Thursday, 2 May, 2024

How does POPIA impact on health research?

SA already has a well-established system for regulating health research on human subjects, but with stricter data protection regulations since the Protection of Personal Information Act (POPIA) came into effect, it is important to establish which legislation applies when processing personal information for this field.

In the SA Medical Journal, V Bronstein and D Nyachowe write that Section 3(2)(b) of POPIA is relevant here – providing that POPIA does not apply where other legislation creates “more extensive” conditions for the lawful processing of personal information than chapter 3 of POPIA does – and unravel the implications of this curious provision in the context of health research.

The National Health Act (NHA) is the primary legislation for regulating health research in South Africa, its provisions reinforced by the detailed National Department of Health 2015 ‘Ethics in health research: Principles, processes and structures’ (DoH Guidelines).

These guidelines have the force of law at the level of secondary legislation. The Health Professions Act also regulates health professionals and their conduct.

The Health Professions Council of South Africa (HPCSA) has issued guidelines that include general ethical guidelines for researchers, and also guidelines on keeping patients’ records that, inter alia, allow data subjects to access their own records and incorporate aspects of the Promotion of Access to Information Act.

The South African Medical Research Council (SAMRC) also has guidelines on the responsible conduct of research.

In practice, all the above laws, but most importantly, the NHA and its regulations and guidelines, form a composite whole for the regulation of health research.

We refer to the above legislation as the “sectoral legislation” in this article because it is specific legislation that pertains to health research.

The precepts of the sectoral legislation are implemented through a network of human research ethics committees (HRECs) operating under the auspices of the National Health Research Ethics Council (NHREC) (s72 NHA).

The NHREC sets “norms and standards for conducting research on humans” and for conducting clinical trials (s72(6)(c) NHA).

Every establishment where research is conducted must either establish or have access to an HREC (s73(1) NHA). HRECs apply the DoH guidelines in addition to standards and conditions set by the particular ethics committee. They review research proposals and protocols, and only grant approval for research that meets their standards (s73(2)(a) and (b) NHA).

Health research always generates large volumes of personal information, and regulation of this has been made more complex by the coming into force of POPIA.

There is a general assumption that POPIA always applies to personal information generated in the process of health research, but our aim is to show this assumption is flawed, as it fails to engage with the application provision of POPIA.

The application of POPIA

Section 3(2) of POPIA reads:

‘(a) This Act applies, subject to paragraph (b), to the exclusion of any provision of any other legislation that regulates the processing of personal information and is materially inconsistent with an object, or a specific provision, of this Act.
(b) If any other legislation provides for conditions for the lawful processing of personal information that are more extensive than those set out in Chapter 3 (of POPIA), the extensive conditions prevail (our italics).’

Section 3(2)(b) has not been explored in the context of health research. Although s3(2)(a) states that POPIA applies ‘to the exclusion of … any other legislation’, the provision is immediately undercut by s3(2)(b), which makes it clear that POPIA does not apply in circumstances where more extensive legislation than chapter three of POPIA applies to the field.

Implications of s3(2)(b) of POPIA in the context of health research

Are the conditions set out in the complex of sectoral legislation regulating health research more extensive than those in chapter three of POPIA?

What does ‘more extensive than’ mean in the context of s3(2)(b)? To our surprise, the term ‘more extensive than’ is almost never used in SA legislation.

A search on Jutastat only finds the exact phrase in this one subsection, and there are no cases referring to it or interpreting its meaning. In a bid to find the meaning of ‘extensive’, this research has explored ordinary dictionary meanings.

Dictionary definitions of extensive seem to follow a similar pattern. Extensive commonly refers to something ‘that covers a large area’ or ‘that is wide or great’.

However, that is not the meaning of extensive that seems to be appropriate in this context.

In our view, the dictionary definitions that focus on extensive as meaning more detailed, thorough or comprehensive are relevant to the meaning of more extensive than in the context of s3(2)(b).

One impulse is to interpret s3(2)(b) to maximise the privacy of data subjects. If that were the case, the interpreter would ask whether chapter three of POPIA gives more protection to data subjects than the sectoral legislation.

One problem with this view is that s3(3) of POPIA makes it clear the Act must be interpreted in line with an array of purposes. Although the right to privacy is included in these purposes, the right to access to information and important interests such as free flow of information within SA and across borders also need to be considered when interpreting POPIA (s3(3) NHA).

Hence it would be incorrect to interpret the phrase more extensive than as simply meaning the legislation that provides more protection for data subjects prevails. In any event, if the intention of s3(2)(b) were to maximise protection of the data subjects in all circumstances, it would have been a simple matter for the legislature to have made its intention clear.

‘More extensive than’ in the context of s3(2) of POPIA cannot simply be a synonym for stricter legislation.

The use of the word prevail indicates that the more extensive conditions override the provisions of POPIA. In our view, the intention of s3(2)(b) is that the more intricate and detailed regulation that covers the field prevails.

Comparison to establish which regulatory pathway is more extensive

The next step is to compare the sectoral legislation regulating health research on human subjects with the conditions set out in chapter three of POPIA, to establish which regulates the field more comprehensively or extensively.

The question is whether the sectoral legislation is more extensive than chapter three of POPIA.

Chapter three of POPIA sets out eight conditions for processing personal information along with provisions for processing special personal information and data on children. Detailed analysis shows sectoral legislation is much more comprehensive than chapter three of POPIA.

In general, the specific structures for regulating health research are more rigorous than the POPIA requirements.

For example, HRECs that enforce the sectoral legislation require elaborate documentation, in contrast with POPIA, which has weak documentation requirements. Data collection and secondary use of data need to be justified to and approved by HRECs.

The sectoral legislation also provides more detailed provisions for dealing with consent in the context of health, sex life data and children’s data than POPIA does. Sectoral legislation also contains provisions allowing data subjects to access their own records.

There are also mechanisms for data subjects to seek recourse against researchers with the aid of HRECs, the health ombudsman and ultimately the Minister of Health (s18, s81(a) and (b) NHA).

NHA, DoH guidelines and associated legislation provide more extensive conditions for lawful processing of personal information for health research than those in chapter three of POPIA.

Section 3(2)(b) of POPIA indicates that ‘the extensive conditions prevail’.

Implications of the sectoral legislation being more extensive than POPIA

The unusual structure of s3(2)(b) of POPIA requires legal interpreters to determine which legislation applies to protection of personal information in a particular field.

The concept of pre-emption, widely used in the international federalism literature, is useful here. Pre-emption is a legal doctrine dealing with determining which of two legislative regimes applies in specific circumstances.

We are justified in using the analogy of pre-emption in this context as the doctrine is simply a particular manifestation of conventional statutory interpretation, which fundamentally aims to interpret and determine the legislature’s intention.

The operative question in pre-emption is whether the national legislature intended to comprehensively cover the field or relevant subject matter when it passed the legislation.

In our context, we pose the opposite question. Did our legislature intend not to regulate specific fields or to leave them outside the ambit of POPIA?

In our view, s3(2)(b) of POPIA evinces exactly that intention in the context of fields where data are more extensively regulated than they are under chapter three of POPIA.

We have demonstrated that health research is one such field.

If the sectoral legislation for health provides more extensive conditions for processing personal information than chapter three of POPIA, that creates two possibilities. One is that when the sectoral legislation conflicts with POPIA, the sectoral legislation prevails. The second possibility, which we prefer, is that the sectoral legislation regulates health research to the exclusion of chapter three of POPIA.

That interpretation safeguards the spaces deliberately left open in the sectoral legislation and protects the coherence of the legal structures protecting health research.

The latter interpretation fits with the doctrine of pre-emption, and with our understanding of the purpose of POPIA, which was to introduce general legislation incorporating good data protection practices in fields where data protection was thinly regulated or non-existent.

Hence, our interpretation of s3(2)(b) of POPIA coheres with the view that the legislature did not intend to disturb good practices in well-regulated fields like the health research sphere. There is a research exception in POPIA specifically directed at secondary use of data in research (s27(1)(d)).

In our view, s27(1)(d) is a residual provision that applies generally across the whole gamut of researchers in society and operates outside the specific health research context.

Although there is often congruency between the sectoral legislation for health research and the conditions set out in chapter 3 of POPIA, there are circumstances in which the question of which legislation applies has practical implications for the research community.

For example, the DoH Guidelines allow research subjects to give narrow, tiered or broad consent to use of their personal data. POPIA requires consent to be specific.

In our view, the sectoral legislation applies to health research to the exclusion of POPIA. This interpretation flows from the application of s3(2)(b) of POPIA. The sectoral legislation prevails over chapter three of POPIA, which includes the consent provisions.

But POPIA also contains other chapters that potentially affect health research and include, inter alia, provisions about data transfer, automated processing and codes of conduct. The status of the provisions outside chapter three of POPIA is not clearly resolved by the application provisions of POPIA.

Conclusion

We have concluded that HRECs must continue to apply the sectoral legislation for health research to the exclusion of chapter three of POPIA. However, many difficult interpretative questions remain unresolved.

We agree that in principle, there should be a sector-wide exemption ensuring health research is regulated by sectoral legislation and HRECs to the exclusion of POPIA and the Information Regulator.

This would prevent forum shopping and allow HRECs, which are expert bodies with broad expertise in different aspects of health research, to continue to provide the service they have traditionally provided.

The legislature should make it clear that health research is excluded from the ambit of POPIA. Sectoral legislation can always be refined and improved. However, a clear legislative amendment would ensure the regulatory system for health research can retain its coherence and its independence while providing clarity for health researchers.

V Bronstein, Associate Professor, School of Law, University of the Witwatersrand;
D Nyachowe, Junior Researcher, Sydney Brenner Institute of Molecular Bioscience, Faculty of Health Sciences, University of the Witwatersrand.

SA Medical Journal article – Streamlining regulatory processes for health researchers: To what extent does POPIA apply? (Creative Commons Licence)