A long overdue and much needed revised draft version of South Africa’s Ethics Guidelines – last updated in 2015 – has been released to select “stakeholders” for comment, but rather than providing more comprehensive guidance, it’s likely to introduce regulatory confusion, write Donrich Thaldar and Ciara Staunton in TimesLIVE.
Health research ethics are important, aimed at protecting those who participate in health research projects, all of which must be approved by an institutional health research ethics committee.
These committees are guided by the national Ethics Guidelines, which are developed and occasionally revised by the National Health Research Ethics Council (NHREC).
Over the past few years, the South African research community gradually adapted to Popia – the Protection of Personal Information Act – and the Academy of Science of South Africa (ASSAf) initiated a project to develop a code of conduct for research in terms of Popia.
After two years of development and public consultation, this proposed code is currently being considered by the Information Regulator, Popia’s implementation agency.
Once approved by the regulator, ASSAf’s code – and the code alone – will govern the use of personal data in research, including health research. The governance of personal data is at present consolidated in Popia and its implementation mechanisms.
However, the NHREC seems not to properly appreciate that the data governance landscape in South Africa has fundamentally changed since Popia entered into full operation in mid-2021.
While the draft guidelines refer to ASSAf’s code, at the same time they set themselves up as a parallel personal data governance framework in conflict with ASSAf’s code and Popia.
Three examples of this will suffice.
In the draft guidelines, the NHREC introduces its own set of data-related definitions that are completely different from the definitions in Popia and the ASSAf code.
For example, whereas Popia and ASSAf’s code speak of “de-identification”, the draft guidelines speak of “anonymisation”; whereas ASSAf’s code speaks of “pseudonymised” information, the draft guidelines speak of “coded” information. This will not only confuse the research community, but the implication is that it could become a parallel data governance framework.
Parliament decided on the data protection terminology the country must use when it enacted Popia. Let’s just all use the same terminology!
The second example relates to what the draft guidelines term “anonymised” information.
This is defined as information that is “irrevocably stripped of direct identifiers”.
This seems to correspond with Popia’s information that has been de-identified to the extent that it cannot be re-identified.
According to the draft guidelines, a data subject must still have a limited right to withdraw his or her information – even if it has been “anonymised”. This makes no sense. How will a researcher know which information to withdraw if the information is irrevocably stripped of direct identifiers?
Once information has been “anonymised”, it is impossible for a data subject to have it withdrawn, because it cannot be identified as relating to the research subject. This indicates that some of the proposed changes need further consideration.
The third example relates to how the NHREC misinterprets Popia. The draft guidelines state that Popia provides that research participants “must consent to data sharing”. This is incorrect.
Consent is only one of multiple potentially lawful grounds for data sharing. The NHREC proceeds to state that Popia requires that data sharing should occur only if the receiving country has similar legal provisions for data protection.
This is also incorrect.
An adequate level of protection is only one of the lawful grounds under which cross-border sharing of personal data can occur.
If not revised, the draft guidelines could set up an alternative data governance framework in opposition to Popia and ASSAf’s code.
This is ethically unacceptable and legally untenable. If the NHREC proceeds on this road of conflict, its draft guidelines will face litigation.
The NHREC should officially withdraw its draft guidelines and go back to the drawing board.
The NHREC’s mandate is to provide minimum standards for health research ethics in our country – not to set up an alternative data governance framework in conflict with Popia and ASSAf’s code.
Parliament decided on the data protection terminology the country must use when it enacted Popia.
Let’s just all use the same terminology!
Thaldar is a professor at the School of Law, University of KwaZulu-Natal. Staunton is an honorary research fellow at the School of Law, University of KwaZulu-Natal.
See more from MedicalBrief archives:
Health Research Ethics: Safeguarding the Interests of Research Participants
Ethics challenge for Sub-Saharan Africa big data research
Research imperialism shows need for functioning SA research ethics oversight body