LibGuides: Digital Scholarship Centre: POPIA for researchers

About POPIA in higher education

Section 60 of the POPIA allows an industry to issue a Code of Conduct which must apply the principles of the POPIA to that industry. Such a Code for public universities was commissioned by USAf in 2018. The decision was motivated by the desire to:

optimise how personal information is used in the Higher Education Industry (HEI),
increase the level of the protection of privacy and level of compliance,
ensure uniform and industry-appropriate implementation of the POPIA, and
to align the IR and the HEI’s approach to information governance.

Read the full POPIA Industry Code of Conduct: Public Universities. Or use USAf's POPIA cheat sheet:

POPIA cheat sheet
POPIA Code of Conduct for Research On 1 July 2021, the Protection of Personal Information Act (POPIA or the Act), No. 4 of 2013, will come into effect. The Act will have implications for all research activities that involve the collection, processing, and storage of personal information. POPIA provides for the development of Codes of Conduct to guide the interpretation of the Act with respect to a particular sector or class of information. Codes of Conduct are particularly important for providing for prior authorisations in terms of Section 57 of POPIA for the sector to which it applies. Prior authorisations are required for using unique identifiers of personal information in data processing activities, and for sharing special personal information or the personal information of children with countries outside of South Africa that do not have adequate data protection laws. In order to understand and functionally interpret the provisions of POPIA for the research community in the Republic of South Africa (South Africa), the Academy of Science of South Africa (ASSAf) is leading a process to develop a Code of Conduct (Code) for research under the Act. A Code can be developed by the Information Regulator or by a public or private body deemed ‘sufficiently representative’ of the bodies in respect of the particular class of information or sector to which the Code will apply. During 2020, ASSAf was approached by scientists in South Africa to consider the development of a Code for research, and public events were held during Open Access Week in October 2020, and Science Forum South Africa in December 2020, to further discuss the role of ASSAf in this regard. A Commentary published in this issue sets out the full rationale for the development of the Code by ASSAf and details the consultation process to date. Within the research setting, POPIA regulates the processing of personal information for research purposes, and the flow of data across South Africa’s borders to ensure that any limitations on the right to privacy are justified and aimed at protecting other important rights and interests. The new regulatory system that POPIA establishes will function alongside other legislation and regulatory structures governing research in South Africa, as outlined below. The law which takes precedent will be that which provides the most comprehensive protections to the rights of individuals in South Africa. This paper sets out the key discussion points in relation to the development of the Code. It is intended as a paper that can support further stakeholder consultation and public engagement in the process of developing a Code which meets the needs, and is representative of, the South African research community.
Seven essential instruments for POPIA compliance in research involving children and adolescents in South Africa
Hertzog, L., Wittesaele, C., Titus, R., Chen, J. J., Kelly, J., Langwenya, N., Baerecke, L., & Toska, E. (2021). Seven essential instruments for POPIA compliance in research involving children and adolescents in South Africa. South African Journal of Science, 117(9/10). https://doi.org/10.17159/sajs.2021/12290

POPIA for researchers

The Protection of Personal Information Act of 2018 (POPIA) applies to research activities that involve identifiable personal information of individuals or organisations. Considering the impact that research has on participants' right to privacy is not just a POPIA obligation, it is also an integral part of research ethics.

Universities South Africa (USAf)

USAf created a POPIA Industry Code of Conduct: Public Universities, including infographics to make it easier for researchers to understand and comply with the act. The following information is based on their infographic POPIA for researchers, published February 2021.

De-identify when you can	De-identification is when you store the personal information of research participants in an unidentifiable format. Here are some alternatives to identifying research participants:
	Collect anonymous research data If your project does not require that you know the identity of the research participants, don't collect information that identifies them.	De-identify the information as soon as you can Sometimes, you may need to know who the research participants are initially, but not for the duration of the project. If you permanently de-identify information, POPIA doesn't apply.	Mask the identity of the research participants (pseudonymisation) You could also mask the research participants' identity by using pseudonyms. POPIA will still apply, but this is a great way to make the information secure.
Collect as little as possible	Make sure that the personal information you collect is relevant to your project. Ask yourself: Why are you collecting personal information? How are you planning to use it? Can you achieve your goals without having to collect personal information?
Be transparent	Ensure that research participants are well informed about the purpose of the research and how you are using their personal information. Make sure that your fellow researchers are aware of the privacy risks for the research participants and the steps they must take to mitigate those risks. Document the steps in your research data management plans in a verifiable and transparent way and make sure that everybody understands their roles.
Keep information safe	Always safeguard your research data against unauthorised access, use, loss, or destruction. For example: Use a secure environment for storing and sharing files. Make sure that you follow your university's policies and procedures for storing and retaining research data. Encrypt sensitive research data. Make sure you have secure back-ups. Restrict access to identifiable personal information to people on a 'need-to-know- basis. figshare enables you to keep your information safe.
Ask for help	Contact us if you have queries about your responsibilities. We can connect you with Directorate: Research Development for further support.