With the enactment of the Protection of Personal Information Act 4 of 2013 ("POPIA"), a fundamental question is posed for medical institutions and medical research facilities in South Africa – does a human's biological specimen fall within the scope and ambit of POPIA which requires such institutions and facilities to process such specimens in accordance with the principles of POPIA?
A human biological specimen is any material derived from a human such as blood, urine, tissues, organs, saliva, DNA/RNA, hair, nail clippings, or any other cells or fluids - whether collected for research purposes or as residual specimens from diagnostic, therapeutic, or surgical procedures. Given the nature of healthcare services that many healthcare institutions run, the processing of human biological specimens occurs on a daily basis.
The key to determining whether human biological specimens fall within the application of POPIA is to apply the test of application contained in section 3(1) of POPIA. Section 3(1) provides that POPIA applies to the processing of personal information that is entered in a record by or for a responsible party domiciled in South Africa.
If we are to now apply this test, the following conclusions can be drawn:
- processing means any operation or activity concerning personal information, and includes inter alia the collection, receipt, recording, collation, storage, alteration, use, dissemination, distribution, erasure, or destruction of such personal information. Therefore, any removal, storage and possession of human biological specimens would constitute processing in terms of POPIA.
- personal information is given a wide definition which relates to an identifiable, living natural person and includes information relating to a person's physical or mental health, well-being, as well as biometric information. POPIA defines biometrics as a technique of personal identification that is based inter alia on DNA analysis. Therefore, personal information would only apply to a living natural person who can be identified and would include his or her blood type or DNA. POPIA would not apply to a deceased person.
- entered in a record means, regardless of its form or medium, any recorded information, including in writing, on a computer, software, device, label, or book. Therefore, in order for personal information to find application in terms of POPIA, it must be recorded or entered into a record.
- domiciled in South Africa would simply mean that the responsible party is conducting the processing activity in respect of personal information within South Africa.
It must be made clear that POPIA does not apply to the physical biological specimen itself (i.e. the blood sample, organ, or tissue in isolation), as the personal information is only contained within the specimen. The specimen may indeed contain blood type information or DNA genetic information about a person, but it is only when such information is tested/analysed and entered in a record by or for a responsible party that the application of POPIA is triggered (if it is linked to an identifiable living natural person). Of course, the name and identity number of the person to whom the specimen relates is in itself personal information and within the realm of POPIA.
Now that we have identified that human biological specimens do find application in terms of POPIA in the circumstances delineated above, the question then turns to what steps medical institutions and medical research facilities that process this personal information on a daily basis must take in order to comply with POPIA. This question will be evaluated in Part 2 of this article series.