IBM Clinical Development Blog

South Africa's POPI Act: What Does it Mean for Clinical Research?

[fa icon="calendar"] Aug 3, 2015 3:57:00 PM / by Dianne Chatterton

Topics: South Africa

The POPI (Protection of Personal Information) Act is an effort to align South African privacy laws with international standards.


 The POPI Act is a hot topic right now in South Africa and stands to send waves across the world. What is it? The POPI, or Protection of Personal Information act, is a new privacy law that applies to all companies collecting, storing, or processing personal information. This includes the three tiers of government.

In addition to protecting the information they hold about people and employees, organizations in South Africa must now safeguard the information they hold about companies, business partners, vendors, suppliers, and so on. The burden of complying with the law is going to be a difficult one, in part because of the extremely broad brush definition of ‘personal information.'

Elevating South Africa to the Global Stage 

The goal of POPI is to bring a uniformed standard to South Africa in order to allow homegrown businesses to play and compete at a global level, and also attract and make it easier for international organizations to work with South African companies. The bill brings South Africa in line with international norms on the protection of data privacy, thereby allowing the flow of personal information to South Africa from other nations with data protection regimes. This is particularly important for services such as data or call center outsourcing and IT software solution providers who host such information in South Africa for foreign organizations. However, local organizations with foreign operations must take heed of the data protection regulations in those foreign jurisdictions to ensure they comply when exchanging customer or employee information with South Africa.

Quick Enforcement Timeline

Another big takeaway for businesses handling PI in South Africa is that organizations are expected to be fully compliant with the new bill within one year of its enactment. This poses a particular challenge, not necessarily from an infrastructure perspective, but for employees who are going to have drastic changes in the way this kind of information is handled. With punishments being steep - involving fines, and even (in some cases) jail time, training employees on standards and practices for the new legislation will be crucial to successful POPI compliance.

eClinicalOS, Patient Privacy, and the POPI Act

As an Electronic Data Capture system for clinical research, eClinicalOS handles large volumes of patient information. This puts eCOS at the center of discussions on the protection of personal information. Having been involved in high-level security measures since the company's inception, Anu Virkar, VP of Quality and Compliance at Merge Healthcare’s eClinicalOS division, thinks eClinicalOS’s compliance with POPI will not require any changes to our systems and procedures, as we are compliant with some of the most stringent global legislation.

 “We have ongoing PHI (personal health information) and PII (personally identifiable information) internal staff training to the highest standards,” said Virkar.  “In addition to the US and FDA Part 11 standards, the EU’s “Annex 11” law has in place some of the strictest privacy standards for personal information in the world. Places like India, Germany, Brazil and now China and Japan have very rigid standards of retention and sharing of PI, and we are compliant with all of them."  

Virkar also added, “eClinicalOS will have no problem complying with POPI, and can even consult with partner organizations in the steps to become compliant.”

Have questions about the POPI act (or other data privacy and security issues)? Contact us!



If you're not an eCOS user yet, get more information and sign up for your personal tour below!

New Call-to-action

Share this post

Dianne Chatterton
Written by Dianne Chatterton