| Protection of Personal Information Act No. 4 of 2013 (POPIA) |
The POPI Act is intended to promote the right to privacy as stipulated in the Constitution, while at the same time protecting the flow of information and advancing the right of access to and protection of information. It regulates the processing of personal information in South Africa. Personal information is a sub-right of the right to privacy, found in s14 of the South African Constitution:
Privacy: 14. Everyone has the right to privacy, which includes the right not to have:
(a) their person or home searched,
(b) their property searched,
(c) their possessions seized; or
(d) the privacy of their communications infringed.
Privacy is not an absolute right and may be subject to justifiable limitations.
The POPI Act establishes the rights and duties that are designed to safeguard personal information. In terms of the POPI Act, the legitimate needs of the HSRC to collect and use personal information to execute its mandate are balanced against the right of individuals to have their privacy, in the form of their personal information, respected.
Read more here
Watch a short video on POPIA in SA
| Protecting personally identifying information |
Personal information refers to a record of any kind containing information that can (though a reasonably foreseeable Method) be used to identify an individual. It is information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to name/ID No., race/gender/sexual orientation, pregnancy, marital status, physical/mental health, age, national/ethnic/social origin, disability, religion/beliefs/culture, language, email address/contact numbers, location/physical address, education/medical/financial/criminal or employment history, photos/video footage/voice recordings/biometrics, personal opinion/view/preferences.
POPIA applies to processing of personal information by public and private entities domiciled in South Africa or where information processing (whether automatic or not) takes place within South Africa.
POPIA does not apply for the processing of personal information that has been de-identified: such information must be in a state that it can no longer be re-identified. It also does not apply to the processing of information processed for purely household use.
De-identified information is information which cannot be linked, through any foreseeable method to an individual. De-identify information, in relation to personal information of a Data Subject, means to delete any information that - identifies the Data Subject; can be used or manipulated by a reasonably foreseeable method to identify the data subject; or can be linked by a reasonably foreseeable method to other information that identifies the data subject, and ‘deidentified’ has a corresponding meaning.
| Data Anonymisation |
Variables in a data set can directly or indirectly refer to personal and institutional information that will compromise confidentiality. Anonymisation refers to various methods that can be used to ensure that individual respondents can’t be identified, e.g., deleting variables, categorising/recoding variables to express the content in more general terms, removing relationships between variables or summarising/aggregating variables.
| Management of records (Consent forms, paper questionnaires) |
Records management is the supervision and administration of digital or paper records, regardless of format. The goal of records management is to help an organisation keep the necessary documentation accessible for both business operations and compliance audits. Records management is a process of ensuring the proper creation, maintenance, use and disposal of records to achieve efficient, transparent, and accountable governance. Sound records management implies that records are managed in terms of an organisational records management programme governed by an organisational records management policy.
Documentation may exist in contracts, memos, paper files, electronic files, reports, emails, videos, instant message logs or database records. Before data can be curated, there must be documented proof of consented participation of data subjects (i.e., mandatory documents such as email contract(s) and consent forms). Consent forms are documents where research participants must provide their consent for their data to be shared, sharing the data without receiving consent could have litigation implications.
There must be contracts and proof of permission granted for HSRC to preserve and share the data (if the HSRC does not own the copyright to the data). This is very important because without a permission letter, we cannot share the data. The minimum requirement is that HSRC researchers who are not part of the initial project team may re-use the data after project completion. This must be articulated in the contracts with the funders and collaborators.
Paper records may be stored in physical boxes on-premises or at a storage facility. Digital records may be stored on storage media in-house (T-drive, Knowledge Tree, RMS) or in the cloud. This include any document that will enhance the understanding and facilitate the use of the data, e.g. data collection instruments and reports.
Read more of Records Management here
