Given that humankind originated in Africa, Africans (and South Africans in particular) have significant genetic diversity. As such, there is a potential wealth of genetic information available to be mined for the benefit of not only the African continent, but potentially the world.
Unfortunately, without effective regulation, the collection and use of African genetic information could result in the unfair exploitation of the donors of this information. Due to the asymmetrical power relationships between donors and users of genetic information that is present in the fields of science and medicine, this is a sensitive issue.
Protection of Personal Information Act
The Protection of Personal Information Act 2013 (POPIA) was enacted in 2013 and finally promulgated on 1 July 2020, although enforcement will not come into effect until 1 July 2021. Non-compliant organisations may face administrative fines of up to R10 million (approximately $600,000), in addition to possible civil or criminal liability. POPIA aims to give effect to the right to privacy which is entrenched in the South African Bill of Rights and will regulate data privacy similarly to the EU General Data Protection Regulation (GDPR).
POPIA regulates the processing of personal information, including 'biometrics', which is defined as "a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition". A data subject's biometric information is considered special personal information. Further, genetic and biometric data could include 'health information', which is considered special personal information but not further defined. In order to lawfully process special personal information, additional requirements must be met.
POPIA prohibits the processing of special personal information unless there is a general authorisation permitting such processing in terms of Section 27, which includes, among others, obtaining the data subject's consent or processing such information for historical, statistical or research purposes if sufficient guarantees are provided to ensure that the processing does not adversely affect the data subject's individual privacy to a disproportionate extent and provided that:
- the purpose serves a public interest and the processing is necessary for the purpose concerned; or
- it appears to be impossible or would involve a disproportionate effort to ask for consent.
In the absence of a general authorisation, the processing of health information will be permitted if one of the specifically authorised circumstances set out in Section 32 applies. For example, Section 32(5) of POPIA permits the processing of health information concerning inherited characteristics if a serious medical interest prevails or the processing is necessary for historical, statistical or research activity.
Unlike the GDPR, POPIA does not distinguish between or separately define genetic and biometric data. Since not all genetic information constitutes biometrics, the consideration under POPIA is whether the genetic information meets the definition of biometrics and identifies a person.
Section 13(1) of POPIA provides that "[p]ersonal information must be collected for a specific, explicitly defined and lawful purpose related to a function or activity of the responsible party". In the context of genetic information which meets the definition of biometrics and identifies a person, this means that in order to comply with POPIA, the collection of genetic information must concern a specific, explicitly defined study. POPIA precludes the collection of genetic samples in general terms where no study (ie, lawful purpose) is defined.
This is in keeping with the National Health Act (NHA) 2003, which provides that prior informed consent must be obtained before obtaining samples from a study participant. This means that such a participant must be provided with sufficient information that allows them to understand, among other things, the nature and purpose of the research and use of their genetic material.
One of the controversies that has arisen in respect of POPIA's treatment of genetic information relates to the further processing limitation – in other words, the use of a subject's genetic information under broad or blanket consent (ie, no specific project is defined or the consent is in respect of multiple, broadly defined projects). Although Section 13 appears to be relatively clear in that a specific, explicitly defined purpose must be provided for the collection of genetic information, Section 15 of POPIA makes provision for further processing.
For example, secondary research of information subsequent to collection is permitted without the need to require fresh consent from the subject, provided that the further processing is carried out solely for such purposes and will not be published in an identifiable form (and provided that such information cannot be reidentified). Despite the condition provided for in Section 15 that "further processing of personal information must be in accordance or compatible with the purpose for which it was collected in terms of section 13", the meaning of 'in accordance or compatible with the purpose' is unclear.
In all instances where POPIA requires that information not be published in an identifiable form, improved industry practices suggest that most personal information where deidentified can be reconstituted or reidentified. Especially when it comes to genetic information, practice has shown that it is possible through sequencing to reidentify a person.
It appears that further processing would be compatible with the original purpose of collecting genetic information provided that:
- the research participant has given prior consent to the further processing or use of their information, including the potential for future commercialisation, if relevant;
- the information will be used for select purposes, including research; and
- the information will not be published in an identifiable form and cannot be reidentified.
In essence, this section reflects similar provisions of the GDPR, which also allows for consent to be given for future research under certain conditions, where the ultimate use of the data may not be known at the time of collection. Further, POPIA provides for researchers to apply for an exemption from the Information Regulator to process personal information, even where it would amount to a breach of POPIA, where the public interest substantially outweighs any interference with a subject's privacy. Section 15(3)(e) of POPIA helpfully provides that research activity falls within the public interest.
However, it is also important to bear the requirements of the NHA in mind, in that Clause 10 of the Material Transfer Agreement of Human Biological Materials (MTA) published on 20 July 2018 specifically requires that:
- providing institutes must obtain informed consent from human participants to provide materials to recipient institutes to undertake a project; and
- should there be secondary uses of their materials for research other than that consented to in the originally approved protocol, additional informed consent must be obtained by way of an ongoing information sharing process which allows the donor to consent to participate and determine whether and how their biological materials and data will be used in future health research projects by the recipient institute.
Accordingly, broad secondary use of genetic material, including by large sample and data repositories such as biobanks, may fall foul of the regulations unless the requirements set out by both POPIA and the NHA for collection and further processing or secondary use have been met.
Section 18 of the POIA also provides that a researcher must notify subjects, among others, when collecting data if it intends to transfer the personal information to an international entity or foreign country. Further, the researcher must inform the subject on the level of protection afforded to the information by the receiving country so that the subject can make an informed decision as to whether to make the donation. There is an exemption provided for in Section 18(4) of POPIA, in that this requirement is dispensed with if:
- the subject has provided consent that this notification need not be provided;
- non-compliance with this requirement would not prejudice the legitimate interests of the donor subject; or
- the information will not be used in a form in which the data subject may be identified or for historical, statistical or research purposes.
Importantly, Section 57(d) of POPIA requires that a responsible party obtain prior authorisation from the Information Regulator prior to transferring any special personal information to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information. Arguably, other jurisdictions' data privacy laws would be insufficient as they would not cater for juristic persons and such prior authorisation would be required. However, this exemption is rather controversial, in that it is inconsistent with the requirements for prior informed consent provided for in the NHA and its MTA.
Based on the present POPIA drafting, it is also uncertain whether it is necessary to again obtain consent from a donor of genetic data where the researcher only later wishes to transfer the genetic data to a foreign entity or international company. It seems that this may be possible under certain conditions in that POPIA provides that if it is not reasonably practicable to obtain the consent of the data subject and the data subject would likely consent to the transfer, and the transfer is to the benefit of the data subject, the data may still be transferred out of South Africa. However, this also appears to contradict the NHA and its MTA.
It is hoped that the Information Regulator will draft a code of conduct that will clear up some of the contradictions and clarify the requirements with regard to health research and genetic data in particular.
