The proposed Code of Conduct for Research in South Africa: despite good progress, unresolved issues remain

The article situates the proposed Code of Conduct for Research (CCR) within the global rise of data protection frameworks (GDPR, PIPEDA, CCPA, LGPD) and focuses on South Africa’s Protection of Personal Information Act 4 of 2013 (POPIA), which balances privacy (a constitutional right) with access to information. POPIA binds responsible parties to eight conditions for lawful processing and anticipates sector-specific codes of conduct to clarify application. ASSAf’s proposed CCR, published for public comment in May 2023, applies to all responsible parties processing personal information for research and aims to ensure legal certainty, promote accountability, and safeguard participants and data. The article’s purpose is to provide background to POPIA, explain the role of codes of conduct, and critically assess the proposed CCR against prior drafts from legal and practical perspectives, highlighting issues resolved, issues insufficiently addressed (identifiability, commercial repurposing, open access genomics), and a new problematic proposal concerning genetic data.

The paper reviews the historical development and structure of POPIA: South Africa lacked specific data protection law until recommendations by the South African Law Reform Commission (2009) led to the POPI Bill (2009) and enactment of POPIA in 2013, with staged commencement culminating in enforcement from 1 July 2021. POPIA establishes eight conditions for lawful processing (accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, and data subject participation), with rights for data subjects and duties for responsible parties. The review explains Chapter 7’s codes of conduct, which must operationalize POPIA’s conditions for sector contexts. It traces ASSAf’s CCR drafting process: first draft (2021) and second draft (2022) drew academic critiques on consent scope, treatment of special personal information, definition of responsible party, meaning of public interest, and whether POPIA allows broad consent; later critiques addressed repurposing research data for commercial use and feasibility of open access databases. Comparative references include international instruments (OECD Guidelines, Council of Europe Convention) and EU practice, noting debates on identifiability (e.g., SRB v EDPS, 2023). This body of literature frames the assessment of the proposed CCR’s alignment with POPIA and research practice.

The article employs a doctrinal legal and policy analysis. It compares the proposed CCR (third public draft submitted 19 April 2023) with prior drafts, interpreting them against POPIA’s statutory text and purpose, related South African policy (e.g., National Open Science Policy draft), and pertinent international jurisprudence and guidance (e.g., EU SRB v EDPS case; ICO positions). The authors identify resolved issues, remaining gaps, and newly introduced conflicts, and provide normative recommendations for revisions to ensure legal compliance and practical usability for the research sector.

Resolved issues in the proposed CCR: (1) Consent under POPIA is specific, not broad; the CCR now states consent must relate to a specifically defined study. (2) Special personal information is a subclass of personal information, requiring compliance with section 11 plus additional safeguards (sections 27, 35). (3) Researchers, including individual researchers and entities making joint decisions, are recognized as responsible parties. (4) Terminology is aligned with POPIA: references to anonymisation and foreign tests are removed; de-identification is used consistently. (5) Adequacy for cross-border transfers will be locally determined: ASSAf will establish a committee to develop adequacy criteria for research contexts instead of relying on EU adequacy decisions. Unresolved issues: (1) Identifiability standard—CCR does not clarify whether identifiability is context-specific (by the dataset holder) or context-agnostic (by someone, somewhere). The authors argue POPIA implies a context-specific approach, citing section 15(3)(e) allowing publication of de-identified data while retaining identifiable originals. (2) Lack of a clear pathway for repurposing research data for commercial use, despite POPIA’s further processing provisions (sections 15(2), 15(3)); a structured assessment pathway is recommended. (3) Open science and open access genomics databases—CCR mischaracterizes “open access” by allowing restrictions (e.g., paywalls, DACs) and provides no guidance for constructing truly open access genomics databases; alignment with the draft National Open Science Policy and practical guidance is urged. New problematic proposal: A special exception for genetic data in Annexure A (1.5) treats unlinked genetic data as non-personal information. The authors argue this is legally unsustainable under POPIA because personal information includes biometrics, which encompass DNA analysis; POPIA’s de-identification test turns on reasonably foreseeable methods of re-identification, not probability. They recommend striking this exception to avoid legal invalidity and risks to researchers.

The analysis demonstrates that the proposed CCR significantly improves compliance clarity for researchers but still omits critical guidance affecting daily research practice and legal risk. Clarifying identifiability as context-specific would align with POPIA’s structure and enable lawful sharing of pseudonymised datasets to collaborators without overextending POPIA’s scope to holders lacking re-identification means. Establishing a defined pathway for commercial repurposing of research data would harmonize POPIA’s further processing rules with national policies promoting research commercialization, offering case-by-case assessment criteria and transparency. Aligning the CCR’s definition of open access with national open science policy and providing implementation guidance for open access genomics databases would translate policy commitments into practice while safeguarding participants through informed consent, comprehension assessments, downloader registration, and use declarations. Finally, removing the proposed genetic data exception is necessary to maintain consistency with POPIA’s inclusion of DNA analysis within biometrics; retaining it would undermine data subject rights, create regulatory confusion, and expose researchers and institutions to litigation. Overall, the findings support targeted revisions to ensure the CCR provides legally sound, practical guidance for South African research and international collaboration.

The proposed CCR makes substantial strides by correcting earlier drafts: confirming specific consent, clarifying special personal information as a subclass requiring additional authorization, recognizing researchers as responsible parties, aligning terminology with POPIA, and localizing adequacy determinations for cross-border transfers. However, key gaps persist: the CCR should adopt a context-specific identifiability standard with practical examples; create a clear pathway for repurposing research data for commercial use; and align with open science by properly defining open access and offering guidelines to establish truly open access genomics databases. The newly introduced exception treating unlinked genetic data as non-personal conflicts with POPIA and should be removed prior to approval. Addressing these issues would enhance legal certainty, protect data subjects, and facilitate responsible research and data sharing in South Africa.

The article is a doctrinal legal analysis without empirical data. It notes the absence of South African case law directly addressing identifiability in pseudonymised data, which limits definitive interpretation and necessitates reliance on statutory analysis and comparative references. Conclusions are specific to the South African legal context under POPIA and may not generalize to other jurisdictions.