Does POPIA regulate DNA processing?
How medical institutions and research facilities should treat human biological specimens in light of POPIA: Part 1
With the enactment of the Protection of Personal Information Act 4 of 2013 (“POPIA”), a fundamental question is posed for medical institutions and medical research facilities in South Africa – does a human’s biological specimen fall within the scope and ambit of POPIA which requires such institutions and facilities to process such specimens in accordance with the principles of POPIA?
A human biological specimen is any material derived from a human such as blood, urine, tissues, organs, saliva, DNA/RNA, hair, nail clippings, or any other cells or fluids - whether collected for research purposes or as residual specimens from diagnostic, therapeutic, or surgical procedures. Given the nature of healthcare services that many healthcare institutions run, the processing of human biological specimens occurs on a daily basis.
The ultimate question to unlocking whether human biological specimens fall within the application of POPIA is to apply the test of application of POPIA contained in section 3(1) of POPIA. Section 3(1) provides that POPIA applies to the processing of personal information that is entered in a record by, or for a responsible party domiciled in South Africa.
If we are to now apply this test, the following conclusions can be drawn:
- processing means any operation or activity concerning personal information, and includes inter alia the collection, receipt, recording, collation, storage, alteration, use, dissemination, distribution, erasure, or destruction of such personal information. Therefore, any removal, storage and possession of human biological specimens would constitute processing in terms of POPIA.
- personal information is given a wide definition which relates to an identifiable, living natural person and includes information relating to a person's physical or mental health well-being, as well as biometric information. POPIA defines biometrics as a technique of personal identification that is based inter alia on DNA analysis. Therefore, personal information would only apply to a living natural person who can be identified and would include his or her blood type or DNA. POPIA would not apply to a deceased person.
- entered in a record means, regardless of its form or medium, any recorded information, including in writing, on a computer, software, device, label, or book. Therefore, in order for personal information to find application in terms of POPIA, it must be recorded or entered into a record.
- domiciled in South Africa would simply mean that the responsible party is conducting the processing activity in respect to personal information within South Africa.
It must be made clear that POPIA does not apply to the physical biological specimen itself (i.e. the blood sample, organ, or tissue in isolation) as such personal information is only contained within the specimen. The specimen may indeed contain blood type information or DNA genetic information about a person, but it is only when such information is tested/analysed and entered in a record by or for a responsible party does it trigger the application of POPIA (if it is linked to an identifiable living natural person). Of course, the name and identity number of the person to which the specimen relates is in itself personal information and within the realm of POPIA.
Now that we have identified above that human biological specimens do find application in terms of POPIA in circumstances as delineated above, the question then turns to what steps medical institutions and medical research facilities who process this personal information on a daily basis have to do in order to comply with POPIA. This question will be evaluated in Part 2 of this article series.
See part 2 here.Contact Marco to discuss Data Privacy matters