Court dismisses appeal against matric results publication ruling: What this means for health research

Image source: photonphoto – 123RF.com

The full court judgment of 12 December 2025 — which set aside the Regulator’s enforcement notice against the Department of Basic Education over the publication of matric results — is now the controlling judgment in South African data protection law, subject to any further appeal.

The full court of three judges, led by Mooki J (with Molopa-Sethosa J and Morgan AJ concurring), found that the Regulator’s appeal enjoyed no reasonable prospect of success, and ordered the Regulator to pay costs. While the IR can, in principle, still petition the Supreme Court of Appeal directly under section 17(2)(b) of the Superior Courts Act, the practical chances of the SCA granting leave to appeal are low.

This judgment deals a heavy blow to the 'motivated intruder' test in South Africa. That test was never part of PoPIA — it was imported by assumption from European bureaucratic guidance. Our courts have all but completely closed the door on that assumption.

Primary & Secondary Education

Matric results to be published in newspapers, media as usual: High Court rules

15 Dec 2025

A uniquely South African test

The full court judgment articulates a clear, uniquely South African standard for what counts as “personally identifiable information” under the Protection of Personal Information Act 4 of 2013 (PoPIA): information is personally identifiable only where it permits, without any particular diligence and without more, the ability to identify a particular person.

The court expressly rejected the Regulator’s speculative re-identification theory as “fanciful”. That kind of argument depends on diligence and effort, and diligence is not the test.

The standard is not a diligent person trying to re-identify you. The standard is whether an ordinary person, in the ordinary course of events and without more, would be able to identify the data subject.

A new era for health research

Donrich Thaldar, Professor of Law at the University of KwaZulu-Natal

The judgment answers the long-standing question in health research: To de-identify (sometimes referred to as anonymise) a health dataset, does one need to: (a) permanently remove all data that a “motivated intruder” can potentially use to re-identify the dataset; or is it sufficient to (b) replace the direct identifiers (such as names and contact detail) with a code (a pseudonym)?

In the latter case (b), the typical health researcher who uses the dataset, will not know the identity of the persons in the pseudonymised health dataset—but there will be a theoretical possibility of re-identification by someone who is willing to go out of their way to re-identify the dataset. Under the South African standard now confirmed, (b) pseudonymisation is the answer. Permanent removal (a) is not required.

For health researchers, this is transformational. A pseudonymised genomic dataset — the kind on which precision medicine depends — is, on the new South African standard, non-personal information for PoPIA purposes. Triangulation against external datasets might in theory re-identify participants, but that theoretical possibility is no longer enough to bring the data within PoPIA’s reach.

South African researchers can now — subject to ethics clearance — lawfully share, analyse, and re-use pseudonymised genomic, clinical, and registry data with a degree of freedom that their European counterparts simply do not enjoy. This is a competitive advantage — and a public-health opportunity — that South Africa should embrace.

South Africa now has the regulatory space to become a genuine hub for ethical, large-scale health and genomic research — work that can save lives and address disease burdens that disproportionately affect our continent. The court has given us a standard that is rigorous and workable, and it is worth defending.