New privacy law demands greater protection of ‘data subjects’
The draft, which has been prepared with the support of the government after talks with key stakeholders in the higher education sector, must be ready in time for new privacy legislation which comes into effect from 1 July.
To this end, more consultation is being carried out to adjust and add to the draft where necessary and to muster additional support among the national research community.
However, even if the code is finalised in time, it will require a major overhaul of the governance and administration processes for authorising research projects and storing past and present data, for which many institutions in the sector are less than well prepared.
In addition, some of the recommendations produced by ASSAf, which took on the task of producing the code late last year, have been greeted with concern.
For example, the academy has identified a crucial role for the research ethics committees (RECs) at the country’s universities in implementing the new Protection of Personal Information Act (POPIA).
The proposal is that these committees, as the bodies already overseeing efforts to protect the interests of research subjects, are well-placed to shoulder the additional burden of safeguarding the rights of ‘data subjects’ under the act.
However, there is understandable concern among the already overstretched academic staff on these committees about taking on extra work, particularly in the absence of more resources, as was recently acknowledged by Jantina de Vries of the University of Cape Town who co-authored an ASSAf discussion paper on the draft POPIA Code of Conduct for Research.
“[Such oversight] is not their natural role [and] cannot be an unfunded mandate,” she told a virtual public meeting hosted by ASSAf early in May to present the draft code.
Research ethics committees
At the same time, it was noted that the view adopted by ASSAf in consultation with the National Health Research Ethics Council was that the RECs should be charged with ensuring compliance with POPIA on a project-by-project basis (although the information officer at each university will ultimately be responsible for institutional adherence to the new law).
The use of RECs for this is in line with international best practice for data-protection governance and also represents a practical solution, according to a discussion document co-authored by Rachel Adams, who is a senior research specialist at the Human Sciences Research Council.
“We were looking at how we can advise institutions to comply through existing, well-functioning structures and oversight bodies, as well as ways of cutting the extra resources that would be needed,” she said.
Implementation of the new legislation will also entail the adoption of a new mindset and systems for collecting and managing personal data for research purposes, according to presenters at the virtual meeting.
In line with an underlying constitutional right to privacy and to prevent personal information being divulged in ways that could harm the subject, researchers will be required to make every effort to ‘de-identify’ the data they use.
Similarly, the custodians of university and national databases need to review the terms and conditions under which these were established to ensure compliance with the new law and, as necessary, make decisions about which data sets should be retained, as well as which should be de-identified (by deleting personal markers).
These custodians should consider the sensitivity of the information that they hold from the point of view of the research subject – referred to as the ‘data subject’ in the code.
A key concern is that it can become increasingly easy to identify the individual behind the data once their personal information is cross-referenced across databases.
“Repositories should advise what can and cannot be accessed,” said Alan Christoffels of the Bioinformatics Institute at the University of the Western Cape, who co-authored ASSAf’s discussion document.
In addition, the researchers seeking access to information from other databases, including those in the public domain, should seek to adhere to the principle of ‘data minimality’, only taking the bare information they need and seeking as far as possible to access de-identified information, according to Adams.
They must further act to ensure that, in sharing personal data on research subjects among themselves during the course of a project, they use secure channels of communication.
There is much work to do in reviewing, safeguarding and, as necessary, editing existing databases, which will entail the deployment of significant information-technology resources, as well as the development and production of new data-management plans and processes.
For example, as with individual research projects, the rationale for establishing and maintaining a database containing personal information must be documented and a sufficient legal basis for this must be presented.
“POPIA will create more paperwork for record-keeping in relation to transparency,” said Adams.
In this regard, ASSAf, which will be producing annual reports on compliance with the code to be submitted to the national Information Regulator, will be offering guidance on key aspects of its implementation.
It will advise on the terms for consent which researchers may need to present to the data subjects, explaining how the information that is gleaned from them may be stored, used (and possibly reprocessed) and their rights in relation to their control over and access to this data.
A key aspect of the principle of consent promoted by the legislation is that a data subject can withdraw their permission at any time – which, as Adams noted, makes it a far from ideal basis for research.
ASSAf will further advise on the production of data management plans and how these should address the lawful basis for research projects, the risks of personal data being divulged and who is accountable for the work.
With particular reference to the fragility of research projects that may seek to rely on the consent of subjects as the basis for their data collection, the drafters of the ASSAf code have emphasised the exceptions to the code which include allowing university teams to collect and hold personal data for historical, statistical and research purposes in the public interest.
Research councils with a parliamentary mandate and universities with research as their core function thus enjoy a certain latitude, which may form the legal basis of their data management planning, according to Adams.
In this regard, the ASSAf code is only intended to apply to research with a ‘scholarly intent’, she said, including that produced by the more than 57,000 researchers at universities in 2019; and not to data being collected for other purposes, such as opinion polls and market research.
Data-sharing across borders
The academy’s guidance on the code will also include templates for assessing data management risks forged according to the principle that the greater the risk, the more stringent the required safeguards for protecting the data. ASSAf will further advise on conducting privacy impact assessments for high-risk studies.
In addition, it will provide an ethical compliance checklist in relation to the code for RECs, as well as standard contractual clauses for use in agreements for data-sharing across borders.
The code further addresses the challenge of safeguarding privacy in genetic research, in which the strands of human DNA under study can, by their nature, be ‘singled out’ and tracked back to individuals through cross-referencing with other data sets.
The draft also considers the issue of using algorithms to analyse big data, particularly in cases in which third-party holders of proprietary software may be able to access the base information under study, thus compromising the privacy of the subjects.
“As new ways of collecting data automatically via bots are developed, we need to think more about how information is being collected,” said discussion document co-author Jerome Singh of the Centre for Medical Ethics and Law at Stellenbosch University.
Given the difficulty of an absolute guarantee on the privacy of personal data used for research, the approach should be to do “what is reasonably possible” to protect it, according to Christoffels.
The standard for what may be considered “reasonably possible” should be shaped by the time, cost, effort and expertise, as well as technological capacity required to “re-identify” individuals from the data available, despite the safeguards in place.
In seeking to heighten security, “we need to prove we have taken all reasonable steps”, said Christoffels.
So, for example, even in research based on social media which is broadly exempted from the provisions of the act on the basis that the data produced on these platforms is within the public domain, there may be expectations of privacy which should be respected.
“The intent of the data subject matters,” said discussion document co-author Antonel Olckers of DNAbiotec®. She advised that such information should be de-identified and decoupled from its original post as early as possible.
The drafters of advice on the code sought to emphasise the benefits of adherence to the new legislation, which include the requirement to engage proactively with communities in seeking their buy-in for particular research projects, as well as the drive to be more efficient in information collection and cross-referencing in the name of data minimality, which may protect over-researched communities.
It was also stressed that implementation of the new code and law would ensure that the country’s knowledge producers remain competitive on the global stage by meeting international standards for data protection.
More broadly, Michèle Ramsay of the University of the Witwatersrand, who has played a leading role in developing the code, noted that it was not being forged in isolation, but rather as part of a commitment to open access among South Africa’s academic research community.
“The policy is to be as open as possible, and as closed as necessary,” she said.