Sunday Times E-Edition

Draft ethics guidelines for health research set up conflict

By DONRICH THALDAR & CIARA STAUNTON

Thaldar is a professor at the School of Law, University of KwaZulu-Natal. Staunton is an honorary research fellow at the School of Law, University of KwaZulu-Natal.

Health research ethics are important. They aim to protect people who participate in health research projects — for example, a clinical trial of a new medicine or a study to investigate the genetic causes of a certain disease.

All health research studies in South Africa must be approved by an institutional health research ethics committee. These committees are guided by the national Ethics Guidelines, which are developed and from time to time revised by the National Health Research Ethics Council (NHREC).

The last version of the Ethics Guidelines dates back to 2015, and so a revision has been overdue. The NHREC recently released the final draft of its revised Ethics Guidelines to select “stakeholders” for comment.

Rather than update and provide more comprehensive guidance, the guidelines as currently drafted will introduce regulatory confusion.

Over the past few years, the South African research community gradually adapted to Popia — the Protection of Personal Information Act. The Academy of Science of South Africa (ASSAf) initiated a project to develop a code of conduct for research in terms of Popia. After two years of development and public consultation, ASSAf’s proposed code is currently being considered by the Information Regulator — Popia’s implementation agency. Once approved by the regulator, ASSAf’s code — and the code alone — will govern the use of personal data in research, including health research. The governance of personal data is at present consolidated in Popia and its implementation mechanisms.

However, the NHREC seems not to properly appreciate that the data governance landscape in South Africa has fundamentally changed since Popia entered into full operation in mid-2021. While the draft guidelines refer to ASSAf’s code, at the same time they set themselves up as a parallel personal data governance framework in conflict with ASSAf’s code and Popia. Three examples of this will suffice.

In the draft guidelines the NHREC introduces its own set of data-related definitions that are completely different from the definitions in Popia and the ASSAf code. For example, whereas Popia and ASSAf’s code speak of “de-identification”, the draft guidelines speak of “anonymisation”; whereas ASSAf’s code speaks of “pseudonymised” information, the draft guidelines speak of “coded” information. This will not only confuse the research community, but the implication is that it could become a parallel data governance framework.

Parliament decided on the data protection terminology the country must use when it enacted Popia. Let’s just all use the same terminology!

The second example relates to what the draft guidelines term “anonymised” information. This is defined as information that is “irrevocably stripped of direct identifiers”. This seems to correspond with Popia’s information that has been de-identified to the extent that it cannot be re-identified.

According to the draft guidelines, a data subject must still have a limited right to withdraw his or her information — even if it has been “anonymised”. This makes no sense. How will a researcher know which information to withdraw if the information is irrevocably stripped of direct identifiers? Once information has been “anonymised”, it is impossible for a data subject to have it withdrawn, because it cannot be identified as relating to the research subject. This indicates that some of the proposed changes need further consideration.

The third example relates to how the NHREC misinterprets Popia. The draft guidelines state that Popia provides that research participants “must consent to data sharing”. This is incorrect. Consent is only one of multiple potentially lawful grounds for data sharing. The NHREC proceeds to state that Popia requires that data sharing should occur only if the receiving country has similar legal provisions for data protection. This is also incorrect. An adequate level of protection is only one of the lawful grounds under which cross-border sharing of personal data can occur.

If not revised, the draft guidelines could set up an alternative data governance framework in opposition to Popia and ASSAf’s code. This is ethically unacceptable and legally untenable. If the NHREC proceeds on this road of conflict, its draft guidelines will face litigation.

The NHREC should officially withdraw its draft guidelines and go back to the drawing board. The NHREC’s mandate is to provide minimum standards for health research ethics in our country — not to set up an alternative data governance framework in conflict with Popia and ASSAf’s code.

Comment & Analysis

2023-10-22T07:00:00.0000000Z

https://times-e-editions.pressreader.com/article/281994677167611

Arena Holdings PTY