Does data protection law in South Africa apply to pseudonymised data?

Abstract

The use of pseudonymised datasets is increasingly commonplace as research institutions seek to balance data utility with data security. Yet, a crucial question arises: How does South Africa’s Protection of Personal Information Act (POPIA) govern these datasets, especially given their ambiguous state between de-identification and possible re-identification? A thorough examination of POPIA suggests that the determination of whether a pseudonymised dataset is personal information—and thus whether processing the dataset falls within POPIA’s purview—must be informed by the specific context of the responsible party in possession of the pseudonymised dataset. When a research institution retains both the pseudonymised dataset and its linking dataset, the pseudonymised dataset remains identifiable and is thus personal information that falls within POPIA’s purview. However, when only the pseudonymised dataset—without the linking dataset—is transferred to another entity, it is non-personal information in the hands of such a recipient, thus freeing the recipient from POPIA compliance. Such a delineation offers research institutions greater flexibility in sharing and using pseudonymised datasets. Importantly, because the original provider of the pseudonymised dataset (who has the means to re-identify the dataset) remains governed by POPIA, the privacy rights of data subjects are not undermined.