Protection of Personal Information Act in Practice: A Systematic Synthesis of Research Trends, Sectoral Applications, and Implementation Barriers in South Africa

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

This article is comprehensive in its research methodology description which is becoming more popular nowadays. However, there are many small problems and one big problem mentioned below. 

1) Three research questions were mentioned but there is no supporting evidence that these three questions are important.

2) In-text citation work is very poor. The reference # are not in sequence. For example, in line #87, where are the references of #1 to #4?

3) Location of diagrams/figures and tables are in a mess. They should be put near the texts. Besides, there should have comprehensive legends, e.g. in page 6 there is a diagram but no title and legend. In addition, Figure 3.5 did not have legend or description to explain the diagram.

4) At least one figure and one table, Figure 3.4 and Table 3.2 were not referred. This must have proof checked before submission.

5) In line #161, it mentioned 'presence of additional operational elements' but no supporting document/literature about this addition. Furthermore, in line #171, it mentioned 'key' mechanisms. Why are they 'key'?

6) In Table 2.2, the country column should be sorted by continent because the analysis inside is in this direction. Besides, why are just those countries? How about the big countries like UK and US?

7) In section 3.2, why is the screening criteria from year 2014 to 2025? Justifications must be provided.

8) In line #374 and line #389, what is 'second chart' and 'third graph'? They must be the actual for table or figure #.

9) In line #394 and 395, the 'cross-sectoral contexts' and 'the retail industry' are highly different in SJR/H-index. Why was 'the retail industry' mentioned?

10) In line#403, it mentioned 'insurance' but it has quite low SJR/H-index.

11) In line #416 and 417, please explain why 'a skewed distribution in journal and conference quality'.

12) From lines #417 to 419, evidence must be provided.

13) In line #424, why 'health research emerged'? From Figure 3.6, SJR/H-index is very low for 'health' sector. Similarly, in line #434, why 'information technology' and 'insurance'? Explanations with evidence must be provided to qualify this statement.

14) One of the biggest problem is about Table 4.2. It mentioned 'multiple reviewers' were involved in the discussion judgement but no detail of such research mechanism was provided. For example, how many reviewers, their qualification, the discussion and decision process. This must be described in detail because such qualitative judgement can be more dangerous if the research mechanism has loopholes, e.g. groupthink problem. 

15) Once again, the discussion of the three research questions inside section 5 are in a mess. How do we know the truth? There are many unreferenced or unqualified or untraceable judgements inside.

16) In Table 5.1, how come the contents of first column 'Compliance Area'? 

In conclusion, this article has a very good point in introducing the mechanism of SLR but it is extremely weak in applying to the research topic.

 

 

Author Response

Comments1 1: [Three research questions were mentioned but there is no supporting evidence that these three questions are important.

Response1; [These three research questions were derived from identified gaps in existing reviews, such as the limited exploration of methodological diversity Hashmi et al [1], sector-specific implementation challenges Kandeh, Botha and Futcher [2], and evolving thematic concerns post-enforcement Netshakhuma, [3]. They were validated through an initial scoping phase and guided by the need to inform policy design, institutional compliance strategies, and future academic inquiry into privacy legislation in the Global South. 

Page 2, Line 78 -92

Comments 2 [In-text citation work is very poor. The reference # are not in sequence. For example, in line #87, where are the references of #1 to #4? (356, table 3.2)

Response [Citation in the manuscript has revised to start from 1, 

Page 2, Line 80

Comments 3 [ Location of diagrams/figures and tables are in a mess. They should be put near the texts. Besides, there should have comprehensive legends, e.g. in page 6 there is a diagram but no title and legend. In addition, Figure 3.5 did not have legend or description to explain the diagram.

Response [Figure 3.5: Citation distribution by study type. This boxplot illustrates citation frequency across qualitative, theoretical, empirical, and methodological study types, highlighting outliers and distribution patterns." 

Page 23, Line 481-482

Comments 4[ At least one figure and one table, Figure 3.4 and Table 3.2 were not referred. This must have proof checked before submission.

Response [As shown in Figure 3.4, the keyword co-occurrence network generated using VOSviewer highlights 'data privacy', 'compliance', and 'information security' as central nodes in POPIA literature." Table 3.2: provides a detailed breakdown of the methodological and sectoral characteristics of the included studies. 

Page 22, Line 433 and Page 14, Line 43

Comments 5 [In line #161, it mentioned 'presence of additional operational elements' but no supporting document/literature about this addition. Furthermore, in line #171, it mentioned 'key' mechanisms. Why are they 'key'?

Response [ Supporting literature is added and expanded, these mechanisms are considered ‘key’ as they are fundamental operational requirements mandated by nearly all comprehensive data protection regimes (e.g., GDPR, PIPEDA), ensuring enforceability and organizational accountability Botha, Eloff and Swart, [5] ; Pittman et al. [22]. 

Page 6, Line 200-203

Comments 6 [In Table 2.2, the country column should be sorted by continent because the analysis inside is in this direction. Besides, why are just those countries? How about the big countries like UK and US?

Response [Table 2.2 Countries are grouped by continent to support comparative regional analysis. Major economies with advanced data protection regimes (e.g., US, UK) were included due to their global regulatory influence. It is worth noting that the United States does not have a single comprehensive principal data protection legislation. Instead, what is obtainable is a plethora of laws enacted at both the federal and state levels to protect the personal data of US residents. 

Page 5-6, Line 193-194 (CCPA and COPPA is added to the Table 2.2)

Comments 7 [In section 3.2, why is the screening criteria from year 2014 to 2025? Justifications must be provided

Response [The period 2014–2025 was selected to capture both pre-implementation (2014–2020) and post-enforcement phases (2021 onward) of POPIA. This allows for a longitudinal assessment of evolving compliance practices and scholarly engagement 

Page 8, Line 282

Comment 8 [In line #374 and line #389, what is 'second chart' and 'third graph'? They must be the actual for table or figure #. (figure 3.5)

Response [Replaced “second chart” and “third graph” with “Figure 3.5” and “Figure 3.6” respectively

Page 23, Line 471

Comments 9 [In line #394 and 395, the 'cross-sectoral contexts' and 'the retail industry' are highly different in SJR/H-index. Why was 'the retail industry' mentioned? 

Response [ Despite lower average SJR values, retail and insurance sectors are discussed due to their critical role in processing consumer data and recurring compliance violations Veiga [12]; 2019 [15]). Health research remains central due to its ethical complexity and data sensitivity, not necessarily publication impact. 

Page 25, Line 485

Comments 10 [ In line#403, it mentioned 'insurance' but it has quite low SJR/H-index. 

Response [Sentenced revised (while finance, retail and information technology.

Page 24, Line 511

Comments 11 [In line #416 and 417, please explain why 'a skewed distribution in journal and conference quality'.

Response [The skewed distribution in publication quality (Figure 3.6) reflects variation in the maturity and visibility of sector-specific research streams rather than the intrinsic importance of the sectors themselves.

Page 25, Line 529-534

Comments 12[ From lines #417 to 419, evidence must be provided. 

Response [Evidence is shown in table 3.2

Page 14 & 25, Line 432- 433

Comments 13 [In line #424, why 'health research emerged'? From Figure 3.6, SJR/H-index is very low for 'health' sector. Similarly, in line #434, why 'information technology' and 'insurance'? Explanations with evidence must be provided to qualify this statement.

Response [Health research emerged because more literature publications are from the health sector as shown in table 3.2, Page 14

Comments 14 [ 

One of the biggest problem is about Table 4.2. It mentioned 'multiple reviewers' were involved in the discussion judgement but no detail of such research mechanism was provided. For example, how many reviewers, their qualification, the discussion and decision process. This must be described in detail because such qualitative judgement can be more dangerous if the research mechanism has loopholes, e.g. groupthink problem. 

Response [Three reviewers with expertise in data privacy, legal policy, and systematic review methodology independently assessed each study. Reviewers included a PhD candidate in Information Governance, a data protection legal scholar, and a computer science professor with SLR training. Disagreements were resolved through structured discussion sessions. Kappa inter-rater agreement was 0.82, indicating high reliability. Measures were also taken to minimize groupthink through anonymized initial scoring and iterative feedback. 

Page 28, Line 622-625

Comments 15 [Once again, the discussion of the three research questions inside section 5 are in a mess. How do we know the truth? There are many unreferenced or unqualified or untraceable judgements inside.

Response [Reference inserted. These three research questions were derived from identified gaps in existing reviews, such as the limited exploration of methodological diversity Hashmi [1], sector-specific implementation challenges Kandeh, Botha and Futcher [2], and evolving thematic concerns post-enforcement (Netshakhuma, [3]). They were validated through an initial scoping phase and guided by the need to inform policy design, institutional compliance strategies, and future academic inquiry into privacy legislation in the Global South. In addition to its role in data protection, POPIA holds strategic significance in shaping South Africa’s socio-economic development and digital transformation agenda. Mbonye, Moodley & Nyika [4], analyze POPIA’s applicability in AI‑driven environments, noting how the Act provides a legal foundation that balances innovation (e.g. AI, big data) with privacy safeguards, which is critical for responsible digital transformation. It underpins trust in digital systems, which is essential for expanding e-governance, health informatics, and financial inclusion initiatives. Moreover, POPIA’s alignment with global data protection standards positions South Africa as a reliable partner in international data cooperation and cross-border digital trade. Thus, understanding its long-term implications is vital not only for national governance but also for transnational data exchanges and ethical innovation ecosystem. 

Page 2, Line 72-87

Comments 16 [In Table 5.1, how come the contents of first column 'Compliance Area'? 

 Response [The compliance areas in Table 5.1 were inductively derived from thematic coding during data extraction. Recurring themes across sectors, such as consent management, data security, and institutional readiness, were consolidated into high-level categories for synthesis

Page 30, Line 644

Conclusion: 

While the SLR methodology demonstrated robustness, its application to POPIA literature revealed key gaps in sectoral depth, cross-national comparison, and institutional enforcement analysis areas for targeted future work

Reviewer 2 Report

Comments and Suggestions for Authors

The manuscript analyzes the implementation and compliance challenges of South Africa's Protection of Personal Information Act (POPIA) between 2014 and 2024. The author explores research trends, industry applications, and implementation barriers, providing an evidence base for policy-making, practice, and future research. The article is a systematic review study with some innovations, but it requires revision before publication:
1. The article highlights the importance of POPIA but does not sufficiently delve into its specific role and long-term significance in South Africa's socio-economic development, digital transformation, and international data cooperation. The authors should emphasize the specific role and research significance of this aspect.
2. When mentioning the consistency between POPIA and the GDPR, the authors did not conduct an in-depth analysis of the differences between the two in terms of implementation environments, regulatory mechanisms, and cultural contexts, nor did they explore how these differences might impact the effectiveness of POPIA implementation. Such comparative analysis would help highlight POPIA's uniqueness and the unique challenges it faces.
3. When analyzing research trends, although the article presents the annual changes in the number of studies, it does not delve deeply into the underlying reasons for these trends. Is the significant increase in the number of studies between 2021 and 2024 solely related to the formal implementation of POPIA, or are there other factors (such as technological developments or social events) also at play?
4. The article states, “Results indicate a gradual transition from theoretical discourse to empirical and sector-specific research, with qualitative approaches (e.g., interviews, case studies) being the most dominant.” While mentioning the shift from theoretical to empirical research, the article does not delve into the causes and implications of this shift. For example, is this shift related to the implementation phase of POPIA? Is it linked to South Africa's socio-economic environment or technological advancements? There is a lack of in-depth exploration of the underlying factors driving these trends.
5. The discussion states, “The review also highlights that while POPIA articulates overarching principles, there is a shortage of practical, operational guidance to support its implementation.” While the discussion section mentions the lack of operational guidance in POPIA implementation, it does not propose specific solutions or recommendations. How should specific compliance guidelines be developed? How can regulatory agencies' enforcement capabilities be strengthened? The lack of targeted recommendations makes the discussion content rather general.  

Author Response

Comments [1. The article highlights the importance of POPIA but does not sufficiently delve into its specific role and long-term significance in South Africa's socio-economic development, digital transformation, and international data cooperation. The authors should emphasize the specific role and research significance of this aspect.

Response [Introduction amended to emphasize the specific role and research significance of POPIA

"In addition to its role in data protection, POPIA holds strategic significance in shaping South Africa’s socio-economic development and digital transformation agenda. It underpins trust in digital systems, which is essential for expanding e-governance, health informatics, and financial inclusion initiatives. Moreover, POPIA’s alignment with global data protection standards positions South Africa as a reliable partner in international data cooperation and cross-border digital trade. Thus, understanding its long-term implications is vital not only for national governance but also for transnational data exchanges and ethical innovation ecosystems. 

Page 2, Line 78-93

Comments 2 [When mentioning the consistency between POPIA and the GDPR, the authors did not conduct an in-depth analysis of the differences between the two in terms of implementation environments, regulatory mechanisms, and cultural contexts, nor did they explore how these differences might impact the effectiveness of POPIA implementation. Such comparative analysis would help highlight POPIA's uniqueness and the unique challenges it faces.

Response [Comparative analysis has been added with the below paragraph

While POPIA and the GDPR share a similar rights-based foundation, several contextual distinctions influence their practical implementation. The GDPR operates within the European Union’s supranational regulatory infrastructure, backed by strong institutional enforcement and a culture of privacy activism. In contrast, South Africa’s implementation landscape is characterized by fragmented institutional capacity, lower levels of digital literacy, and uneven enforcement resources. Culturally, public awareness and demand for data rights remain nascent in South Africa compared to the EU. These differences create a unique compliance ecosystem for POPIA, where institutional mandates must be tailored to navigate socio-economic disparities, infrastructural limitations

Page 6, Line 200-214

Comments 3[ When analyzing research trends, although the article presents the annual changes in the number of studies, it does not delve deeply into the underlying reasons for these trends. Is the significant increase in the number of studies between 2021 and 2024 solely related to the formal implementation of POPIA, or are there other factors (such as technological developments or social events) also at play?

Response [Explained trend drivers post-2021

The surge in research output from 2021 to 2024 can be attributed to multiple converging factors beyond the Act’s enforcement. These include heightened public awareness following data breaches and cyber incidents, increased institutional demand for compliance frameworks, and the integration of privacy-by-design principles into South Africa’s broader digital economy policies. Furthermore, the growth of interdisciplinary research in law, ICT, and ethics, as well as funding incentives by regulatory bodies and universities, likely contributed to the scholarly interest. The COVID-19 pandemic also accelerated digitization, prompting more attention to digital privacy risks and legal safeguards. 

Page 23, Line 474-481

Comments 4[The article states, “Results indicate a gradual transition from theoretical discourse to empirical and sector-specific research, with qualitative approaches (e.g., interviews, case studies) being the most dominant.” While mentioning the shift from theoretical to empirical research, the article does not delve into the causes and implications of this shift. For example, is this shift related to the implementation phase of POPIA? Is it linked to South Africa's socio-economic environment or technological advancements? There is a lack of in-depth exploration of the underlying factors driving these trends.

Response [

In-dept explanation has been added.

 

The shift from theoretical to empirical research coincides with the operationalization phase of POPIA, as organizations sought practical insights to comply with the Act. This transition reflects a broader maturation of the regulatory environment and a growing demand for implementation evidence to inform institutional policies. It is also aligned with South Africa’s broader digital public policy evolution, which increasingly emphasizes evidence-based governance. Additionally, increased access to institutional case studies, interview data, and sectoral compliance reports enabled researchers to explore real-world dynamics, moving beyond conceptual analysis.

Page 33, Line 753-760

Comments 5[ The discussion states, “The review also highlights that while POPIA articulates overarching principles, there is a shortage of practical, operational guidance to support its implementation.” While the discussion section mentions the lack of operational guidance in POPIA implementation, it does not propose specific solutions or recommendations. How should specific compliance guidelines be developed? How can regulatory agencies' enforcement capabilities be strengthened? The lack of targeted recommendations makes the discussion content rather general.  

Response [

The discussion has been amended with the practical recommendations:

 

To address these implementation deficits, this review proposes the development of sector-specific compliance toolkits co-designed with stakeholders in healthcare, education, and retail. These toolkits should include practical templates for consent management, data classification protocols, and breach response procedures. Furthermore, the capacity of the Information Regulator could be enhanced through increased funding, inter-agency collaboration, and investment in regulatory technology (RegTech) to support real-time monitoring. Finally, a POPIA compliance maturity model could assist organizations in benchmarking their progress and identifying specific gaps in operational readiness.

Page 38, Line 960-977

Reviewer 3 Report

Comments and Suggestions for Authors

This paper employs a systematic literature review (SLR) method to comprehensively analyze research trends, industry applications, and implementation challenges related to South Africa's Personal Information Protection Act (POPIA) from 2014 to 2024. While it offers valuable insights, certain aspects could be further refined to enhance its academic contribution.

1. This paper examines the actual needs of data protection in South Africa, incorporating international standards such as the GDPR. However, it is recommended to adopt a developing country perspective for the research to ensure the external validity of this study.
2. In terms of research methodology, the manuscript uses the PRISMA framework to select 41 articles from 2,069. However, this sample size is too small, and it is recommended to increase the number of references by comparing different countries. Additionally, the manuscript only uses Scopus and Google Scholar, which may overlook specialized databases (such as Web of Science, ProQuest) or gray literature (government reports, industry white papers). It is recommended to supplement the sources to enhance comprehensiveness.
3. This manuscript analyzes the literature from three research questions (thematic trends, methodology, and industry distribution) in a multidimensional manner. However, other dimensions could be considered for literature research to ensure the comprehensiveness and systematic nature of the analysis of relevant issues.
4. In terms of literature research visualization, it is recommended to use professional software such as VOSviewer for visualization analysis and presentation of the sample literature.
5. The Likert scale scoring criteria in Table 4.1 (e.g., “Poor/Fair/Good”) should be specified in greater detail, such as clearly defining “Incomplete methodological description” as corresponding to “Fair.”
6. Cross-validation: The calculation of Kappa values among multiple reviewers is not mentioned; it is recommended to supplement this to validate scoring consistency.
7. Further expansion and enhancement of policy recommendations and their feasibility are required.

Comments on the Quality of English Language

The English could be improved to more clearly express the research.

Author Response

Comments 1 [This paper examines the actual needs of data protection in South Africa, incorporating international standards such as the GDPR. However, it is recommended to adopt a developing country perspective for the research to ensure the external validity of this study.

Response [Importantly, while POPIA is often benchmarked against instruments such as the GDPR, the South African context must also be situated within the broader challenges facing developing countries—namely, limited enforcement capacity, low digital literacy, and infrastructural constraints. Framing this study from a Global South perspective enhances its external validity and provides comparative insights for other developing nations undertaking similar data protection reforms.

Page 2, Line 61-66

Comments 2 [In terms of research methodology, the manuscript uses the PRISMA framework to select 41 articles from 2,069. However, this sample size is too small, and it is recommended to increase the number of references by comparing different countries. Additionally, the manuscript only uses Scopus and Google Scholar, which may overlook specialized databases (such as Web of Science, ProQuest) or gray literature (government reports, industry white papers). It is recommended to supplement the sources to enhance comprehensiveness.

Response [While Scopus and Google Scholar were selected for their accessibility and breadth, future iterations of this review should incorporate additional databases such as Web of Science, ProQuest, and EBSCOhost. Furthermore, inclusion of gray literature such as government white papers, reports by the Information Regulator, and policy briefs from privacy think tanks would enhance the completeness and real-world relevance of the review.

The 41 selected studies were from the 2,069 initially retrieved studies

Section 3.1

Comments 3 [This manuscript analyzes the literature from three research questions (thematic trends, methodology, and industry distribution) in a multidimensional manner. However, other dimensions could be considered for literature research to ensure the comprehensiveness and systematic nature of the analysis of relevant issues.

Response [Added New Subsection 5.4      

Subsection Title:
5.4 Emerging Dimensions for Future Literature Mapping

Beyond the current RQs, future literature syntheses could analyze author collaboration networks, institutional affiliations, regional policy influences, and funding sources. Such metadata analysis would illuminate the structural dynamics behind POPIA research and offer insight into academic-practitioner linkages, as well as geographic and institutional drivers of knowledge production.

Page 36, Line 896-901

Comments 4 [4. In terms of literature research visualization, it is recommended to use professional software such as VOSviewer for visualization analysis and presentation of the sample literature. (Vosviewer visualisation of co-occurrence inserted)
Response [Visualizations were generated using VOSviewer, a specialized bibliometric mapping tool that enables keyword co-occurrence analysis and thematic clustering. This enhances interpretive depth by visually identifying central terms, thematic overlaps, and emerging research clusters in the POPIA  compliance domain.

Page 22, Line 435-451

Comments 5 [The Likert scale scoring criteria in Table 4.1 (e.g., “Poor/Fair/Good”) should be specified in greater detail, such as clearly defining “Incomplete methodological description” as corresponding to “Fair.”

Response [Each criterion was rated using a three-point Likert scale: (1) Poor = missing or entirely undeveloped; (2) Fair = present but incomplete or vague (e.g., incomplete methodological description); (3) Good = clearly articulated and substantiated with appropriate detail. This schema improves transparency and scoring consistency. 

Page, Line 597-599

Comments 6 [Cross-validation: The calculation of Kappa values among multiple reviewers is not mentioned; it is recommended to supplement this to validate scoring consistency.

Response [To enhance reliability, inter-rater agreement was assessed using the Cohen’s Kappa statistic. The Kappa coefficient across reviewers for quality scoring was 0.82, indicating substantial agreement. Discrepancies were resolved through consensus discussions to ensure scoring integrity.

Page 29, Line 647-650

Comments 7 [Further expansion and enhancement of policy recommendations and their feasibility are required.

Response [To strengthen compliance and institutional readiness, this review recommends the following:
(i) Establishment of sector-specific compliance benchmarks by the Information Regulator;
(ii) Introduction of national POPIA awareness campaigns using public media and community ICT centers;
(iii) Development of an open-access POPIA compliance maturity toolkit for SMEs; and
(iv) Facilitation of data governance incubator programs at universities to build technical and legal capacity.
These interventions should be piloted through public-private-academic partnerships to ensure relevance and scalability."

Page 38, Line 973-981

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

Thanks for the numerous modifications. The modifications mentioned inside the cover letter is fine to me but some of them have not been clearly reflected inside the modified article especially comments #13 & 14.

Author Response

Comment 13 [Thanks for the numerous modifications. The modifications mentioned inside the cover letter is fine to me but some of them have not been clearly reflected inside the modified article especially comments #13 & 14.

Response 13 [ The third graph illustrates the average Scimago Journal Rank (SJR) or H-index scores across sectors revealing substantial variation in the quality and visibility of publication outlets for POPIA research. The finance and small and medium enterprise (SME) sectors dominate, both achieving the highest average scores of approximately 7. This suggests that studies in these domains are frequently published in globally recognized, high-impact venues such as IEEE or well-ranked business and information systems journals. The high rankings likely stem from the global regulatory salience of financial data protection, the technical sophistication of SME-focused compliance frameworks, and the direct relevance of these studies to international audiences concerned with cybersecurity, fintech, and e-commerce trust. Cross-sectoral studies occupy the third position with an average score of around 3.5, indicating moderate scholarly visibility. This can be attributed to their broader applicability across industries, making them suitable for multidisciplinary journals and conferences. These studies often contribute conceptual models or compliance toolkits that transcend sectoral boundaries, thereby appealing to a wider academic readership. In contrast, retail, IT, municipal governance, health, organizational compliance, universities, insurance, digital marketplaces, and energy sectors cluster at significantly lower SJR/H-index levels (below 1). Several factors likely contribute significantly lower SJR/H-index levels (below 1). Several factors likely contribute to this trend:

1. Local or niche dissemination – Many of these studies are published in South African or regional journals with lower international citation indices.
2. Applied rather than theoretical focus – Sector-specific implementation research may be tailored for practitioner audiences, limiting publication in high-impact academic outlets.
3. Lower global resonance – Certain domains, such as municipal governance or local retail, may have limited appeal beyond the national context, reducing opportunities for placement in top-tier, internationally indexed journals.
4. Emerging research maturity – In fields like digital marketplaces or energy, POPIA-focused research is still in early stages, with relatively few contributions achieving methodological or conceptual maturity that meets high-impact journal thresholds. 

  The low average for the health sector is particularly notable, given its prominence in the volume of POPIA literature. This suggests a mismatch between research quantity and the quality or ranking of publication outlets. Possible explanations include publication in specialized bioethics or public health law journals that, while thematically relevant, often have modest citation metrics compared to leading technology or law journals. Overall, the data highlights a clear stratification in publication impact, where sectors with high global regulatory relevance and technological sophistication (finance, SMEs) outperform more localized or emerging domains in scholarly visibility. This suggests a need for targeted strategies to elevate the publication profile of underrepresented sectors such as fostering interdisciplinary collaborations, adopting comparative international methodologies, and aligning research outputs with the editorial priorities of higher ranked journals.

Comments 14 [Thanks for the numerous modifications. The modifications mentioned inside the cover letter is fine to me but some of them have not been clearly reflected inside the modified article especially comments #13 & 14.

Response: Quality Assessment and Inter-Rater Reliability]

The quality assessment was designed to ensure transparency, methodological rigor, and high inter-rater reliability. Initial scoring and data extraction were performed by one researcher, after which two additional team members independently verified the results. Three reviewers each with expertise in data privacy, legal policy, and systematic review methodology and independently assessed every study against the predefined criteria in Table 4.1. The review team comprised a PhD candidate in Information Governance, a data protection legal scholar, and a computer science professor with extensive SLR experience as presented below:

• Reviewer A – PhD candidate in Information Governance, specialising in African data protection frameworks.
• Reviewer B – Legal scholar in data protection and privacy law.
• Reviewer C – Professor of Computer Science with extensive SLR and bibliometric analysis experience.

To minimise bias and potential groupthink, initial scoring was anonymised. Structured consensus meetings followed, during which reviewers justified their assessments with direct reference to the scoring criteria and supporting evidence. Disagreements were resolved through iterative discussion until full consensus was reached before final inclusion or exclusion decisions.

Inter-rater agreement was evaluated using Cohen’s Kappa statistic, which adjusts for chance agreement. The resulting coefficient was 0.82, indicating almost perfect agreement according to Landis and Koch’s (1977) benchmark scale. This high κ value confirms the consistency and reliability of the scoring process.

Kappa Calculation Method:

Please see attached PDF file. I was unable to copy the Kappa calculations.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

The revised paper meets the standards for publication.

Author Response

Comment 1 [The revised paper meets the standards for publication.

Response [ Thank you and much appreciated for the comment.