Answered By: Thomas King
Last Updated: Nov 29, 2018

The Protection of Personal Information (POPI) Act is similar to the European General Data Protection Regulation (GDPR) in that it aims to protect the personal information of South African citizens through improved data management processes and systems. In a research context, compliance with POPI can be divided into research data management practices and research data publishing.

Data curation
Data incorporating personal identifiers should not be stored on insecure platforms, either offline (personal or external hard drives, paper files) or online (cloud-based platforms). In the case of offline storage, storage media should be access-controlled, whether by password access, file encryption, or physical barriers (locked storage rooms), and where possible by a combination of these access-control mechanisms. In the case of online/cloud-based storage, data containing personal identifiers should not be stored on insecure cloud platforms; use a secure service instead, such as the UCT G-Drive. An alternative could be to use cloud storage only for datasets which have been de-identified, retaining the original datasets with disclosive information solely on access-protected offline media.

Data publication/sharing
As data publication requires the data to have been de-identified before publication, open data publishing directly complies with POPI, as personal identifiers should never be shared in open data. POPI compliance in open data publishing is therefore mostly a matter of preparing the data with adequate de-identification techniques so that no personal identifiers remain in the final shared data.