This paper examines the proposed Code of Conduct for Research (CCR) in South Africa, developed by the Academy of Science of South Africa (ASSAf) to complement the Protection of Personal Information Act 4 of 2013 (POPIA). The global landscape of data protection has seen increasing legislation, including the GDPR (EU), PIPEDA (Canada), CCPA (California), and Brazil's General Data Protection Law. POPIA, South Africa's primary data protection instrument, aims to balance the right to privacy with the right to access information. Codes of conduct, under Chapter 7 of POPIA, provide sector-specific guidance for interpreting and complying with POPIA. The proposed CCR, submitted to the Information Regulator, aims to enhance legal certainty, promote accountability, and safeguard research participants and data. This article provides background on POPIA, discusses the role of codes of conduct, and critically analyzes the proposed CCR, highlighting resolved and unresolved issues, along with a new concern regarding an exception for genetic data. The authors analyze the proposed CCR's handling of consent (specific versus broad), special personal information, the classification of researchers as responsible parties, and the avoidance of conflicting terminology. The historical context of POPIA's development, influenced by international guidelines, is presented, emphasizing the need for a comprehensive code of conduct to clarify its application in research.

The authors extensively review the literature surrounding previous drafts of the CCR, noting criticisms and suggestions from various academics. These concerns included the definitions of special personal information, responsible party, public interest, and the interpretation of consent as broad or specific. The authors cite several papers that highlight shortcomings in the previous drafts regarding the repurposing of research data for commercial use and the challenges of establishing open-access genomic databases within the POPIA framework. This review establishes the context for evaluating the improvements and remaining shortcomings of the proposed CCR.

The authors employ a qualitative legal analysis methodology. They meticulously examine the proposed CCR, comparing it to previous drafts and analyzing its alignment with POPIA. This involves a detailed examination of specific clauses, definitions, and interpretations of key concepts such as consent, data identifiability, and the status of researchers as responsible parties. The analysis considers both the legal and practical implications of the proposed CCR. The authors draw extensively on prior academic work critiquing the previous drafts, referencing relevant case law (such as the Single Resolution Board v. European Data Protection Supervisor case) to contextualize their analysis within the broader international discussion of data protection in research. The authors' recommendations are grounded in the South African legal framework and international best practices. The methodology includes identifying resolved issues (e.g., the clarification of specific consent), unresolved issues (e.g., the contextual determination of identifiability), and new concerns introduced in the proposed CCR (e.g., the exception for genetic data). They use examples to illustrate their arguments and enhance the clarity of their legal interpretations.

The analysis reveals that the proposed CCR successfully addresses several significant shortcomings of previous drafts. Firstly, it clarifies that consent under POPIA must be specific and not broad, aligning with the act's requirements. Secondly, it correctly establishes special personal information as a subclass of personal information, subject to additional safeguards. Thirdly, it includes individual researchers as responsible parties, clarifying accountability. Fourthly, it eliminates inconsistencies in terminology by removing foreign terms like ‘anonymisation’ and focusing solely on POPIA's definition of de-identification. Finally, it shifts responsibility for adequacy determinations for cross-border data transfers to a local committee, rather than relying on foreign jurisdictions' decisions. However, the analysis identifies crucial unresolved issues. First, the proposed CCR lacks clarity on whether context is relevant in determining data subject identifiability, a critical issue for pseudonymisation and data sharing. The authors advocate for a context-specific approach, arguing that it aligns better with POPIA’s research exception. Second, the CCR fails to address a pathway for repurposing research data for commercial use, despite this being a significant policy objective in South Africa. The authors suggest incorporating guidelines for such repurposing, considering POPIA's provisions on further processing. Third, the proposed CCR lacks guidance on establishing truly open-access genomic databases. The authors propose aligning the CCR's definition of ‘open access’ with national policies and providing practical guidelines based on existing ethical and legal frameworks. A further critical finding is the introduction of a potentially illegal exception that removes genetic data from the scope of POPIA unless linked to other identifying information. This is deemed legally unsustainable and conflicts with POPIA's definition of personal information, potentially exposing researchers to legal risks.

The findings highlight the significant progress made in refining the CCR, yet the unresolved issues pose substantial challenges. The lack of clarity on identifiability can hinder international collaborations and potentially lead to non-compliance. The absence of a clear pathway for commercialization of research data limits opportunities for economic growth and innovation. Failure to address open-access genomics databases may hinder South Africa's participation in global open science initiatives and limit advancements in precision medicine. The introduction of an untenable exception for genetic data creates considerable legal uncertainty and risk for researchers. The authors' recommendations are critical for ensuring the proposed CCR effectively guides research practices while upholding data protection rights. The implications of unresolved issues extend beyond the research community, affecting data subjects’ rights and South Africa's broader policy goals in science and innovation.

The proposed CCR shows improvement but needs significant revisions before approval. The key unresolved issues—data identifiability, data repurposing, open-access databases, and the genetic data exception—require immediate attention. Addressing these concerns will ensure the CCR effectively guides ethical and legal research practices in South Africa, promoting collaboration, innovation, and upholding fundamental rights. Future research could focus on developing practical guidelines for applying the context-specific approach to identifiability, designing frameworks for responsible commercialization of research data, and establishing models for truly open-access genomic databases.

The study is limited to a legal analysis of the proposed CCR document. It does not include empirical data on research practices or stakeholder perspectives. Further research could involve empirical investigation to assess the practical implications of different approaches to data handling and to gather diverse viewpoints on the proposed CCR.