Towards Regulation of App-Based Health Data in Africa

By Edrine Wanyama

Digital health technologies are reshaping healthcare delivery across Africa. App-based systems now connect patients, clinicians, pharmacies, laboratories, and public health agencies, creating new opportunities to improve access, efficiency, and coordination of care. At the same time, they generate large volumes of highly sensitive health data, much of it moving across platforms, providers, and in some cases, national borders.

A new Policy brief by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) examines the critical need for robust governance of app-based health data in Africa.

The brief highlights significant health data governance gaps, which include the lack of health-specific AI regulation, fragmented legal, policy and institutional frameworks, and the unresolved distinction between wellness tracking and clinical care. These gaps fundamentally undermine health data handling and management standards, with flaws in consent, accountability, and cross-border data management requirements.

Across the continent, digital health applications now span multiple functions within health systems, from clinical management systems and electronic medical records (EMR) platforms to pharmaceutical logistics and supply chains. Alongside these systems, AI-enabled and specialist care platforms are expanding diagnostic and treatment capacity. Patient-facing applications are also expanding, particularly in chronic care, maternal health, and home-based services.

While these innovations are improving access to services and efficiency, they also introduce significant governance risks. Health data is among the most sensitive categories of personal data, capable of revealing medical history, reproductive health, mental health status, and genetic information. In app-based systems, this data is often processed by multiple actors, including developers, health providers, cloud infrastructure providers, and third-party analytics firms, many of which are not visible to users.

In practice, consent is often weak or poorly understood, data sharing arrangements are opaque, and users have limited visibility or control over the use of their information. This creates risks not only to privacy, but also to trust in digital health systems.

These risks are compounded by fragmented legal and institutional frameworks. Although many countries have enacted data protection laws and digital health policies, enforcement remains uneven and coordination between health ministries, data protection authorities, and digital regulators is often weak. This creates a persistent governance gap between the rapid expansion of app-based health systems and the capacity of institutions to regulate them effectively.

At the continental level, emerging frameworks such as that of the Africa Centres for Disease Control and Prevention (Africa CDC) and global guidance such as the World Health Organization (WHO) Digital Health Strategy set important normative directions for secure, rights-respecting health data governance. However, the translation of these commitments into enforceable national systems remains limited, particularly in relation to interoperability, cross-border data flows, and platform accountability.

The brief calls for the adoption of a strategic governance architecture grounded in seven data governance principles, namely:

  1. Data sovereignty that reflects African public health priorities, democratic oversight and defined accountability mechanisms;
  2. Cross-border data flows where adequate and comparable safeguards exist and support reciprocal recognition arrangements among Data Protection Authorities (DPAs);
  3. Consent, purpose limitation, and data minimisation that enable individuals to make informed decisions about participation and ensure secondary uses are subject to transparency and safeguards;
  4. Interoperability and standardisation of systems to ensure integration and portability;
  5. Governance of AI-based health tools that require algorithmic impact assessments, independent audits and ongoing monitoring;
  6. Equity and inclusion to ensure systems do not further exclude vulnerable and marginalised communities; and
  7. Accountability and institutional coordination through clear allocations of responsibilities across institutions, consistent oversight, enforcement, and compliance monitoring.

The principles are consistent with the CDC Health Data Governance Framework. Together with other continental instruments, they can support a harmonised, rights-respecting and secure health data governance in Africa.

The brief presents recommendations for various stakeholders which, if implemented, could foster a progressive and trustworthy digital health ecosystem in Africa. Among these are:

For the African Union and Regional Bodies

  • Support implementation of the Africa CDC Continental Health Data Governance Framework through clear timelines, monitoring mechanisms, knowledge sharing platforms, and technical assistance for member states.
  • Develop a continental health-app certification framework, recognised across participating jurisdictions, covering consent requirements, interoperability standards, cybersecurity safeguards, data governance obligations, and algorithmic accountability.
  • Facilitate regional data trust zones through reciprocal recognition agreements among Data Protection Authorities, enabling secure and accountable cross-border health data flows for disease surveillance, research collaboration, and pandemic preparedness.

For National Governments and Health Ministries

  • Enact or strengthen health-specific data governance legislation that addresses the full data lifecycle in app-based health systems, including consent, purpose limitation, data minimisation, retention, breach notification, and cross-border transfers.
  • Establish regulatory sandboxes to assess the safety, effectiveness, and governance implications of emerging digital health technologies before large-scale deployment.

For Data Protection Authorities

  • Conduct risk-based audits and impact assessments of high-impact health applications, including privacy, security, and algorithmic fairness, where AI systems are deployed.
  • Develop sector-specific guidance on the processing of health, biometric, and demographic data, including standards for research use, secondary use, and commercial processing.
  • Enter into reciprocal recognition arrangements with counterpart DPAs across Africa to support coordinated enforcement and trusted cross-border data flows.

For Health Service Providers

  • Formalise data processing agreements with health app vendors and third-party processors, including provisions on security, breach notification, audit rights, and liability.
  • Strengthen workforce capacity through regular training on health data governance, cybersecurity, incident reporting, and the responsible handling of sensitive health information.
  • Implement strong authentication, access-control, and encryption measures to protect patient information throughout its lifecycle.

For App Developers and Platform Operators

  • Embed privacy-by-design and security-by-design principles throughout the development, deployment, and operation of health applications.
  • Provide clear and accessible consent mechanisms that enable users to understand and control how their health data is collected, shared, retained, and reused.
  • Conduct regular testing and independent assessments of digital health tools to identify and address bias, accuracy concerns, and performance disparities across African populations.

For Health Service Consumers and App Users

  • Exercise rights over personal health data, including rights of access, correction, portability, and deletion where provided under applicable legal frameworks.
  • Use health applications that comply with relevant regulatory requirements and recognised data protection standards.
  • Report suspected data breaches, misuse of personal information, or harmful automated decision-making outcomes to relevant regulators and oversight bodies.

Please read the full Policy Brief here.

How the MTN Group Can Improve its Digital Human Rights Policy and Reporting

CIPESA Writer

These proposals are made to the MTN Group in respect of its Digital Human Rights Policy. The proposals commend the positive elements of the Policy including the proclamation to respect the rights of users including in privacy, communication, access and sharing information in a free and responsible manner. The submission points to areas where the telecoms group can further improve its role in the protection of human rights.

The United Nations Guiding Principles on Business and Human Rights (UNGPs) enjoin corporate entities to act with due diligence to avoid infringements on human rights. They also provide ways through which adverse impacts on human rights can be addressed. It is therefore commendable that MTN developed a Digital Human Rights Policy and is open to commentary and suggestions for strengthening its implementation. It is imperative that MTN takes proactive and consistent measures to comply with international human rights instruments such as the UNGPs, the leading global framework focused on business responsibility and accountability for human rights, which were unanimously endorsed by States at the United Nations in 2011.

Some of the Principles that MTN needs to pay close attention to include the following:

Principle 11: Business enterprises should respect human rights. This means that they should avoid infringing on the human rights of others and should address adverse human rights impacts with which they are involved.

Principle 13: The responsibility to respect human rights requires that business enterprises (a) Avoid causing or contributing to adverse human rights impacts through their own activities, and address such impacts when they occur; (b) Seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts.

Principle 15: In order to meet their responsibility to respect human rights, business enterprises should have in place policies and processes appropriate to their size and circumstances, including:

(a) A policy commitment to meet their responsibility to respect human rights;

(b) A human rights due diligence process to identify, prevent, mitigate and account for how they address their impacts on human rights;

(c) Processes to enable the remediation of any adverse human rights impacts they cause or to which they contribute.

Principle 23: In all contexts, business enterprises should:

  1. Comply with all applicable laws and respect internationally recognised human rights, wherever they operate;
  2. Seek ways to honour the principles of internationally recognised human rights when faced with conflicting requirements;
  3. Treat the risk of causing or contributing to gross human rights abuses as a legal compliance issue wherever they operate.

Respect for digital rights is also stipulated in the Declaration of Principles on Freedom of Expression and Access to Information in Africa of 2019 which MTN needs to be cognisant of as part of efforts to ensure that it upholds respect for human rights.

CIPESA Proposals to the MTN Group
The MTN Group is a market leader in various service areas in several countries where it has operations. It is also a key employer and taxpayer, and by facilitating the operations of other sectors, MTN is a key contributor to the Gross Domestic Product (GDP) and to the health of the respective countries' economies. It is crucial that the company develops and effects a robust Digital Human Rights Policy. Notably, MTN has trailed other operators, such as Orange, Millicom and Vodafone, in rolling out a digital rights policy and in transparency reporting.

While MTN last year issued its inaugural transparency report as part of its annual reporting, there are areas of concern for which we make the following recommendations:

  1. Provide more granular and disaggregated data about the number and nature of requests MTN receives from government agencies. At present, it is not clear how many of those requests relate to the release of users’ identifying data, how many were on metadata, and how many were on rendering support to communication monitoring and interception. Besides providing such a breakdown, MTN should also explain how many requests, if any, were not adhered to and why. Further, the report should indicate which particular government departments made the requests and whether all their requests were backed by a court order.
  2. Provide more nuanced information in reporting on the Digital Human Rights Policy to enable the contextualisation of country-specific explanations of government requests. In the last report, for instance, it is difficult to comprehend the information on government requests from Uganda. Given that Uganda is one of the countries where MTN has the largest number of subscribers, and given that country’s human rights record, the numbers are inexplicably few (12 in total) compared to Congo Brazzaville (1,600), eSwatini (3,661), Ghana (1,642), Guinea Conakry (6,480), Ivory Coast (4,215), Nigeria (4,751), Rwanda (602), South Africa (15,903), South Sudan (1,748), Sudan (5,105), and Zambia (8,294).
  3. In its transparency reporting on implementation of its Digital Human Rights Policy, MTN should reflect on the role of local laws and regulations in enabling or hampering the realisation of digital human rights. What elements are supportive and which ones are retrogressive? Which grey areas need clarification or call for repeal of laws?
  4. Include in the MTN transparency report a detailed and analytical section on network disruptions, as these are highly controversial and have wide-ranging economic, public service and human rights impacts, yet they are becoming endemic in many of the countries where MTN operates. Further, MTN should include information on whether it received (or demanded, as we propose it should) written justifications from regulators (or the government officials and bodies who issue shutdown orders) for the shutdown orders, including citation of the specific laws and provisions under which they are issued and the situation that warranted invoking the disruption. Additionally, the MTN Group should commit to scrutinise each demand, order or request and challenge it if it is not clear, specific, written or valid, or does not comply with national laws. It should also keep a written record of such demands, orders or requests.
  5. The MTN Policy and reporting should have a section and actions dedicated to inclusion of marginalised groups, a key area being enabling access and accessibility for persons with disabilities. Research conducted by CIPESA showed that, in countries where it operated, MTN had not taken any deliberate efforts to make its services more accessible to persons with disabilities. Beyond the additional section, MTN should appoint / designate Inclusion and Human Rights Ambassadors, and build the capacity of internal teams to facilitate engagement and compliance with digital accessibility obligations.
  6. MTN should take a proactive stance in making its Digital Human Rights Policy, including country-specific transparency information, well publicised among users, civil society and government officials in the respective countries. This will aid the growth of knowledge about MTN policies, inspire other companies to respect human rights, and draw feedback on how MTN can further improve its human rights policies and practices.
  7. MTN should develop relationships with, and have proactive and sustained engagements with civil society, consumer groups and governments on the implementation of its Digital Human Rights Policy. Such engagements should not only be post-mortem after-the-fact reviews of reports after their publication but should be continuous and feed into the annual reporting. This engagement should also include external experts and stakeholders in the conduct of regular human rights due diligence as envisaged by Principle 15 of the UNGPs. Such engagements could also relate to raising concern on the national laws, policies and measures which pose a risk to digital rights.
  8. As part of due diligence, MTN should periodically assess and examine the impact of its enforcement of its terms and service, policies and practices to ensure they do not pose risks to individual human rights, and the extent to which they comply with the UNGPs and are consistent with its Digital Human Rights Policy. Such assessments are essential to determining the right course of action when faced with government requests and other potential human rights harms.
  9. MTN should add to its Policy and make public its position on network disruptions and outline a clear policy and the procedures detailing how it handles information requests, interception assistance requests, and disruption orders from governments.
  10. Support initiatives that work to grow access, affordability, and secure use of digital technologies, and speak out about any licensing obligations and government practices that undermine digital rights.
  11. Join key platforms that collaboratively advance a free and open internet and respect for human rights in the telecommunications sector, such as the Global Network Initiative (GNI), endorse the GSMA Principles for Driving Digital Inclusion for Persons with Disabilities, and align with local actors on corporate accountability (such as the Uganda Consortium on Corporate Accountability).
  12. MTN should, at a minimum, provide simple and clear terms of service, promptly notify users of decisions made affecting them, and provide accessible redress mechanisms and effective remedies.
  13. MTN should institutionalise its commitment to digital rights by putting in place a governance structure at the country level with oversight at a senior level, train its employees on the policy, and create awareness among its customers to ensure the realisation of the policy.

CIPESA stands ready to continue to engage with MTN on ways to improve and effect its Digital Human Rights Policy. We can be contacted at [email protected].