To share or not share your data? Balancing the shift to openly share your data while considering the ethical and practical issues
3 December, 2019 | Ciara Staunton
Data sharing is important for genomic research in Africa. However, the lack of data protection has created tension between the push to openly share human research data and the legal, ethical, social and technical challenges of doing so. Earlier this year, a two-day workshop was held for experts from a wealth of backgrounds to discuss the challenges in how to govern data sharing. Ciara Staunton, first author of an Open Letter, now summarises the key challenges identified at the workshop.
There has been considerable investment and development in genomic research and biobanking in Africa in recent years. A key part of this research is the collection, storage and sharing of biological samples and health-related data. The sharing of data can optimise the use of the data, promote new research on existing data sets and encourage innovation.
Despite this push towards open science, the ethical debate on the use of broad consent in Africa is ongoing, as well as the privacy protections that must be in place for research participants. While these conversations are ongoing, many jurisdictions across the world have begun to strengthen their data protection regulations. These regulations seek to safeguard the rights of data subjects while encouraging the sharing of the data, so there is now tension between open science on the one hand and the privacy concerns of data subjects on the other.
While these regulations are to be welcomed in improving the rights of data subjects, they are general legal frameworks that seek to govern the use of all types of personal information. They thus regulate at a high level and lack sector-specific guidance. Despite this, they will have a considerable impact on the sharing of health data for research. South Africa (SA) is one country that has sought to regulate the protection of personal information through the Protection of Personal Information Act (POPIA) No 4 of 2013.
Due to come into force in 2020, it will strengthen the protection of personal information in SA, but it will also have considerable impact on the sharing of personal information, both within South Africa and across South Africa’s borders. It was increasingly obvious that the impact of POPIA was a concern for researchers in SA and there was a need to consider the impact of POPIA on the sharing of health data.
To identify and discuss challenges and opportunities in the governance of data sharing for genomic and health research data in SA, a two-day meeting was convened in February 2019 in Cape Town, SA. Over 30 participants with expertise in law, ethics, genomics and biobanking science were drawn from academia, industry, and government, primarily from SA and also from the continent more broadly.
The workshop discussed a number of significant challenges relating to the governance of data sharing of genomic and human research data in SA, and Africa more broadly, and identified a number of actionable next steps.
Regarding the challenges, first the ongoing ethical debate on the use of governance of broad consent was discussed but it was noted that broad consent is currently being used for many genomic studies in Africa. Any use of broad consent must be done in conjunction with community engagement. The workshop also heard that the legal status of broad consent under POPIA is unclear, but many of those present were of the opinion that a purposive interpretation of POPIA would permit the use of broad consent.
Second, participants discussed the challenges facing institutions in complying with the new provisions under POPIA. Major concerns related to the lack of adequate training for researchers on these issues, as well as the lack of clear guidelines from government regarding the specific regulatory requirements of managing health-related data, and the lack of management structures for the use of personal information.
Third, there was considerable concern expressed about the capacity of research ethics committees (RECs) as currently constituted to review such research protocols. Fourth, resource constraints were identified as a cross-cutting issue that could impact upon compliance, the capacity of RECs as well as the functioning of the Office of the Information Regulator.
Fifth, it was clear that any discussions on this topic must include the private sector and a key concern for industry relates to the ownership of data. So, the importance of compliance with the GDPR if researchers in SA want to access EU funding was discussed, but the requirements of the GDPR do differ from POPIA.
The workshop identified key steps necessary to address some of these challenges. It was clear that there is a need for a Code of Conduct on the use of health data for research under POPIA. It was felt that a national policy on data access should be developed in conjunction with the Department of Science and Technology (DST) and built into the Department of Health’s ethics guidelines. Policy toolkits on POPIA and the GDPR were called for to guide researchers in navigating their roles and responsibilities.
As a first step in addressing some of these issues, many of the participants developed a Position Paper arguing that a purposive interpretation of POPIA permits the use of broad consent. The work of this group is continuing, and they are engaging with the development of policy related to POPIA in South Africa.