Seven essential instruments for POPIA compliance in research involving children and adolescents in South Africa

PUBLISHED: 29 September 2021 Compliance with South Africa’s Protection of Personal Information Act (POPIA) is a foremost governance challenge for research involving high-risk and vulnerable groups such as children and adolescents. It remains unclear what constitutes adequate safeguards to protect the personal information of the child under this new law. To meaningfully adhere to the principal aims of POPIA, researchers must understand and address the implications of this legislation on research governance practices. Navigating the additional POPIA compliance requirements within established research projects additionally raises questions about how research can use POPIA to build on existing research governance mechanisms without extreme additional burden on research teams.

We invite readers to explore a series of best practices in safeguarding the personal information of children, adolescents, and young people (0-24 years old) -a key age group that represents nearly half of South Africa's population in 2021. We will discuss possible actions which can be taken to ensure POPIA effectively builds on existing data protection mechanisms for research projects at all stages of the research cycle. These actions promote compliance to POPIA throughout the data life cycle. Our objective is to stimulate a broader conversation on how to improve the protection of children's and adolescents' sensitive personal information in South Africa and inform considerations that need to be addressed by the POPIA Research Code of Conduct.
We join the POPIA discussion as a research group generating evidence that influences social and health policy and programming for young people in sub-Saharan Africa. Our contribution draws on our work adhering to multiple transnational governance frameworks imposed by national legislation such as data protection regulations, funders, and academic institutions. This has involved the use of several research governance mechanisms. In this Commentary, we summarise seven essential instruments to assist research projects involving children and adolescents to achieve POPIA compliance.

POPIA and research with children and adolescents
Since July 2021, researchers have been mandated to comply with South Africa's newly ratified Protection of Personal Information Act (POPIA), No. 4 of 2013. This Act has implications for all research involving vulnerable populations such as children and adolescents. Compliance mechanisms must be adapted to secure children's and adolescent's rights to privacy while balancing other rights and interests such as participating in research of public interest. Under POPIA, the ban on processing personal information relating to a child has research-specific exceptions that clarify the terms under which children's data can be processed. This is stated in Section 35 alongside regulations on prior consent of a competent person for data collection, with specific provisions in Section 11. Nevertheless, the scientific community is uncertain about which specific mechanisms to implement towards POPIA compliance within their research projects and what concrete changes are needed to research governance structures and processes. POPIA triggers additional complexity for transnational research collaborations requiring a reconciliation with other data protection regulations such as the European Union's General Data Protection Regulation (GDPR). POPIA mentions that 'appropriate' and 'adequate' safeguards should be implemented to protect the personal information of minors. It remains unclear what constitutes appropriate and adequate for protecting the personal information of children, adolescents and young people (0-24 years old) 1 who represent nearly half of the South African population 2 .
As researchers, it is our ethical obligation to safeguard the rights and interests of research participants. We must also comply with national legislation, regulations and Codes of Conduct imposed by governments, research institutions, and funders. The roll-out of POPIA has created an opportunity to implement improved safeguards for the secure processing of personal information in our research. We have been adjusting our research governance, ethics, and data management processes to meet regulatory frameworks across multiple countries, research institutions, and studies. This has resulted in the development and use of seven essential instruments that are aligned with our vision to generate rigorous evidence for the public interest.
Stimulated by recent discussions initiated by the Academy of Science of South Africa (ASSAf) and the development of the POPIA Code of Conduct for Research 3 , we propose instruments to support POPIA compliance in the context of research with children and adolescents. Our objective is to: (1) share our research group's experience in safeguarding the protection of children and adolescent's personal information; (2) outline the seven essential instruments employed by our team to comply with POPIA and GDPR ( Figure 1); and (3) stimulate a discussion on how to improve the protection of sensitive personal information within research contexts in South Africa.
The following research governance and data management instruments were constructed in the context of our research consortium primarily located in South Africa and the UK. Not limited to, but primarily focusing on data collected in South Africa, our vision is to generate scientifically rigorous evidence to influence policy and programmes to support children and adolescents to reach their full potential. Supported by various funders, we work in close collaboration with policy and programming stakeholders such as UNICEF, WHO, UNDP, the South African and other African governments. These instruments were constructed to safeguard personal information in longitudinal social science studies and randomised trials, including a large cohort of adolescents living with HIV, a cohort of adolescent mothers and their children, and several studies of parenting programmes in low-and middle-income countries.

Instrument 1: Enhanced ethical approval from research ethics committees
Ethical responsibility to our research participants is our foremost concern. Nevertheless, ethical clearance processes from existing research ethics committees may no longer be sufficient in the era of increased digitalisation. Research ethics committees are demanding increasingly detailed information about the handling of personal information and in some cases will make favourable ethical approvals contingent on the opinion of an information regulator such as an institution's information officer, who may or may not be involved in research ethics committees directly. Acquiring clearance for processing personal information from recognised authorities should be regarded as equally important (in terms of timelines, resourcing, and compliance) to acquiring ethical clearance from existing research ethics committees. Each must be held in continuous review and monitored simultaneously.
Section 34 of POPIA prohibits the processing of personal information of minors unless provisions of Section 35 are applicable. To meet these special provisions, ethical approvals from institutional review boards are key to confirming whether the research and processing of personal information are appropriate and for the public interest. Some ethical parameters may be set out in research ethics applications enabling researchers to ensure personal information provided by data subjects is protected in accordance with principles of ethical research and protection of personal information. Our ethical and methodological procedures are informed by over 12 years of fieldwork experience in multiple South African provinces 4 and other studies working with vulnerable populations in comparable contexts 5,6 , and are summarised below: 1. Obtain ethical clearance from suitable research ethics committees.
2. Obtain consent of each individual involved at each stage of data collection.
a. Consent must be provided by a competent person where data subject is a minor, followed by participant assent.
b. Consent forms must clearly identify institutions and lead investigators responsible for data management: cleaning, analyses and sharing.
3. Maintain data subject's confidentiality in line with consent form.
4. De-identify data sets at earliest opportunity and minimise the risk of re-identification.

5.
Limit access to personally identifiable information on a 'need-toknow' basis.
6. Appropriate retention of personal information records for historical, statistical, and research purposes with sufficient safeguards against the records being used for unauthorised purposes.
7. Responsible parties should take measures to ensure that personal information is always secure throughout data collection, processing, migration, storage, sharing, archiving, and dissemination.
8. Mechanism for personal information to be withdrawn at request by the data subject and competent person.
9. Data subjects are interviewed by trained interviewers in private locations to maximise confidentiality.

Instrument 2: Informed consent for use of personal information and voluntary participation
The process of obtaining informed and voluntary consent from research participants is central to conducting ethical research. 7 In basic terms, it aims to ensure individuals are adequately informed about the risks and benefits prior to providing voluntary consent for participation. In the context of research with children and adolescents under the age of 18, consent is also a process of dialogue with caregivers in respect DMP, data management plan; PIIA, personal information impact assessment of their child's rights. With the roll-out of data protection regulations, researchers should also use this process to inform children and their caregivers about their rights regarding their personal information and privacy. 8 This renders the informed consent process a fundamental instrument for enabling data subjects to be informed about the risks and benefits of providing personal information prior to providing voluntary consent.
When working with vulnerable groups, such as children and adolescents, power relations and additional considerations should be accounted for. Informed consent, and assent in the case of those under 18, should be obtained from data subjects and a competent person prior to data collection. When approaching caregivers whose children might be eligible for a study, it must be clear that they are a competent person who can allow their child's personal information to be processed by a data operator and responsible party. Data collectors must be cognisant about the inherent power discrepancy at play throughout the data life cycle. This is particularly important in South Africa, where adolescents and caregivers may have low literacy rates. 9 To mitigate the effect of low literacy rates, information sheets and consent forms should be constructed using accessible language. Both documents should always be read aloud to the data subjects and competent person in their chosen language. Ample opportunities should be offered for the data subject and competent person to ask questions and decide about participation. Continuous consent should be obtained by requesting consent prior to each research activity and phase. If a participant withdraws consent or requests for their data to be withdrawn, the data operator should regain consent for the processing of any personal information that was previously collected.
POPIA places emphasis on the 'specific' expression of informed consent by the data subjects. Researchers should ensure that data subjects are informed about: (1) which data protection regulations govern the handling of personal information in the research, (2) the nature of data that will be collected, (3) how it will be processed, (4) where it will be stored, (5) what security measures will be in place to protect the data, (5) who will have access to personal information, (6) how long their data will be retained, and (7) how a data subject may request for their data to be updated or removed. Particularly in longitudinal studies, researchers should ensure explicit permission from data subjects is obtained to contact them in the future.

Instrument 3: Capacity building and knowledge cocreation
POPIA triggers the need for capacity sharing spaces for researchers and potentially research participants. Such spaces empower individuals to learn about their rights and equip researchers to obtain essential research skills. It also facilitates opportunities to enter discussions with POPIA experts about the implications on research. Several opportunities were mechanised in our team to simultaneously build understanding about the provisions of POPIA while moving towards compliance throughout the studies within our research group.
First, an internal forum with experts was established to provide capacitybuilding for our team. These focused on topics such as: special categories of data, specific provisions for research, data sharing, and demonstrating POPIA compliance to research ethics committees and information regulators. These training sessions were instrumental to enhance understanding of the Act and its implications on research and stimulated an internal POPIA-informed audit in our research governance documents and protocols.
Second, to assess what adaptations each study should implement to ensure POPIA compliance, a research governance team was established within our research group. Study leads of each study completed risk assessments in their data management plans for the research governance team to identify the type and format of personal information collected within each study, including high-risk information. 3 Finally, the research governance team proceeded to identify training needs of data operators and data collectors. The team implemented several data security enhancement processes such as direct uploading of data onto protected servers using end-to-end encryption instead of password-protected laptops. However, being POPIA compliant during remote data collection -due to COVID-19 safety requirements -requires reflections on: (1) how researchers provide participants with a copy of the informed consent forms when working in resource-limited settings, (2) how to maintain and track the process of consent (verbally, text messages and voice recordings) for each phase of data collection, including when providing referrals, and (3) ensuring participants have contact details for the research team, ethics committees and responsible parties. Importantly, it is critical to reflect how one can ensure confidentiality of sharing informed consent forms given the high rates of sharing of mobile devices in South African homes. 10 Compliance requires strengthening existing consent processes when sharing a copy of the informed consent forms via mobile text, deciding on safe mechanisms to share consent audio recordings with the participant without breaching their privacy and confidentiality. These considerations introduce additional administrative tasks for data collectors who need ongoing support in transition to meeting POPIA's requirements.

Instrument 4: Data management plan
To ensure each study within the research consortium has ownership of their data management practices, each study maintains: (1) a data management plan and (2) personal information impact assessments. This ensures that each document is tailored to the unique requirements of each study within the research group. The development of a data management plan assists study teams to make decisions about how research data will be handled throughout the data life cycle (i.e. collection, processing, analysing, preserving, sharing, and archiving). Carefully planning and agreeing on how data will be managed at the outset, and keeping this in review, minimises data protection risks and enhances the public benefit of research. This document should be brief to promote its use and adherence and cover at least four key elements (Table 1). Data management plans should be treated as living documents, to be maintained throughout the data life cycle, triggered by key research cycle events: (1) when substantive changes in data needs arise, (2) at scheduled timepoints, and/or (3) at key study stages. Table 1: Four key elements of a data management plan Element Indicative questions

Data collection and description
Will you produce original data and/or use existing data? Where and how will you get your data? What types and format of data will you collect and how will you describe them?

Data curation and storage
Where will you store your data? How will you organise and name your data files? How large are your data?

Data security
What provisions for secure storage and transfer of sensitive data are in place? Are the data safely stored in repositories for long-term preservation?
4. Data sharing and reuse How and where will you share your data during and after the study? What are your plans for long-term data sharing and preservation?

Instrument 5: Personal information impact assessment
Conducting a personal information impact assessment (PIIA) is an instrumental process for evaluating compliance with POPIA when processing special category data. Unlike GDPR, POPIA does not contain equivalent provisions for data protection impact assessments. However, POPIA does outline that an information officer may conduct a PIIA to evaluate whether adequate measures are enacted to comply with POPIA. Given that our research involves a vulnerable population, each study maintains both a data protection impact assessment and PIIA to ensure that safe and lawful processing of personal information are embedded in each study by design. Importantly, this enables researchers to demonstrate and ascertain effective compliance with each regulation. It is advised that emphasis be placed on the rights and interests of the data subjects whose personal information is being processed when completing these assessments. PIIAs call on the responsible party to consider the necessity and proportionality for processing personal information. It also includes a risk assessment detailing the potential risks to data subjects, so the effectiveness of risk mitigation measures can be reviewed. Each study also has a personal data workflow which captures and presents the flow of all personal information throughout the life cycle of the project ( Figure 2). As with data protection impact assessments, this assessment should then be reviewed by a relevant authority. In tandem with the data management plan, PIIAs should be maintained as living documents.

Instrument 6: Collaboration and data sharing agreements
Successful research collaborations are built on mutual respect, cooperation, trust, and communication. Nevertheless, a collaboration and data sharing agreement between collaborating research partners may be useful to clarify terms of (co-)ownership and (joint) responsibility for research data. Throughout years, our research group has maintained such an agreement to facilitate transparency and fairness for treatment of data, to ensure compliance with legal and ethical obligations and to ensure that parties take appropriate technical and organisational measures to protect the security and confidentiality of data.
This agreement has evolved to also clarify roles and responsibilities for processing personal information under POPIA and GDPR. POPIA stipulates that South African research institutions may only transfer personal information if the 'third party' is subject to a 'law, binding corporate rules or binding agreement' (Section 71 (1)(a)) which provide an adequate level of protection for the handling of the personal information. In the context of our research projects, this agreement outlines the parameters through which data from children, adolescents, and young people can be shared between the collaborating institutions and which legislations govern this. Therefore, this agreement demonstrates that South African research data may be transferred to a third party governed by GDPR, which provides an appropriate level of protection for the personal information of data subjects. It is important to signal a few important elements in this instrument. First, it is set up as a contractual document among all relevant parties, therefore institutional representatives need to be involved. It is important that the agreement clarifies names of entities and differentiates between the research collaboration and individual studies. For example, the agreement may include a 'memorandum of understanding' template which individual studies may use to enter a collaboration with NGOs for research. Additional addenda may be included in reference to processes unique to individual studies governed the agreement. Additionally, a 'data use undertaking' template may be included to ensure that both parties use consistent terms for sharing data with external data users.

Instrument 7: Data collection, processing, and storage
POPIA highlights the importance of implementing secure measures to protect personal information throughout data collection, processing, and storage. To do this effectively, this must be adequately resourced and budgeted for, and additional support may be required from services within research institutions and technical experts.
During restrictions imposed by the COVID-19 pandemic, researchers have transitioned from face-to-face to remote data collection, enhancing the digitalisation of data collection processes. This demands the implementation of proportionate security measures, and our team uses reliable open-sourced data collection platforms such as REDCap and Open Data Kit. Both have sufficient technical capabilities and functionalities for data collection processes with end-to-end encryption technologies. Research institutions may have their own processes for evaluating the level of security of third-party services, devices, and tools, reducing demand on research teams to resource this expertise internally. Both the security and information protection compliance should be assessed before use. Low-tech techniques (e.g. concealing sensitive information by using unique identifiers or pseudonyms) may also be used to ensure security of personal data. Electronic data captured should be submitted to servers daily, and data should be encrypted between the data collection device and the data servers. Finally, specific protocols may be developed to support POPIA compliant governance of data collection, processing, and storage, defining procedures and parameters for: (1) data retention, (2) data de-identification, and (3) management of access credentials to enable responsible parties to establish common and compliant standards. This data management work needs to be well resourced, as it incorporates additional layers of research governance required by POPIA and data protection regulations beyond South Africa.

Conclusion
POPIA presents an opportunity for researchers to further safeguard the rights and interests of research participants. Although POPIA must be read and applied alongside other relevant legislation for research 11 , we advocate that researchers consider adjusted instruments to protect the personal information of children and adolescents that are consistently applied to all research projects. The seven instruments outlined here should be taken as complementary and adaptive and are a response to the risks brought by the increased datafication in research. Despite challenges faced by their implementation, including the increased resource needs, we share them as examples of positive practices, to densify the 'Discussions on POPIA' series, and to achieve the wider goal of safeguarding children's and adolescents' personal information in research.