Abstract
This article considers the practical question of how research institutions should best structure their legal relationship with the human genomic data that they generate. The analysis, based on South African law, is framed by the legal position that although a research institution that generates human genomic data is not automatically the owner thereof, it is well positioned to claim ownership of newly generated data instances. Given that the research institution exerts effort to generate the data, it can be argued that it has a moral right to claim ownership of such data. Combined with the fact that it has an interest in having comprehensive rights in such data, it appears that the prudent policy for research institutions is to claim ownership of the human genomic data instances that they generate. This policy is tested against two opposing policy positions. The first opposing policy position is that research participants should own the data that relate to them. However, in light of data protection legislation that already provides extensive protections to research participants, bestowing data ownership on research participants would offer little benefit to such individuals, while leading to significant practical problems for research institutions. The second opposing policy position is that the concept of ownership should be abandoned in favour of data custodianship. This opposing position is problematic, as avoiding reference to ownership is a denial of legal reality and hence not a useful policy. Also, avoiding reference to ownership will leave research institutions with limited legal remedies in the event of appropriation of data by third parties. Accordingly, it is concluded that the wisest policy for research institutions is indeed to explicitly claim ownership of the human genomic data instances that they generate.
Keywords: Custodianship, data generation, human genomic data, moral right, ownership
1. INTRODUCTION
We are witnessing a rapid increase in the volume of human genomic data.1 However, given the relative novelty of this new type of legal object, there are debates in many countries over the exact legal nature of human genomic data—in particular, whether such data can be owned, and if so, by whom. Some have argued that data are not susceptible of ownership since they are not capable of exclusive control by a putative owner.2 For example, university X may be in possession of one instance of person Y's human genomic data, but Y can provide a blood sample to a genomics research study of university Z, which will then also be in possession of an instance of Y's human genomic data. Y does not even need to donate blood again, as the data instance in X's possession can simply be copied. The data instance in X's possession can be copied an infinite number of times (subject to practical limitations) and even published online in the style of the Harvard Personal Genome Project.3 Are any claims of ownership of Y's human genomic data legally tenable in light of these realities? Surely, Y has a legitimate interest in controlling what happens with his or her genomic data.4 If such an interest is recognised by the law, does it not imply that Y has ownership in his or her genomic data? And where does this leave X that invested effort and resources in sequencing Y's genome?
In this article, I consider the practical question of how research institutions should best structure their legal relationship with human genomic data. My analysis is presented in two parts: The first part is a positivist legal analysis of whether human genomic data can be owned, and if so, by whom. Once it has been established what the current law is, I propose my answer to the main research question (of how research institutions should best structure their legal relationship with human genomic data), substantiate my answer, and defend it against potential counterarguments. My analysis is based in South African law, but I suggest that many of the principles are applicable more broadly in other countries.
2. THE LEGAL LANDSCAPE
2.1. Understanding ownership
Ownership is the most comprehensive set of rights that a person can have in an object, and it is in principle enforceable against anyone else—regardless of who they are.5 Ownership can be understood as a bundle of rights6 entailing (in very general terms) the right to use an object, the right to enjoy the fruits of the object, and the right to dispose of an object. However, ownership is not absolute.7 It is always qualified depending on the nature of the owned object and the context. For example, I may be the owner of my car, but I cannot drive it on a public road without a driver's licence. And while driving my car on a public road (assuming I have a driver's licence), I must adhere to the many rules of the road. I can decide to destroy my car, but I may not do so by setting fire to it in my backyard, as this would contravene municipal waste disposal and fire hazard ordinances. But the legal fact that I am the owner of my car means that nobody else may, without my consent, take my car keys and drive my car around or destroy it. If someone does so in contravention of the law, there will be civil and criminal consequences. So, despite the numerous rules that qualify ownership of an object in certain contexts, ownership provides a broad range of default legal rules that govern who may do what with a particular object. In this sense, ownership can be perceived as a vital legal safety net.
2.2. Can data be owned?
An object's susceptibility of being controlled is often viewed as the preeminent condition for its susceptibility of ownership.8 How does this apply to data? Data often seem ubiquitous, like the air around us, and the vast oceans—beyond human control, and thus not susceptible of ownership. But, if one fills a gas cylinder with air, or fills a bottle with seawater, then the air or water becomes part of an object that is indeed susceptible of ownership. Can the same be done with data? Yes, when data are recorded in a computer file—a single data instance—the data are brought within human control. However, one might argue that this does not settle the question about the control of data, because—different from the gas cylinder filled with air, or the bottle of seawater—data are intangible and can be reproduced indefinitely and can thus be published online and downloaded by any number of people. Consider again the example used in the introduction above. University X is in possession of an instance of person Y's human genomic data. Does this amount to control of such data? It can be argued that the answer is 'no', since Y can provide a blood sample to a genomics research study of university Z, which will then be able to generate its own instance of Y's human genomic data; and perhaps Y is a data altruist who publishes his or her genomic data online for anyone in the world to access.
I suggest that, despite the tangible/intangible difference, this argument commits the same category error as with the ocean versus bottle of seawater example above. Having control over a bottle of seawater does not mean that one is claiming Poseidon‐like control of the ocean. Similarly, control over Y's human genomic data that are recorded in a computer file is not a claim to control Y's human genomic data generally—only the specific instance of it on the computer file. This is entirely compatible with the fact that other persons also control their respective instances of the same data, as data is nonrivalrous—one person using data in no way depletes the data, nor prevents other persons from using it.9
Accordingly, once the object that is the candidate of the ownership inquiry is conceptually pinned down as a data instance—not to be confused with data generally—control (and thus ownership) becomes realistic. In light of this conceptual clarity, I next explore how data ownership has been dealt with in South African caselaw and academic literature.
2.3. Data ownership in South African caselaw and academic literature
It is well‐established in South African law that confidential information can be owned.10 For information to be confidential it must be (a) useful in the sense that it must be capable of application in trade or industry, (b) of economic value to the person seeking to protect it, and (c) known only to a restricted number of people, and not be public knowledge or public property.11 For example, a medical scheme brokerage firm can claim ownership of all the information of clients that it collects.12 Does this mean that such clients cannot provide the same information to anybody else, as their information is now owned by the firm? Of course not. The firm can only claim ownership of the instance of the information of a client that it has collected, not the information of a client in general. Accordingly, the clients are at liberty to provide the same information about themselves to anybody else.
But can information be owned if it is shared with outside parties, for example, if it is sold to other firms? In a case that dealt with electronic point‐of‐sale data, which have obvious usefulness and economic value, the South African Competition Tribunal treated such data as private property that can be bought and sold.13 It is interesting that the Competition Tribunal did not even find it necessary to consider whether electronic point‐of‐sale data constitute confidential information. However, provided that the sale agreements prohibit the purchasers from further sharing the electronic point‐of‐sale data or making such data public, the electronic point of sale data remain known only to a restricted number of people, and thus clearly constitute confidential information.
The essence of the caselaw discussed above is that information can be owned, provided that it is useful, valuable, and remain known only to a restricted number of people. Importantly, there is no caselaw that explicitly excludes non‐confidential information from being owned.
Academic literature in South African property law lends support to the position that not just confidential information, but information more generally can be owned. Njotini examines the historical development of the concept of an object of property rights in South African law, and suggests that property rights should expand to include information qua object.14 Erlank suggests that ‘digital objects’, such as websites email addresses, bank accounts, e‐books, smartphone apps, and digital music, are indeed the objects of ownership in extant law.15 In a recent article, Thaldar et al. focus specifically on human genomic data.16 The authors suggest that a human genomic data instance fulfils all the general criteria for an object to be susceptible of private ownership in South African law.17 These criteria are that an object must be (a) useful and valuable; (b) not merely part of something else; (c) not part of a human body; and (d) capable of human control.18 Accordingly, there is a solid theoretical basis for recognising private ownership in instances of human genomic data. It follows that such data instances can be sold or out‐licenced like any other digital asset—subject, of course, to other rights that may apply to such data, such as data protection rights.
2.4. Excursus: Ownership and intellectual property rights
It is important to differentiate ownership of data from intellectual property rights related to data, such as copyright and patents. Most pertinently, the objects of rights entailed by each of these legal concepts in the context of human genomic data are different: The object of ownership is genomic sequence data as contained in a computer file—i.e., a data instance. The object of copyright is a genomic dataset, which is a compilation of the genomic sequence data of multiple individuals.19 The object of patent rights is an invention, which in certain jurisdictions, such as the European Union and likely South Africa, can be a gene sequence that has a proven functional application.20 Note however, that in other jurisdictions, such as the United States and Australia, naturally occurring gene sequences are not patentable.21
Ownership of data and the various intellectual property rights related to data are best conceived of as separate layers of rights related to data, interacting with each other, rather than replacing or subsuming one another.22 Accordingly, patenting a gene sequence (assuming it is permissible in one's jurisdiction) does not mean that one becomes the owner of the gene sequence—these are different legal concepts, each with its own rules. Patenting a gene sequence provides one with patent rights, but it does not change who owns the gene sequence qua data instance. Similarly, ownership of an object to which an invention pertains is not a prerequisite for obtaining a patent in such an invention. Accordingly, the need to give attention to the ownership of genomic data remains, irrespective of whether such genomic data are incorporated into a dataset or have a proven functional application that makes such data patentable.
2.5. Who owns human genomic data?
Since it has been established that human genomic data instances are susceptible of ownership, the next question is: who owns such data instances? The question of who owns an object must be answered with reference to the rules of property law. If a new object N is made from or produced by another object M, the owner of M would typically also acquire ownership in N. Is a newly generated human genomic data instance made from or produced by DNA? If so, the default legal position in South African law would be that the newly generated human genomic data instance would be owned by a research institution, as the statutory position in South Africa is that the research institution to whom human biological material is donated acquires exclusive rights in such material.23 However, this does not assist much, as it would be inaccurate to state that a human genomic data instance is made from or produced by DNA. More accurately, a human genomic data instance is a description of DNA, analogous to an entomologist studying a newly discovered insect and making extensive notes and sketches that describe the insect. However, the analogy is of limited validity, as the entomologist will automatically have intellectual property rights (in the form of copyright) in his or her descriptive notes, while no intellectual property rights vest in respect of a human genomic data instance, as it is machine‐generated. My point is that there is no existing rule in property law that determines who owns a newly generated human genomic data instance. It is a new object that was neither made from nor produced by any antecedent object. Accordingly, as concluded by Thaldar et al., a newly generated human genomic data instance is res nullius,24 meaning that it does not belong to anyone—at least not at its genesis.
This conclusion has an important consequence: The first person to take effective control of res nullius with the intention of being its owner immediately becomes its owner.25 Since the research institution that conducts the sequencing is presumably already in control of the human genomic data instance, such a research institution is best placed to legally claim ownership of such newly generated data instance.26 Building on this conclusion, Swales et al. suggest that South African research institutions should claim ownership of the data that they generate to ensure that they have the legal means to effectively protect such data.27 In the next section of this article, I elaborate on this argument and consider possible counterarguments.
3. THE WISDOM OF CLAIMING OWNERSHIP OF HUMAN GENOMIC DATA
3.1. The sweat of one's brow
As the generator of the human genomic data, a research institution is the entity that invested effort and resources in generating the data. As such, based on classic Lockean property theory, the research institution has a moral right to be the owner of the human genomic data instance that it generated. Furthermore, research institutions generally have an interest in being able to conduct research and continue to do so with as little unnecessary cost and interruption as possible. Thus, it makes practical sense for research institutions to place themselves in a position that would afford them with the most comprehensive set of rights in the human genomic data instance that they have generated—while, at the same time, being cognisant and respectful of their legal and ethical duties towards research participants. Based on a combination of moral entitlement and self‐interest, it appears that the prudent course of action for research institutions would be to proactively claim ownership of the human genomic data that they generate.
How should this be accomplished in practice? I suggest that the research institution should make its ownership claim clear to all interested parties. This would include, first, a clear policy that is available online to its employees and any outside party; second, by explicitly stating in informed consent forms that the research institution will be the owner of the resulting human genomic data instances; and third, by maintaining the integrity of its ownership of its human genomic data by including relevant ownership clauses in data transfer agreements.28 An example of such a data ownership clause can be found in the freely available data transfer agreement template developed by Swales et al.29
But, what about the research participants—do they not have a stronger legal and moral claim to ownership of the human genomic data that relate to them? Moreover, should the concept of ownership of human genomic data not rather be abandoned in favour of custodianship? In the following subsection, I analyse these opposing views to thesis that research institutions should claim ownership of the human genomic data instances that they generate. Through this analysis, I suggest that the thesis gains clarity and proves its robustness.
3.2. The first opposing position: Research participants as data owners
Given that a human genomic data instance relates to an individual research participant, should he or she not be deemed the owner by virtue of this personal connection with the data? The answer must be ‘no’. The acquisition of ownership is determined by the rules of property law. Property law provides for a closed number of ways in which ownership can be acquired, and the existence of a personal connection between a person and an object is not one of them. Note, however, that having a personal connection with an object is not necessarily legally irrelevant—it may indeed be legally relevant, but in another branch of the law, namely data protection law.
South African data protection law is codified in the Protection of Personal Information Act (POPIA).30 POPIA applies to personal information, which is information that relates to and that identifies or can identify a person, and therefore includes a person's genomic data. POPIA provides for a wide array of data protection rights that persons—data subjects in data protection law terminology—can exercise with respect of their personal information, in the same mould as the European Union's General Data Protection Regulation (GDPR).31 These rights include the rights (i) to have one's personal information processed in accordance with POPIA's eight conditions for processing of personal information; (ii) to be notified if one's personal information is being collected, or has been accessed by an unauthorised person; (iii) to establish whether a person holds one's personal information; (iv) to request where necessary, the correction, destruction or deletion of one's personal information; (v) to object, on reasonable grounds, to the processing of one's personal information; (vi) to object to the processing of one's personal information for purposes of direct marketing; (vii) to not be subjected to automated decision‐making based on one's personal information (under certain circumstances); (viii) to submit a complaint to the Information Regulator regarding the alleged interference with the protection of the personal information; and (ix) to institute civil proceedings regarding the alleged interference with the protection of their personal information.
Some of these data protection rights have characteristics that resemble ownership, in the sense that they correspond to a lesser or greater degree with rights that are part of the ownership bundle of rights. Examples are (a) the data protection right to have one's personal information deleted,32 which corresponds with the right of an owner to destroy the owned object; (b) the data protection right to have one's personal information processed only if a legal ground for processing it is present, such as consent by the data subject,33 which can be perceived to correspond with the scenario where an owner agrees to transfer the right to use the owned object to another person, such as in the case of loan for use. However, these few instances of resemblance should not lull one into confusing data protection rights with ownership, or into thinking that data protection rights are somehow indicative of ownership. Although some data protection rights resemble ownership, they stem from a different branch of the law and have different natures and functions. For example, while ownership can in principle be transferred from one person to another, it is not possible to transfer one's data protection rights, as they are bound to one's personality. The proper legal relationship between data protection rights and ownership is that if any data protection right comes into conflict with ownership, the data protection right will trump ownership.34 The existence of data protection rights in no way influence the acquisition of ownership.
However, the idea that research participants own the data that relate to them is found in the controversial35 material transfer agreement that was published by the South African Minister of Health in 2018 (SA MTA).36 In clause 3.3 it states that the ‘donor remains the owner of the material until such materials are destroyed’.37 ‘Materials’ in turn is defined as including both biological samples and data.38 The choice of words in clause 3.3 is strikingly contradictory, as a donor per definition transfers ownership and does not remain the owner.39 If ownership remains with persons who provide biological samples from their bodies, they cannot be donors and the transaction cannot be a donation. The bad drafting aside, it should be noted that the SA MTA provides that it is only a ‘framework’,40 meaning that its substantive provisions need not be followed. Moreover, there are good reasons why clause 3.3 of the SA MTA should not be followed: (1) The idea that research participants can acquire ownership in the data generated from their biological samples is in conflict with primary legislation and thus legally impermissible; and (2) even if it were legally permissible for research participants to acquire ownership in the data generated from their biological samples, there would be very little if any benefit to the research participants, while there would be significant downsides to the research institution. I analyse these reasons seriatim.
I commence with the idea that research participants can acquire ownership in the data generated from their biological samples. To the extent that the word ‘materials’ in the SA MTA pertains to data, it can be divided into (a) data directly collected from research participants, such as their medical history, and (b) data generated using biological samples collected from research participants, such as genomic data. In the case of (a), clause 3.3 of the SA MTA can be applied, as there is nothing in South African law that would in principle militate against research participants being the owners of the data collected from them. However, the same does not apply in the case of (b), as (b) entails the collection of biological samples from research participants, which triggers section 60(4) of the National Health Act.41 This section prohibits persons who donate biological samples from their bodies from receiving any kind of reward for such a donation. This would likely render unlawful receiving ownership of one's newly generated genomic data instance.42 It can potentially be argued that the value of such ownership is so trivial that the law should ignore it. This may depend on the type of research. For example, the cost of sequencing a single gene is significantly less than the cost of sequencing a whole genome, which costs several hundred US dollars depending on the platform. But, as highlighted by Thaldar and Shozi, South African courts view the theft of goods in the amount of less than ten US dollars as non‐trivial and sufficient for a guilty verdict.43 Accordingly, the cost of generating the data should be truly insignificant to be legally deemed trivial and of no legal consequence. It follows that the legal tenability of clause 3.3 of the SA MTA is probably limited to (a) data directly collected from research participants, and (b) data that are generated using biological samples collected from research participants and that truly have insignificant value. However, with respect to data that are generated using biological samples collected from research participants and that have non‐trivial value—which would for practical purposes be all human genomic data instances—agreeing with research participants that they will acquire ownership in the data instances that are generated from the samples that they donated, would likely be unlawful and void.
Even if it were legally permissible for research participants to be the owners of data instances that are generated from their donated samples and that have non‐trivial value, I suggest that a policy of bestowing ownership of their genomic data instances on research participants would offer little or no benefit to research participants over and above the comprehensive data protection rights that they already enjoy in terms of POPIA, while presenting considerable practical obstacles for research institutes. To understand these obstacles, one should be cognisant of the different scopes of application between data protection law and ownership. While data protection rights exist exclusively in respect of research data that qualify as personal information (research data from which research participants can be identified), ownership rights are not similarly limited, and extend to non‐personal information. In this light, consider the following scenario: A genetics research group is doing research on a specific human gene and have sequenced the alleles of tens of thousands of South Africans. Before sharing their research data, they intend to deidentify the data—i.e., ensure that none of their research participants can be identified from the allelic and associated data. Deidentification is often implemented by researchers so as to share the data more easily—especially across national borders. While the research participants qua data subjects in data protection law need not consent to such deidentification and have no data protection rights in respect of deidentified data, the research participants qua owners in property law retain their rights in their data, irrespective of whether it is identifiable or deidentified. In fact, the very act by a researcher of deidentifying data without a research participant's consent would infringe such a research participant's ownership rights.
Now consider the following quotidian facts: I borrow a friend's car to drive to the supermarket. Upon returning from the supermarket, I must return the car to my friend. There is of course also the possibility of extending the borrowing of the car, by asking my friend's permission to use the car for a further period or for a further specified task. From a legal perspective, I never become the owner of the car. I just have a right to use it. But, if I wilfully continue to use my friend's car beyond the agreed borrowing period, I would be unlawfully appropriating the property of another—i.e., I would be committing theft. Would this change if I remove the car's number plates and scratch out the engine number? Can I, by removing the identifying elements of the car, argue that the car has ceased to be owned by my friend, that the car is now free‐for‐all and that I am not committing theft? Clearly, not.
The same applies to research data. Hence, from the perspective of the genetics research group in the scenario sketched above, there are none of the typical benefits of deidentifying research data if the data are owned by the research participants. This is clearly a serious limitation on the researchers.
Can the genetics research group approach their institutional research ethics committee to provide permission to create and share a deidentified version of their allelic dataset—given the enormous effort that obtaining consent from tens of thousands of research participants would entail? The answer is ‘no’. The institutional research ethics committee will be powerless to assist researchers in this regard, for the simple reason that once research participants are endowed with ownership, it falls beyond the remit of research ethics committees to limit such ownership in any way, as that would be an ultra vires encroachment in the field of property law. For example, if a research ethics committee allows the sharing of the deidentified dataset of alleles with a research collaborator without the consent of each one of the tens of thousands of research participants, such sharing remains an unlawful violation of the research participants’ ownership rights. Furthermore, the members of the research ethics committee would be opening themselves up to criminal prosecution (as accessories to theft) in their personal capacities. (Given that the dataset contains the allelic data of tens of thousands of research participants, it is unlikely that it can be argued that the value of the dataset is insignificant. Therefore, the risk of criminal prosecution would be real.)
The solution from the perspective of the research institution would be to require research participants (qua owners) from the outset to consent to deidentified versions of their (owned) data to be made and used freely by the research institution. However, then research participants will be owners in name only—but to what end? Clearly, the idea of research participants as data owners offers little benefit, if any, at significant cost.
3.3. The second opposing position: Abandoning the concept of ownership
Should ownership of genomic data not be abandoned altogether? This is indeed what was proposed by the Academy of Science of South Africa (ASSAf) in a 2018 report on the ethical, legal and social implications of genetics and genomics in South Africa.44 The ASSAf report suggested that ownership of human biological samples and genomic data should be ‘avoided’ and replaced with ‘custodianship’. The reason for the proposed move away from ownership seems to be an ideological commitment to perceiving human biological samples and genomic data as a kind of natural resource, akin to the country's water resources and gold deposits, which should be managed by the state in the public interest. This natural resource view of human biological samples and genomic data has been criticised as insufficiently respectful of individual rights.45
It is also worth pointing out that the natural resource view provides a basis to argue against private ownership of human genomic data, but not necessarily for the non‐existence of ownership altogether. Instead, it provides a basis for arguing in favour of the public ownership of human genomic data. However, given that human genomic data may already be privately owned, for instance if a research institution claimed ownership of the genomic data sequences that it generated, public ownership of such data would require the expropriation of such data by the state.46 This may require an excessive amount of state resources to accomplish, which raises the question of whether the public interest in fair access to research data cannot be served in less drastic ways, such as through policy initiatives to promote data sharing.
Instead of confronting the issue of expropriation, the ASSAf report proposes an ostrich policy of ‘avoiding’ ownership.47 However, in our law, human genomic data are susceptible of private ownership, and whether a specific human genomic data instance is owned and by whom are legal facts that can be proven in a court of law. Thus, avoiding reference to ownership is a denial of reality and hence not useful policy. Consider a scenario where a research institution generates human genomic sequence data, but decides to shun ownership and instead declares that it is the ‘custodian’ of the data that it generated. Say someone, person X, who has lawful access to the data, such as a research collaborator or a student, makes a copy of the file containing the relevant data on her own memory stick and deletes the original file from the research institution's system. X declares herself the owner of the data contained in the file on the memory stick. What are the legal consequences of these actions?
First, had the research institution been the owner of the file, X's actions would have been theft. Note that section 12 of the Cybercrimes Act provides that the common law crime of theft must be interpreted so as to not exclude the theft of incorporeal property.48 Moreover, had the research institution been the owner of the file, the research institution would also have had civil remedies. The research institution would be able to claim the file back from X—or anyone to whom X might have transferred it—using the ancient but efficient actio rei vindicatio. However, in the scenario under consideration, the research institution failed to claim ownership. Consequently, no theft was committed (something that is not owned cannot be stolen) and the research institution cannot use the actio rei vindicatio to reclaim the file. The research institution would need to rely on contractual remedies against X—if it has any available. Contractual remedies are, however, limited in scope. For example, if X transferred the file to a third person, such a person would not be bound by the contract between the research institution and X.
This is not the end of the research institution's woes. Given its express failure to claim ownership, the data was owned by no one. The fact that X has taken effective control of the data instance and has the intention to own it, means that X acquires ownership in the data instance through appropriation. This is the same as catching a wild animal like a dove that belongs to no one. The first person to take effective control of the dove with the intention of owning it, acquires ownership in it. The fact that someone declared himself or herself the ‘custodian’ of all the doves that are flying around in a market square is of no legal consequence. The research institution can attempt to insert clauses in its contracts with, among others, collaborators and students, in an attempt to stop them from claiming ownership of data that is within the research institution's deemed ‘custodianship’. However, this is weaker than if the research institution had acquired ownership. A contract will only provide civil remedies against the counterparty, not against any third parties who may come into possession of the data.
4. CONCLUSION
The only way in which a research institution can ensure that it has the full force of the law behind it—especially in a situation where someone surreptitiously takes human genomic data from the research institution's systems—is to ensure that its legal status as owner of its research data is unassailable. This does not mean that the research institution will have carte blanche to do with the data as it pleases. In our contemporary society, absolute ownership does not exist—ownership is always qualified. A research institution's ownership of human genomic data will be qualified in two pertinent ways: First, the research institution is subject to ethics oversight. All the health research that the research institution intends to conduct with the human genomic data that it generated must be approved by its health research ethics committee, which is mandated to protect the interests of research participants.49 Secondly, the research institution must also comply with POPIA. POPIA applies to all data that can—through the use of a reasonably foreseeable method by the research institution—identify the research participants (the data subjects). Whenever this is the case, the research institution and the relevant principal investigator are responsible parties in terms of POPIA,50 with all the legal duties of a responsible party in relation to data subjects. In these ways, the research institution's ownership of its research data is clearly a qualified ownership. Yet, such qualified ownership is necessary to overcome the practical problems associated with the alternatives to research institution ownership of human genomic data, as highlighted in this article.
The concept of data custodianship might still prove useful. Beyond its (rather rudimentary) ordinary meaning of someone who looks after data, it could be defined in the public policy context as referring to this rich collection of legal rights and duties that a research institution qua data owner has in respect of its data. But what is clear is that a research institution can only be an effective data custodian if it is also empowered as the data owner. Accordingly, it would be wise for South African research institutions to explicitly claim ownership of all human genomic data instances that they generate.
FUNDING
Work on this article was supported by the US National Institute of Mental Health and the US National Institutes of Health (award number U01MH127690) under the Harnessing Data Science for Health Discovery and Innovation in Africa (DS‐I Africa) program. The content of this article is solely the author's responsibility and does not necessarily represent the official views of the US National Institute of Mental Health or the US National Institutes of Health.
CONFLICT OF INTEREST STATEMENT
The author has no financial, personal, academic or any other interest that could be construed as a potential conflict of interest in the subject matter of this manuscript.
ACKNOWLEDGMENTS
The author is grateful to Banele Mhlongo and Judy Parker for their insightful comments while developing the article. Any errors are the author's own.
Biography
Donrich Thaldar, PhD, is a full professor at the School of Law, University of KwaZulu‐Natal, Durban, South Africa. His research interests are biolaw and bioethics, with a focus on new reproductive technologies and genetics research. He also has a law practice, where he focuses on strategic litigation in biolaw. He served as legal counsel in several landmark cases in the field of biolaw in South Africa, including South Africa's first case of posthumous conception and the case that struck out the country's legal prohibition on non‐medical pre‐implantation sex selection.
Thaldar, D. (2025). The wisdom of claiming ownership of human genomic data: A cautionary tale for research institutions. Developing World Bioethics, 25, 16–23. 10.1111/dewb.12443
Footnotes
Bansal, V., & Boucher, C. (2019). Sequencing Technologies and Analyses: Where Have We Been and Where Are We Going? iScience. 18.
Toomey, J. (2023). Property's Boundaries. Virginia Law Review. 109.
Harvard Medical School. (nd). The Harvard Personal Genome Project: We are Open for Science. Retrieved August 4, 2023, from https://pgp.med.harvard.edu
McGuire, A., L., Roberts, J., Aas, S., & Evans, B.J. (2019). Who Owns Medical Data in a Medical Information Commons? Journal of Law Medicine & Ethics, 47(1), 62‐69.
Pope, A., Du Plessis, E., & Badenhorst, P.J. (2nd Ed.). (2020). The Principles of the Law of Property in South Africa: Private Law. Cape Town, South Africa: Oxford University Press Southern Africa.
Pearly Beach Trust v Registrar of Deeds 1990 (4) SA 614 (C) [South Africa].
Daniels v Scribante [2017] ZACC 13, 2017 (4) SA 341 (CC) [South Africa].
Toomey, op. cit. note 2.
Vassilakopoulou et al. observe that characterising data as nonrivalrous could be an oversimplification. They highlight that under certain circumstances data can be anti‐rivalrous, signifying that the value of data escalates for all users as it is utilised by an increasing number of them. Vassilakopoulou, P., Skorve, E., & Aanestad, M., (2016). A Commons Perspective on Genetic Data Governance: The Case of BRCA Data. Research Papers. 136.
Curemed CC v Van Onselen [2015] ZAGPPHC 176 [South Africa].
Experian SA v Haynes 2013 (1) SA 135 GSJ [South Africa].
Curemed CC v Van Onselen, op. cit. note 10.
Competition Commission v British American Tobacco South Africa (Pty) Ltd (2009) ZACT 46 [South Africa].
Njotini, M. (2017). Examining the ‘Objects of Property Rights’: Lessons from the Roman, Germanic and Dutch Legal History. De Jure, 50(1), 136–155.
Erlank, W. (2015). Introduction to Virtual Property: Lex Virtualis Ipsa Loquitur. Potchefstroom Electronic Law Journal, 18(7), 2525‐2559.
Thaldar, D.W., Townsend, B.A., Donnelly, D.‐L., Botes, M., Gooden, A., van Harmelen, J., & Shozi, B. (2022). The Multidimensional Legal Nature of Personal Genomic Sequence Data: A South African Perspective. Frontiers in Genetics. 13.
Ibid.
Ibid.
Ibid: Copyright Act 98 of 1978 [South Africa]. Retrieved December 3, 2023, from https://www.gov.za/documents/copyright-act-16-apr-2015-0942
Thaldar, et al., op. cit. note 16; Directive 98/44/EC of the European Parliament and of the Council on the legal protection of biotechnological inventions (1998). Retrieved December 3, 2023, from https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31998L0044; Patents Act 57 of 1978 [South Africa]. Retrieved December 3, 2023, from https://www.gov.za/documents/patents-act-9-apr-2015-0827
Association for Molecular Pathology v Myriad Genetics Inc. 569 U.S. 576 (2013) [United States]; D'Arcy v Myriad Genetics Inc [2015] HCA 35 [Australia].
Thaldar et al., op. cit. note 16; Swales, L., Botes, M., Donnelly, D.‐L., & Thaldar, D. (2023). Towards a Data Transfer Agreement for the South African Research Community: The Empowerment Approach. South African Journal of Bioethics and Law, 16(1), 13–8.
Thaldar, D.W., & Shozi, B. (2021). The Legal Status of Human Biological Material Used for Research. South African Law Journal, 138(4), 881–907; National Health Act. (2003). Regulations regarding the General Control of Human Bodies, Tissue, Blood, Blood Products and Gametes, GN R180, Government Gazette 35099, 2 March 2012. [South Africa]. Reg 26 Retrieved December 03, 2023, from https://www.gov.za/sites/default/files/gcis_document/201409/35099rg9699gon180.pdf
Thaldar, et al., op. cit. note 16.
Reck v Mills [1989] ZASCA 155, [1990] 1 All SA 560 (A) [South Africa].
Thaldar, et al., op. cit. note 16.
Swales, et al., op. cit. note 22.
Swales, et al., op. cit. note 22.
Swales, L., Ogendi, P., Botes, M., Townsend, B., Donnelly, D.‐L., Abdulrauf, L., & Thaldar, D. (2023). A Data Transfer Agreement Template for South Africa. (1.0). Zenodo.
South African Government. (2013). Protection of Personal Information Act 4 of 2013. Retrieved July 20, 2023, from https://www.gov.za/documents/protection-personal-information-act
Regulation of the European Parliament and of the Council. (2016). General Data Protection Regulation. Official Journal of the European Union Legislations Series. 119. Retrieved July 20, 2023, from https://gdpr-info.eu/
Ibid: s 24.
Ibid: s 11.
Thaldar, et al., op. cit. note 16.
Labuschaigne, M., Dhai, A., Mahomed, S., Behrens, K., Nienaber, A., Moodley, K., Cleaton‐Jones, P., Olckers, A., Maepa, N., & Penny, C. (2019). Protecting Participants in Health Research: The South African Material Transfer Agreement. South African Medical Journal, 109(5), 353; Thaldar, D.W., Botes, M., & Nienaber, A. (2020) South Africa's New Standard Material Transfer Agreement: Proposals for Improvement and Pointers for Implementation. BioMed Central Medical Ethics, 21(1), 85; Thaldar, D. (2020). One Material Transfer Agreement to Rule Them All? A Call for Revising South Africa's New Standard Material Transfer Agreement. Humanities & Social Sciences Communications, 7(1), 105.
Government Gazette: Republic of South Africa: Department of Health. (2018). National Health Act: Material Transfer Agreement for Human Biological Materials. GN 719 GG 41781 of 20 July 2018. Retrieved July 20, 2023, from https://www.gov.za/sites/default/files/41781_gon719.pdf
Ibid.
Ibid.
Harms, L. (2017). Donations. (3rd Ed.). The Law of South Africa.
National Health Act: Material Transfer Agreement for Human Biological Materials, op. cit. note 36, clause 1.
South African Government. (2003). National Health Act 61 of 2003. Retrieved July 20, 2023, from https://www.gov.za/documents/national-health-act
Thaldar, et al., op. cit. note 16.
Thaldar, D.W., & Shozi, B. (2023). Is Benefit Sharing with Research Participants Lawful in South Africa? An Unexplored Question in the Governance of Genomics Research. Journal of Law and the Biosciences, 10(1).
Academy of Science of South Africa. (2018). Human Genetics and Genomics in South Africa: Ethical, Legal and Social Implications. Retrieved July 20, 2023, from http://research.assaf.org.za/handle/20.500.11911/106
Thaldar, D., Kinderlerer, J., & Soni, S. (2019). An Optimistic Vision for Biosciences in South Africa: A Response to the ASSAf Report on Human Genetics and Genomics. South African Journal of Science. 115(7/8); Kabata, F., & Thaldar, D.W. (2023). Regulating Human Genomic Research in Africa: Why a Human Rights Approach is a More Promising Conceptual Framework than Genomic Sovereignty. Frontiers in Genetics. 14.
Kabata & Thaldar, op. cit. note 45(ii).
Academy of Science of South Africa, op. cit. note 44.
Government Gazette: Republic of South Africa. (2020). Cybercrimes Act 19 of 2020. Retrieved July 20, 2023, from https://www.gov.za/sites/default/files/gcis_document/202106/44651gon324.pdf
Republic of South Africa: Department of Health [South Africa]. (2nd Ed.). (2015). Ethics in Health Research: Principles, Processes and Structures. Retrieved July 20, 2023, from https://www.health.gov.za/wp-content/uploads/2022/05/NHREC-DoH-2015-Ethics-in-Health-Research-Guidelines.pdf
Protection of Personal Information Act op. cit. note 30; Swales, L., Thaldar, D., & Donnelly, D.L. (2022). Why Research Institutions Should Indemnify Researchers Against POPIA Civil Liability. South African Journal of Science, 118(3/4).