In today’s highly digitalised society, where large amounts of data are being collected and processed, the need for guidelines on health data governance cannot be overemphasised. Health data is profoundly sensitive, and a breach of privacy can cause significant harm to the individuals concerned and affect health outcomes. Such guidelines should regulate how data is collected, how and where it is stored, who can share or process it, and what they can do with the data.

As global interest in the regulation of health data picks up pace, it is instructive to revisit how health data collected during massive data collection exercises has been handled in some African countries. This examination is crucial to appreciate the key challenges faced in safeguarding the privacy and security of health-related data. It can provide pointers to the areas that require regulation and strengthening of practices.

In this June 2023 Brief, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) recounts how measures related to tracking and monitoring people’s movements, communications and health data by the Kenyan and Ugandan governments and private entities during the Covid-19 pandemic were deemed to have breached the right to privacy, lacked sufficient oversight, and did not respect data protection principles.

Based on experiences from Kenya, South Africa, and Uganda, the Brief cites recommendations by the Transform Health Coalition on the need for “common regulatory standards to harness the potential, and manage the risks, of health data sharing within and across borders, ensuring data is used for public good and prioritising equity, whilst protecting individual rights”.

Furthermore, the Brief puts forward pointers on how African governments can balance the responsibility to protect personal health data with the importance and value of sharing it for public good purposes such as research, innovation and health planning:

  • Develop clear and comprehensive privacy rights-respecting guidelines on health data through consultative processes that involve different private, civil society and public sector actors.
  • Regional and global cooperation in devising the guidelines is key to sharing best practices and promoting cross-country cooperation and harmonisation of regulations.
  • The health data regulations should clearly and robustly embed all the high-level data protection principles. Health data specifically must only be processed for a period not longer than is necessary to achieve the intended purpose.
  • The guidelines should provide for assessment by independent bodies of applications and systems that collect health data for their privacy / data protection credentials.
  • The guidelines should include provisions on data collection, storage and sharing during pandemics and other health emergencies.
  • Government, private companies and medical facilities should be transparent about what data they hold, who they share it with, how they process and store it, and who accesses it and for what purpose.
  • Developers of health apps should embrace privacy by design when developing applications that collect, store or process health data. They should also have internal data governance policies that highlight the steps to ensure that the data they collect and process is secure.
  • Establish accountability mechanisms for apps and health data collectors and ensure data protection authorities proactively enforce them.
  • Government bodies should be transparent about all public–private partnerships they enter into that entail data collection, storage and data sharing.
  • The regulations should encourage data sharing and reuse at national level, as well as cross-border sharing, but provide mechanisms for ensuring the integrity of data that is shared.
  • Require health data collectors to have privacy policies written in plain language describing their data governance protocols and privacy credentials.
  • The regulations should require data collectors and processors to implement appropriate, timely and effective measures to demonstrate compliance with personal data processing regulations.

Read the Brief here.