Protection of Personal Information Act 2013 and data protection for health research in South Africa

Key Points The Protection of Personal Information Act (POPIA) [No.4 of 2013] is the first comprehensive data protection regulation to be passed in South Africa and it gives effect to the right to informational privacy derived from the constitutional right to privacy It is due to come into force in 2020, and seeks to regulate the processing of personal information in South Africa, regulate the flow of personal information across South Africas borders, and ensure that any limitations on the right to privacy are justified and aimed at protecting other important rights and interests. Although it was not drafted with health research in mind, POPIA will have an impact on the sharing of health data for research, in particular biorepositories. It is now timely to consider the impact of POPIA on biorepositories, and the necessary changes to their access and sharing arrangements prior to POPIA coming into force.