South Africa’s New Privacy Laws may Jeopardize Advancements in Scientific Research

By Arabang Dingalo
Arabang Dingalo is a sophomore at the Wharton School studying Business Economics and Public Policy. 

In this day and technology age, there are growing concerns from nations worldwide on the possible abuse of citizens’ personal data and privacy, and South Africa is no exception. This growing concern prompted the then president of South Africa, Jacob Zuma, to sign the Protection of Personal Information Act (POPIA) into being in 2013 [1] and it has finally come into effect in December 2018. POPIA was greatly molded around Europe’s General Data Privacy Protection (GDPR) Act and despite the GDPR having made extensive adjustments since its conception, POPIA has stayed stagnant and failed to adapt to some critical points of the GDPR changes. One pivotal change is the law surrounding Scientific Research. Article 9(2)(j) of the GDPR allows for processing of genetic data as part of a special category of data if ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,’ [2]. The POPIA has failed to make this adjustments and there are growing concerns from the South African scientific community about the implication this will have on what is today, the hub of African research.

One greatly affected scientific industry is biobanking. Biobanking is a growing field associated with biomedical sciences that involves the collection, processing, analysis and sharing of biospecimen and the research obtained from the samples [3]. South Africa is home to the most Biobanks in Africa and it is seen as the hub of African biobanking due to its large population and thus the diverse pool of genes that it encompasses, which allows for countries all over the world to work together and make advancements in public health. The new article stipulated by POPIA may take this all away. Previously, biobank governance was controlled by the National Health Act (NHA) Act No 61 of 2003, which allowed for sharing of data on the condition of participant anonymization without the need for continual consent but this is set to change with POPIA. There have been growing concerns over biobanks globally around the issue of informed consent, prompting questions around the sensitive information that stays in biobank databases on research the sample donors know nothing about. POPIA has declared a blanket statement in condition 3 of Act No.4 of 2013 which states “Personal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party,” [4].

However, this may have detrimental effects on scientific research institutions, especially biobanks.

Biobanks are crucial in identifying the role that genes play in disease development. This has accelerated new drug development which is a long process and the research depends on specimens being in the lab for long periods of time. It also entails samples being used for research which may be different from intended and even unknown at the time of sample collection. Therefore, POPIA will jeopardize the chances of having sample longevity in labs and long-lasting studies which could lead to breakthroughs in the scientific realm. The GDPR, which came into force May 2018 and has already started seeing the fruits of its labor, exempts it’s restrictions on the use of data for research, particularly in biobanks. However, the opponents of this exemption are worried about whether legally compliant to the GDPR translates to ethical compliance particular to the dealings of sensitive information such as genomes [5].

This need for consent means research has to be halted and even discarded if they do not receive replies from the sample donors. From another point of view, this may increase the number of donors to biobanks as biobanks rely on public trust and this law strengthens that trust. Donors are more comfortable giving their blood if they know where the samples are going, when they will be used and what they will be used for [6]. But this study is based on theoretical conditions, it is still unknown the real implications of the donors having to consent each time their sample is used.
​
As with all sectors now from social platforms to financial regulations, data privacy is a recurring topic. It is one that is fairly new and thus, unknown. What remains in question here with POPIA is if the law can balance the protection of privacy with the advancement of scientific developments because it is unclear if these two can coexist.

Photo Credit: Photo by Ousa Chea on Unsplash 

References:

[1]Protection of Personal Information Act 2013, Information Regulator South Africa retrieved from http://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf
[2]​How GDPR changes the rules for research. (n.d.). Retrieved from https://iapp.org/news/a/how-gdpr-changes-the-rules-for-research/
[3]Akinyemi, R. O. (2018, June 1). Biobanking in a Challenging African Environment: Unique Experience from the SIREN Project. Retrieved from https://www.liebertpub.com/doi/full/10.1089/bio.2017.0113
[4]​Protection of Personal Information Act 2013, Information Regulator South Africa retrieved from ​http://www.justice.gov.za/inforeg/docs/InfoRegSA-POPIA-act2013-004.pdf​ pg 31.
[5]Eugenia, Alepis, Efthimios, & Constantinos. (2018, March 26). Forgetting personal data and revoking consent under the GDPR: Challenges and proposed solutions. Retrieved from https://academic.oup.com/cybersecurity/article/4/1/tyy001/4954056
[6]Keymanthri Moodley, Nomathemba Sibanda, & Theresa Rossouw. (2014, January 22). "It's my blood": Ethical complexities in the use, storage and export of biological samples: Perspectives from South African research participants. Retrieved from https://bmcmedethics.biomedcentral.com/articles/10.1186/1472-6939-15-4 
The opinions and views expressed through this publication are the opinions of the designated authors and do not reflect the opinions or views of the Penn Undergraduate Law Journal, our staff, or our clients.