantially outweighs any interference with the privacy of research participants. We suggest that an argument in support of the public interest substantially outweighing any interference with the privacy of research participants may be constructed along the following lines. Health research aims to provide new and improved solutions for health problems. Improved health promotes autonomy, and (because autonomy is perceived as a "vital part" of human dignity)101 therefore also human dignity. Human dignity is entrenched as both a founding value and an enforceable right in the Constitution.102 Improved health through health research also links with a variety of other human rights that are enumerated in the Constitution, including the right to freedom of scientific research103 and the right to access to healthcare.104 Accordingly, when doing a human rights analysis, health research should clearly be allocated significant weight in any balancing exercise.

    On the other hand, the privacy of research participants is in principle equally deserving of significant weight in a balancing exercise. After all, the right to privacy is an enumerated right in the Constitution.105 Furthermore, like improved health, privacy also links with autonomy and human dignity.106 However, one needs not only to consider privacy in the abstract but also to investigate the nature of the actual, concrete interference in privacy. The interference in this case would be that instead of specific consent to each action in the health research endeavour (the collection of a research participant's health information; recording a DNA analysis of a specimen taken from a research participant; storing such health information and

    99 Section 37(1)(a) of POPIA. 100 Section 37(2)(e) of POPIA. 101 Barkhuizen v Napier 2007 5 SA 323 (CC) para 57. 102 Sections 1(a), 7(1), 10, 36(1) and 39(1)(a) of the Constitution of the Republic of

    South Africa, 1996 (hereafter the Constitution). 103 Section 16(1)(d) of the Constitution. 104 Section 27(1)(a) of the Constitution. 105 Section 14 of the Constitution. 106 British American Tobacco South Africa (Pty) Ltd v Minister of Health 2012 3 All SA

    593 (SCA) para 13.

    biometric information; conducting research on such information; and sharing such information), specific, tiered, or broad consent by research participants (as per the Department of Health Ethics Guidelines107) would be deemed legally sufficient to proceed with all these typical actions in the health research endeavour (notably absent cross-border transfer, which entails additional requirements). The question is therefore how significant the interference with privacy would be if the consent of the research participant is non-specific (tiered or broad) rather than specific?

    Although there is a considerable body of literature on ethics about which mode of consent is preferable, we suggest that engaging in this debate would be of little if any assistance in attempting to answer the above question in a legal context, as it will probably be viewed as too abstract and contentious. To illustrate, consider the following example. While it can be argued that specific consent respects the autonomy of research participants because their consent must be obtained each time an action in the health research endeavour with their personal information is planned, it can be counter-argued that contacting a research participant each time that a new action in the health research endeavour is planned is disrespectful of the research participants' autonomy if they were willing at the outset of the research programme to provide broad consent. These abstract arguments can be expanded on ad nauseam. Proponents of an exemption as proposed above would be best advised to generate or obtain the following evidence:

     The results of an empirical study of South African health research participants that is large enough to be generalisable to South African health research participants in general and that investigates actual preferences regarding specific, tiered, or broad consent. If the study shows a statistically significant preference for specific consent, it would be difficult to proceed with the request for an exemption; however, if the study does not show a statistically significant preference for specific consent, a strong factual basis would be established in favour of an exemption.

     An affidavit on behalf of the National Health Research Ethics Council, as the body that developed the Department of Health Ethics Guidelines,108 to explain its policy considerations in deciding that specific, tiered, and broad consent are acceptable. Assuming that the

    107 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 31. 108 Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview 4.

    Council would stand its ground, these policy considerations would clearly support the case for an exemption.

    If these pieces of evidence show that the interference with privacy when the consent of research participants is non-specific (tiered or broad) rather than specific is not significant, there will be good grounds to argue that the public interest significantly outweighs the interference with privacy, and that an exemption is therefore justified.

    5.2 Why both an exemption and a code of conduct?

    An exemption is limited to the conditions for the processing of personal information and does not affect the extra layers of requirements for the processing of special personal information, for the cross-border transfer of information, or for the linking of information that contains unique identifiers. Accordingly, these extra layers of requirements must also be dealt with. First, regarding the processing of special personal information, the possible legal grounds for processing such information include not only (specific)

    consent, but also "processing … for historical, statistical or research

    purposes". This latter ground can be relied upon if the processing serves a public interest, which we have already suggested is indeed the case. However, it would of course be best to have this confirmed in a code of conduct for health research which is officially issued by the Information Regulator.

    Furthermore, South African health researchers are part of many international health research collaborations. Accordingly, the cross-border transfer of health information and biometric information is an important issue. As discussed above, the cross-border transfer of health information and biometric information is regulated both as personal information in general and as special personal information. Our proposed solution deals with both of these. First, relating to the cross-border transfer of special personal information, the proposed code of conduct for health research would obviate the requirement for prior authorisation from the Information Regulator. Second, relating to the cross-border transfer of personal information in general, to avoid the (specific) consent requirement, a standard set of privacy contractual clauses should be developed that encapsulates the elements of POPIA's eight conditions that are relevant to health research, and that ensures that further transfers would be subject to the same provisions. Such a standard set of privacy clauses should be approved by the Information Regulator and appended as a schedule to the code of conduct for health research. A good example of such a standard set of privacy contractual clauses that could be included in any binding agreement, material or data transfer agreement is the European Commission's Standard Contractual Clauses for Data Transfers between EU and non-EU countries.109

    Lastly, in the case of health research collaboration where research data that include unique identifiers are linked with other research data from collaborators, the proposed code of conduct for health research will eliminate the requirement for prior authorisation from the Information Regulator. Given that collaborators may be in foreign jurisdictions, the same standard set of privacy contractual clauses that is to be used for cross-border transfers should also be required in this context.

    6 Conclusion

    In the event that the South African health research sector wishes to accept our proposed solution, it is essential that the justification for the exemption must have a solid foundation in law – in particular, in human rights law. Arguments to the effect that implementing specific consent would require extra time and effort on the part of health researchers are unhelpful. One must remember that POPIA and its definition of consent as "specific" are aimed at protecting privacy – a human right entrenched in the Constitution. And inconvenience – extra time and effort – can never trump a right. To scale the mountain of justification, one needs the right tools and the right preparation. One must see the mountain for what it is: a human rights issue. Accordingly, the tools are the human rights that are positively impacted on by health research, and the preparation entails generating and obtaining relevant evidence. Even with the right tools and preparation, there is no guarantee that one will reach the mountain's summit, but it does offer the best chance for success.

    109 European Commission Date Unknown https://ec.europa.eu/info/law/law-topic/dataprotection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

    Bibliography

    Literature

    Budin-Ljsne et al 2017 BMC Medical Ethics Budin-Ljsne I et al "Dynamic Consent: A Potential Solution to Some of the Challenges of Modern Biomedical Research" 2017 BMC Medical Ethics https://doi.org/10.1186/s12910-016-0162-9

    Kaye 2012 Annu Rev Genomics Hum Genet Kaye J "The Tension between Data Sharing and the Protection of Privacy in Genomics Research" 2012 Annu Rev Genomics Hum Genet 415-431

    Kaye et al 2015 Eur J Hum Genet Kaye J et al "Dynamic Consent: A Patient Interface for Twenty-First Century Research Networks" 2015 Eur J Hum Genet 141-146

    Manson 2019 Journal of Medical Ethics Manson NC "The Biobank Consent Debate: Why 'Meta-Consent' is not the Solution?" 2019 Journal of Medical Ethics 291-294

    Nembaware et al 2019 Nature Genetics Nembaware V et al "A Framework for Tiered Informed Consent for Health Genomic Research in Africa" 2019 Nature Genetics 1566-1571

    Nordling 2019 Science Nordling L "South African Law may Impede Human Health Research" 2019 Science 802

    Ram 2007 Jurimetrics Ram N "Tiered Consent and the Tyranny of Choice" 2007 Jurimetrics 253

    SALRC Report on Privacy and Data Protection South African Law Reform Commission Project 124: Report on Privacy and Data Protection (The Commission Pretoria 2009)

    Shabani and Borry 2015 Life Science, Society and Policy Shabani M and Borry P "Challenges of Web-Based Personal Genomic Data Sharing" 2015 Life Science, Society and Policy 1-13

    Shabani and Marelliv 2019 EMBO Reports Shabani M and Marelliv L "Re-identifiability of Genomic Data and the GDPR" 2019 EMBO Reports 1-5 Sheehan et al 2019 Public Health Ethics Sheehan M et al "Authority and the Future of Consent in Population-Level Biomedical Research" 2019 Public Health Ethics 225-236

    Staunton et al 2020 IDPL Staunton C et al "Protection of Personal Information Act 2013 and Data Protection for Health Research in South Africa" 2020 IDPL 160-179

    Staunton et al 2019 SAMJ Staunton C et al "Safeguarding the Future of Genomic Research in South Africa: Broad Consent and the Protection of Personal Information Act No 4 of 2013" 2019 SAMJ 468-470

    Staunton et al 2020 SAMJ Staunton C et al "Correspondence" 2020 SAMJ 175-176

    Teare et al 2021 Eur J Hum Genet Teare HJA et al "Reflections on Dynamic Consent in Biomedical Research: The Story so Far" 2021 Eur J Hum Genet 649-656

    Thaldar and Townsend 2020 SAMJ Thaldar DW and Townsend BA "Genomic Research and Privacy: A Response to Staunton et al" 2020 SAMJ 172-174

    Thaldar et al 2020 BMC Medical Ethics Thaldar DW et al "South Africa's New Standard Material Transfer Agreement: Proposals for Improvement and Pointers for Implementation" 2020 BMC Medical Ethics 1-13

    Townsend 2021 Information and Communications Technology Law Townsend BA "The Lawful Sharing of Health Research Data in South Africa and Beyond" 2021 Information and Communications Technology Law 1-18

    Townsend and Thaldar 2019 SAJHR Townsend BA and Thaldar DW "Navigating Uncharted Waters: Biobanks and Informational Privacy in South Africa" 2019 SAJHR 329-350

    Vayena et al 2013 Science Translational Medicine Vayena E et al "Caught in the Web: Informed Consent for Online Health Research" 2013 Science Translational Medicine 1-3

    Case law

    Asko Beleggings v Voorsitter van die Drankraad 1997 2 SA 57 (NC) Barkhuizen v Napier 2007 5 SA 323 (CC)

    Bertie Van Zyl (Pty) Ltd v Minister for Safety and Security 2010 2 SA 181 (CC) British American Tobacco South Africa (Pty) Ltd v Minister of Health 2012 3

    All SA 593 (SCA)

    CJW Marketing CC v Limpopo Provincial Liquor Board 2008 ZAGPHC 403 (12 December 2008) Hartswater Hotels BK v Drankraad van die Noord-Kaap 2003 ZANCHC 30

    (28 March 2003) Maharaj v Chairman, Liquor Board 1997 1 SA 273 (N) New Modderfontein Gold Mining Company v Transvaal Provincial

    Administration 1919 AD 367 S v Zuma 1995 2 SA 642 (CC)

    Legislation

    South Africa

    Constitution of the Republic of South Africa, 1996 Liquor Act 27 of 1989 Liquor Act 59 of 2003 National Health Act 61 of 2003 Protection of Personal Information Act 4 of 2013

    European Union

    General Data Protection Regulation 679/2016

    Government publications

    GN R719 in GG 38000 of 19 September 2014 GN R719 in GG 41781 of 20 July 2018 Proc R21 in GG 43461 of 22 June 2020

    International instruments

    Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981)

    OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

    Internet sources

    Department of Health 2015 http://nhrec.health.gov.za/index.php/grids-preview Department of Health 2015 Ethics in Health Research: Principles, Processes and Structures http://nhrec.health.gov.za/index.php/grids-preview accessed 12 March 2021

    European Commission Date Unknown https://ec.europa.eu/info/law/lawtopic/data-protection/international-dimension-data-protection/standardcontractual-clauses-scc_en European Commission Date Unknown Standard Contractual Clauses https://ec.europa.eu/info/law/law-topic/data-protection/internationaldimension-data-protection/standard-contractual-clauses-scc_en accessed 20 August 2020

    H3Africa 2017 https://h3africa.org/wp-content/uploads/2018/05/H3A% 202017%20Revised%20IC%20guideline%20for%20SC%2020_10_2017.p df Human Heredity and Health in Africa 2017 H3Africa Guideline for Informed Consent https://h3africa.org/wp-content/uploads/2018/05/H3A%202017 %20Revised%20IC%20guideline%20for%20SC%2020_10_2017.pdf accessed 20 August 2020

    National Institutes of Health 2020 https://www.fic.nih.gov/Funding/Pages/ collaborations-h3africa.aspx National Institutes of Health (United States of America) 2020 Human Heredity and Health in Africa (H3Africa) at NIH

    https://www.fic.nih.gov/Funding/Pages/collaborations-h3africa.aspx accessed 8 May 2021

    List of Abbreviations

    Annu Rev Genomics Hum Annual Review of Genomics and Human Genet Genetics EU European Union Eur J Hum Genet European Journal of Human Genetics GDPR General Data Protection Regulation H3Africa Human Heredity and Health in Africa IDPL International Data Privacy Law NHA National Health Act 61 of 2003 OECD Organisation for Economic Co-operation and

    Development POPIA Protection of Personal Information Act 4 of 2013 SA MTA Material Transfer Agreement for Human

    Biological Materials SAJHR South African Journal of Human Rights SALRC South African Law Reform Commission SAMJ South African Medical Journal