Senegal Elections: CIPESA and AfricTivistes Engage Key Stakeholders on Content Moderation

By Abdou Aziz Cissé, Laïty Ndiaye and CIPESA Staff Writer |

The postponement of Senegal’s presidential elections in February 2024 escalated political tensions in the west African country. In response, the Ministry of Communication, Telecommunications and Digital Economy suspended access to mobile internet, first on February 5 as parliament debated the extension of President Macky Sall’s tenure, and again on February 13 amidst civil society-led protests. The ministry claimed that social media platforms were fuelling the dissemination of “several subversive hate messages” that incited violence. 

The February 2024 restrictions on access to mobile internet were the third instance of network disruptions in the country, which had in the past kept the internet accessible during pivotal moments including elections. Last year, Senegal restricted access to the internet and banned TikTok, amidst opposition protests.

It is against this backdrop that the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), in partnership with AfricTivistes, organised a workshop on platform accountability and content moderation on February 8, 2024. The workshop held in the capital Dakar examined the efficacy and impact of content moderation and discussed the opportunities for stakeholder collaboration and common approaches for advancing internet freedom in Senegal. 

As at September 2023, there were over 18 million internet subscribers in Senegal. Participants at the workshop acknowledged that the growth in user numbers had fueled online disinformation and hate speech, which are threatening social cohesion. However, they also raised concerns about the disproportionate responses, notably network disruptions instituted by the government, which undermine freedom of expression, access to information and citizen participation. 

According to Ababacar Diop, a Commissioner with the Personal Data Protection Commission (CDP), efforts to curb the spread of harmful and illegal content online had seen the Commission partner with popular social media platforms to explore mechanisms to effectively regulate content. He added, however, that since the platforms are not domiciled in Senegal, the partnership’s effect has been limited. Besides being the authority responsible for personal data protection, the CDP’s mandate includes ensuring that technology does not pose a threat to the rights and lives of citizens. 

The CDP’s engagements with platforms complemented user reporting of harmful and illegal content and the trusted partner programme. However, participants noted that user reports and trusted partner programmes are heavily subjective, with users and partners sometimes flagging content as inappropriate or dangerous “solely based on their opinions”. “Moderation policies by platforms and governments must be alive to differing contexts and opinions,” said Serge Koué, a blogger and Information Technology expert. Moreover, algorithm-based content moderation measures are also prone to the same challenge, as they do not understand local context and languages, according to Pape Ismaïla Dieng, Communication and Advocacy Officer at AfricTivistes.

The complexities in content moderation were further highlighted with case studies from Nigeria and Uganda. In 2021, former Nigerian President Muhammadu Buhari announced a countrywide ban on Twitter following the deletion of a tweet from his account about the Biafra civil war. Twitter claimed the tweet violated the platform’s policy on “abusive behaviour.” Twitter was blocked from operating in the country following this face-off. In October 2021,the government issued several conditions for lifting the ban. It required Twitter to set up a local office, pay tax locally and cooperate with the Nigerian government to regulate harmful tweets. The platform remained banned in the country until January 2022. 

In Uganda, during the 2021 election period, Facebook and Twitter suspended the accounts of various pro-government individuals over what Facebook described as “Coordinated Inauthentic Behaviour (CIB)” to suit the online narrative interests of the ruling party. The platforms’ actions  sparked the ire of President Yoweri Museveni who responded by stating in a national address that, “If you want to take sides against the (ruling party), then that group will not operate in Uganda,” adding that, “We cannot tolerate this arrogance of anybody coming to decide for us who is good and who is bad.” A day later on January 11, 2021, access to social media was blocked and two days later the internet as a whole was blocked as citizens prepared to go to the polls. Facebook remains blocked to-date. 

The experiences from Nigeria and Uganda highlighted not only the role of public figures as perpetrators of harmful content but also the impact of the unchecked power of governments to censor and restrict access to platforms in direct response to content moderation based on platforms’ Community Standards.

During the workshop, Olivia Tchamba, Meta’s Public Policy Manager for Francophone Africa, stated that the platform was committed to striking a balance between giving users a voice and ensuring the predominance of reliable information. She added that regulation coupled with responsible user behaviour should be the norm. 

CIPESA’s Programme Manager Ashnah Kalemera also reiterated that content moderation requires a multi-stakeholder and multi-faceted approach not only involving platforms and regulators but also users. 

The workshop, which was attended by 25 participants including journalists, social media influencers, human rights defenders and staff of civil society organisations, called on platforms to ensure their terms of use are available in multiple languages, increase transparency in their content moderation processes, and promote awareness and understanding among African users of recourse mechanisms. 

They also emphasised that consolidating efforts such as by civil society, the CDP and Meta’s Oversight Board in line with national laws and international human rights standards, would help create a social media ecosystem that upholds freedom of expression and privacy, among other rights. 
Whereas the Senegalese Constitutional Court ruled against the postponement of elections, a new date for the polls is yet to be determined. The dialogue during CIPESA’s and AfricTivistes workshop is critical as tensions continue to simmer online and offline, and sets the pace for similar engagements in other African countries set to go to the polls during 2024 and the push for increased tech accountability.

A Decade of Internet Freedom in Africa: Report Documents Reflections and Insights from Change Makers

CIPESA Writer |

Over the last decade, Africa’s journey to achieve internet freedom has not been without challenges. There have been significant threats to internet freedom, evidenced by the rampant state censorship through
internet shutdowns, surveillance, blocking and filtering of websites, and the widespread use of repressive laws to suppress the voices of key actors.

However, amidst all this, there is a community of actors who have dedicated efforts towards advancing digital rights in the continent with the goal of ensuring that more Africans can enjoy the full benefits of the internet.

As part of our efforts recounting the work of the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) over the years, we are pleased to share this special edition report: A Decade of Digital Rights in Africa: Reflections and Insights from 10 Change Makers, where we document reflections and insights from ten collaborators who have been instrumental in shaping Africa’s digital and Internet freedom advocacy landscape over the last ten years.

These changemakers have demonstrated change by advocating for a more free, secure, and open internet in Africa and working to ensure that no one is left behind.

Read the full report: A Decade of Digital Rights in Africa: Reflections and Insights from 10 Change Makers!

Meet the Changemakers

‘Gbenga Sesan, the Executive Director of Paradigm Initiative, is an eloquent advocate for internet freedom across the continent, leading efforts to push back against repressive laws and promoting digital
inclusion while speaking truth to power. He continues to champion the transformative power of technology for social good and to drive positive change in society.

Arthur Gwagwa is a Research Scholar at Utrecht University, Netherlands, and a long-standing advocate for digital rights and justice. His work in the philanthropic sector has been instrumental in supporting various grassroots initiatives to promote internet freedom in Africa. Similarly, his pioneering research work and thought leadership continue to inspire and transform the lives of people in Africa.

Edetaen Ojo, the Executive Director of Media Rights Agenda, is a prominent advocate for advancing media rights and internet freedom. Known for his strategic vision and dedication to media freedom, he pioneered the conceptualisation and development of the African Declaration on Internet Rights and has been a key voice in shaping Internet policy-making in Africa.

Emilar Gandhi, the Head of Stakeholder Engagement and Global Strategic Policy Initiatives at Meta, built a strong foundation in civil society as an advocate for Internet freedom. She is a prominent figure in technology policy in Africa whose expertise and dedication have made her a valuable voice for inclusivity and responsible technology development in the region.

Dr. Grace Githaiga, the CEO and Convenor of Kenya ICT Action Network (KICTANet), has been a leading
advocate for media freedom and digital rights in Africa. Her tireless advocacy in shaping internet policy has earned her recognition for her pivotal roles in championing internet freedom, digital inclusion,
multistakeholderism, and women’s rights online.

Julie Owono, the Executive Director of Internet Sans Frontières (Internet Without Borders), is a passionate and respected digital rights advocate and thought leader in the global digital community. She is not only a champion for internet freedom in Africa but is also a symbol of hope for many communities standing at the forefront of the battle for internet freedom and connectivity in Africa.

Neema Iyer, the founder of Pollicy, is well known for her advocacy efforts in bringing feminist perspectives into data and technology policy. Her dynamic and multi-faceted approach to solving social challenges exemplifies the potential of data and technology to advance social justice and promote digital inclusion and internet freedom in Africa.

Dr. Tabani Moyo, the Regional Director of the Media Institute of Southern Africa (MISA), is a distinguished
media freedom advocate and influential leader in guiding a community of changemakers in Southern Africa. He has played an extensive and formidable role in pushing back against restrictive and repressive laws, supporting journalists under threat, empowering young Africans, and shaping internet governance policies.

Temitope Ogundipe, the Founder and Executive Director of TechSocietal, has been a champion for digital rights and inclusion in Africa. She is an advocate for women’s rights online and uses her expertise to contribute to the development of youth and address digital inequalities affecting vulnerable groups across the continent.

Wafa Ben-Hassine, the Principal Responsible Technology at Omidyar Network, is a recognised human rights defender and visionary leader dedicated to promoting human rights and responsible technological
development. Her relentless advocacy and valuable contributions to defending digital rights, civil liberties, and technology policy continue to inspire many across the continent.

Join the Report Launch Webinar:

When: January 31, 2024
Time: 14:00-16:00 (Nairobi Time)
Location: Zoom (Register here)
After registering, you will receive a confirmation email containing information about joining the webinar.

Updated: Watch the report launch webinar.

Ongoing Power Cuts Set Back South Africa’s Gains on Digital Access 

By Tusi Fokane |

Over the last 15 years, South Africa has been caught in the midst of  an energy crisis with 2023 marking the most challenging period. The country experienced record-breaking power cuts, resulting in 300 days of load shedding at an economic cost of ZAR 1 billion per day (USD 55 million).  The power cuts which in some instances run up to eight hours a day have impacted South African society in various ways including through a rise in crime, reduced access to economic opportunities, health care, education and essential government services. There have also been concerns raised on the impact of load shedding on access to the internet. 

Internet access concerns fueled by the power cuts have included data affordability, availability of pre-paid internet packages, and convenience of access.  Whilst telecommunications companies have taken steps to minimise access disruptions, by investing in increased security, back-up, and alternative sources of energy, experts have warned that the continued power disruptions would exacerbate the digital divide, particularly for rural and poor communities. As part of efforts to avert the crisis, in May 2023,  the Independent Communications Authority of South Africa (ICASA), established a committee to assess the impact of load shedding on consumers of electronic communications, broadcasting, and postal services towards informing regulatory interventions for the sector.  

Meanwhile, according to the Institute for Security Studies (ISS) telecommunications companies are lobbying for the declaration of the sector as a national strategic asset under the Critical Infrastructure Protection Act. The law deems a sector critical if it is essential for the economy, national security, public safety and the continuous provision of basic public services.

A Fracturing Digital Access Divide 

An estimated 79 percent of the South African population has access to the internet, predominantly through their mobile devices. Access to the internet, particularly in the post-Covid-19 environment, increased reliance on the sector as internet access facilitated many digital activities such as remote work and e-learning. However, the frequency of load shedding affects digital gains particularly for small businesses and students, leaving those without access to alternative sources of power, often unable to access internet services effectively.  According to Accountability Lab, citizens who can afford extra internet data, generators, and solar panels are managing to cope with the power outages. However, the Lab notes a widening of the gap between “digital haves and have-nots” and stresses that ”with limited access to online education and work options, citizens who are already struggling to afford the cost of living find themselves further behind.” Activists have warned that any load shedding mitigation undertaken by mobile network operators should not come at the expense of poor consumers who run the risk of being charged more for data services. 

Indeed, in a country with one of the highest inequality levels in the world, and an unemployment rate of 42 percent, there are concerns that continued load shedding is contributing to inequality and deepening the digital divide. Lower-income households have resorted to staying up until midnight waiting to benefit from “internet happy hours” where data packages are offered at cheaper rates than daytime packages.

Money Spent on Mitigating Load Shedding Could be Used to Expand Rural Access

Telecommunications service providers have not been spared from the consequences of the power cuts. The country’s second-largest mobile operator – MTN South Africa – reportedly spent ZAR 6.6 billion ( USD 360 million) on improvements to its network in 2023. Competitor, Vodacom, is set to increase its annual infrastructure spend to  ZAR 12 billion (USD 654 million) to strengthen its network. The investments will go towards back-up power systems (additional batteries, fuel and generators, and alternative energy sources) at their base stations and data centres. In addition, operators face increased security costs, due to theft and vandalism at their sites including the potential theft of high-capacity batteries which can fetch high values on the black market. 

The investment into back-up systems and batteries is key as longer periods of load shedding often result in batteries not charging sufficiently, affecting network availability, particularly in rural areas.  ICASA was recently taken to task by Members of Parliament for not conducting effective oversight in ensuring access to adequate network coverage. It was noted that service providers generally take their time to get to rural areas when there is a breakage or theft of cables or batteries, which undermines network stability in affected communities. The Select Committee Chair on Public Enterprises and Communication highlighted that internet access “is now no longer a matter of privilege but rather a right to have reliable signal” adding that ICASA needs to be firm and ensure that communications services are consistently provided. 

However, further challenges remain in rural areas which still face insufficient infrastructure deployment. Network operators concede that ongoing load shedding diverts much-needed capital away from rural infrastructure projects and new technologies. Concerns have also been raised on the negative impact to consumers, who will likely carry the additional costs through higher tariffs. Higher income earners have invested in fibre and wireless solutions to maintain connectivity during load shedding, but this comes with the additional costs of installing uninterruptible power supply (UPS). Some experts suggest that satellites, coupled with alternative energy sources, may be more resilient during higher stages of load shedding, or in the event of a total grid collapse. 

Industry stakeholders, through the Association of Comms and Technology have been lobbying for increased government support through policy reform and fuel subsidy rebates in order to avert a digital doomsday scenario where digital networks fail as a result of ongoing power cuts. The industry eagerly awaits the outcome of the ICASA committee on the impact of load shedding on the communications sector, which will hopefully also provide some relief to South African internet users.

CIPESA Launches Framework to Assess ICT Accessibility for Persons with Disabilities in Africa

By Frank Kisakye |

In many instances, persons with disabilities are unable to use digital technologies because these technologies lack “digital accessibility,” namely the ability of a website, mobile application, or electronic document to be easily navigated and understood by a wide range of users, including those with visual, auditory, motor or cognitive disabilities. The issue is especially key in African countries, where persons with disabilities contend with various forms and layers of exclusion, contradicting the potential for inclusion promised by technology despite one of the pillars of the 2030 Agenda for Sustainable Development Goals (SDGs) pledging to “leave no one behind.”

Against this background, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) hosted experts from multiple countries in a webinar to discuss developments pertaining to efforts aimed at enhanced digital inclusion for persons with disabilities. The webinar also served to commemorate the International Day for Persons with Disabilities on December 4, for which CIPESA launched its revised Disability and ICT Accessibility Framework Indicators: A Framework for Monitoring the Implementation of ICT Accessibility Laws and Policies in Africa.

Speaking at the webinar, Dr. Abdul Busuulwa, a lecturer at Kyambogo University Institute for Special Needs (Uganda) and also a CIPESA board member, noted that there are several tools and devices that mitigate barriers to accessibility for users with visual, physical, hearing, intellectual, and psychosocial disabilities. He also highlighted the accessibility guidelines published by the Web Accessibility Initiative of the World Wide Web Consortium which are  aimed at making web content more accessible for persons with visual and hearing impairment, learning disabilities, cognitive limitations, limited movement, speech disabilities, photosensitivity, and combinations of these.

However, the spectrum for ensuring digital access for persons with disabilities is expansive. Titilola Olatunde-Fasogbon, a senior associate at Udo Udoma & Belo-Osagie (Nigeria), noted that in addition to the technical aspects of inclusion, such as websites, more deliberate efforts need to be made by stakeholders in the information ecosystem.  Olatunde-Fasogbon pointed out the role of media houses and the need for more investment into meeting the needs of persons with disabilities as part of broadcasting, such as through more sign language interpretation, subtitling, dubbing for non-English speakers or audio-to-text options, as well as provisions for alternate text for non-text content.

She added that governments also need to ensure that policies and laws align to enhance digital inclusion for excluded communities and that they should be at the forefront of driving such policies. Further, that for digital inclusion to be realised for persons with disabilities, civil society organisations must pursue more collaborative efforts with governments as “governments are obligated to offer the much-needed tax-related policies, tax holidays for commercial companies involved in digital inclusion beyond just passing the laws.”

Collaborative efforts were also emphasised by Dr. Diana Msipa, Manager, Disability Unit at the University of Pretoria (South Africa), who stressed that digital inclusion efforts should even be more deliberate for persons with disabilities in rural areas as they face numerous exclusions such as limited availability of infrastructure and public resources, as well as scarce economic opportunities. Dr. Msipa called for more conscious efforts to make it mandatory for governments and organisations to translate adverts, engage sign language interpreters, and use of non-complex language, among other measures, to ensure information reaches audiences often excluded.

Further efforts at Diversity, Equity, and Inclusion (DEI) also need to be part of narratives on digital inclusion for persons with disabilities, including through more employment opportunities and leadership positions for persons with disabilities. Dr. Karen Smit, Manager of Disability Unit at Vodacom (South Africa) stated that, “Employers should embrace an inclusive culture so that staff with disabilities can feel they belong. Senior leaders must speak about disability, and ongoing awareness raising must be conducted with management and all staff.” 

Dr. Smit noted that solutions for digital inclusion already exist for mainstream devices and called for more stakeholders, including private sector actors, to pursue awareness initiatives and campaigns on their existence.  She noted that  Safaricom – a subsidiary of Vodacom – introduced the Interactive Voice Response (IVR), a mobile money (M-PESA) solution that enables the visually impaired and blind customers to be in control of their M-PESA transactions.

Similar sentiments were expressed in a 2020 CIPESA report – Access Denied How Telecom Operators in Africa Are Failing Persons With Disabilities, which found that while there are various efforts to increase ICT usage in Africa, there is limited information about what telecom companies are doing to promote digital accessibility. 

While there may be efforts aimed at improving digital inclusion, these need to be assessed regularly. CIPESA’s Revised Disability and ICT Accessibility Framework notes that an accessible web also benefits people without disabilities, for example, older people with changing abilities, people using a slow/expensive Internet connection; and people with “temporary disabilities” such as a broken arm or poor eyesight. The framework implores companies, governments, and organisations to conduct a self-diagnosis on whether they meet the threshold of the five broad disability and ICT accessibility framework indicators which include legal and regulatory, accessibility framework for public access, mobile communication accessibility, television, video programming accessibility, and web accessibility.  

The five indicators were informed and crafted around key provisions within national laws, policies, and international human rights instruments on ICT and Disability. Other international ICT Accessibility standards, such as The Web and Mobile Content Accessibility Guidelines developed by the World Wide Web Consortium, informed the indicators.

It is anticipated that this framework will be useful for monitoring and measuring public and private stakeholders’ compliance and implementation of inclusion obligations and inform research, advocacy, and capacity building on ICT for persons with disabilities in the region. 

In addition, the assessment informs planning for different interventions at country and regional levels since it reveals areas that need further interventions. It can also highlight good practices that can help inspire other countries that may still be far in the journey or still struggling with certain aspects of improving their disability digital rights.

Panelists encouraged Disability Rights Organisations, policymakers, mobile network operators, researchers, and academia interested in advancing the rights of persons with disabilities to utilise the framework as a key pillar in their digital accessibility and inclusion efforts.

Here is the Disability and ICT Accessibility Framework Indicators: A Framework for Monitoring the Implementation of ICT Accessibility Laws and Policies in Africa

Patient Data Privacy in the Age of Telemedicine: Case Studies from Ghana, Rwanda and Uganda

By CIPESA Writer |

With the increasing adoption of digital tools in healthcare provision in Africa, these case studies on e-health startups in Ghana, Rwanda and Uganda show how countries are dealing with privacy implications around patient data.  

Telemedicine is broadly defined as the delivery of healthcare services including diagnosis, treatment, research, education and evaluation to communities and individuals over long distances using information and communication technologies.  

A variety of other terms such as e-health, e-medicine, and tele-health are sometimes used interchangeably to mean the same thing as telemedicine. Remote delivery of healthcare services using telecommunications infrastructure helps overcome various barriers where access to quality healthcare is still a challenge. They ensure that no matter the patient’s location, they can still access timely care via telephone consultations with a physician, or obtain an express pick-up service of diagnostic tests and home delivery of results, or online access to prescription drugs. This is increasing equity in healthcare access for many in Africa. 

Covid-19, A Blessing in Disguise

Following the outbreak of Covid-19 in 2020, many African countries instituted some of the harshest containment measures to stop the spread of the disease. Entire economies were shut, from markets to schools to public transportation, and any activity that involved people getting into physical contact with one another was severely restricted. 

During the period, healthcare-seeking behaviour changed, since hospitals were at the epicentre of the crisis, receiving patients and hosting isolation centres. As a result, many African governments increased their reliance on digital technologies to contain the spread of the virus. Some of the measures included increasing digital transformation efforts, expansion of e-government services, mobile money services, and internet access. Furthermore, ministries of health relied on digital technologies and mobile applications for contact tracing, ambulance management, delivery of drugs, and awareness creation, and encouraged citizens to seek medical care online. This dramatically increased the visibility and popularity of hitherto unknown e-health startups and led to the rapid development of new ones.

For example, Uganda’s Rocket Health, a telemedicine start-up in existence since 2012, saw a dramatic increase in the number of subscribers. Similarly, Ghana’s mPharma, a startup that originally specialised in running a network of online pharmacies, diversified its services from simply delivering drugs to facilitating patient-physician telephone consultations. Also, Rwanda’s e-government Portal Irembo became the de facto hub for ordering Covid-19 tests and applying for and renewing Mutalle des sante, the country’s community-based health insurance scheme.

With a doctor-to-patient ratio of 0.2 physicians per 1,000 people compared to a global average of 1.6 as of 2018, the appeal of telemedicine in Sub-Saharan Africa is not surprising, given the enormous gap in healthcare providers. In addition, the increasing access to mobile phones (43%) and internet penetration (46%) in Sub-Saharan Africa are a great enabler of the surge in e-health adoption.

Patients’ Data Privacy Concerns

Inevitably, the increasing adoption of telemedicine is generating questions about the quality of care and the protocols in place to safeguard and protect patients’ health data. Until recently, there were few legal and policy guidelines regulating the use of telemedicine in most African countries. Bodies such as the World Health Organization (WHO), the African Union (AU), and the Africa Centres for Disease Control and Prevention (CDC) have in the recent past published digital transformation strategies to leverage the current surge in digitalisation. 

However, while several countries have enacted data protection laws and policies, they tend to be broad in outlook and are not focused specifically on e-health, the data it generates or how to safeguard it. Likewise, despite several African Ministries of Health drawing up Digital Health Strategies (see for instance UgandaMalawi and Ghana), measures to safeguard digital patient data privacy and protection have not been extensively elaborated. 

A 2021 study assessing the attitudes of telemedicine users in Sub-Saharan Africa found that trust, data safety and privacy concerns were among the biggest worries users had about telemedicine platforms. While the study revealed a wide usage of telemedicine technology across the region, it also showed that technological, organisational, legal and regulatory, individual, financial, and cultural issues were major barriers to the successful implementation of telemedicine in the region. Moreover, concerns regarding patients’ security, privacy and protection of medical data were highlighted as major barriers to the adoption of e-health technology as they created doubt for both clinicians and patients in terms of protection against potential abuse of patients’ data and unlawful disclosure of confidential medical records. 

A Closer Look at Select Telehealth Startups and their Data Privacy Policies 

Most e-health apps have long and elaborate Terms of Use and data privacy policies to assure users of their data privacy and security. These policies may differ from one app to the other, depending on the services provided, the nature of the operation of the start-up (for example, some are Public-Private-Partnerships where governments have a stake) and the legal framework in the country of operation. However, some terms of use are too long and stepped in too much legalese that most users do not read them or when they do, may not sufficiently understand the provisions or their implications. 

  1. Rocket Health (Uganda)

Rocket Health is a telemedicine service offered by The Medical Concierge Group (TMCG) Ltd. It offers teleconsultations, an online pharmacy with home delivery of medicines, laboratory services, and clinic services. Recently, it opened a number of physical clinics around Kampala. 

Rocket Health’s popularity exploded following the outbreak of Covid-19, moving from a few thousand virtual consultations a year to about 400,000. The company charges a USD 3 consultation fee and USD 1.5 for drug delivery, making it affordable to a majority of its clientele. Currently, the company reports over one million interactions facilitated with up to 80,000 active users. Since its inception, Rocket Health has grown its reach to 42,597 voice call users, 6,862 WhatsApp users, and 40,000 followers via the different social media platforms through which its services are also available.

In 2022, Rocket Health raised more than USD 5 million from investors and commenced scaling up its operations. The Medical Concierge Group Africa has now set up shop in Kenya and Nigeria to enable it to venture into more tele-health innovations and plans are underway to expand their portfolio to other African countries.

Users mostly access Rocket Health Services through its website or by downloading the Rocket Health Android app on their smartphones. In addition, the service can be accessed through a USSD service (*280#) for those with feature phones, and through chat on its social media channels on WhatsApp, Facebook and X.

Rocket Health collects and processes an enormous amount of data from its clients. It is worth examining how the company guarantees the safety and privacy of its patients’ data. The company has an extensive data privacy policy on its website that explains in detail the data it collects, how it collects it, and how it uses it. The policy states that “TMCG may collect some information from other third-party applications such as Facebook, Twitter, when you subscribe to our services, participate in surveys, login into our websites using a third-party login system (including, but not limited to, Facebook, Twitter, etc.), or otherwise communicate with us”. 

 The company adds that it takes precautions to protect collected personal information from loss, misuse, unauthorised access, disclosure, alteration, or destruction, taking into account the risk level and the nature of the data. However, it adds that clients “are responsible for taking every reasonable precaution on your end to protect any unauthorised person from accessing your TMCG account.”

 The c companies also adds a disclaimer that “…due to the design of the internet and other factors outside our control, we cannot guarantee that communications between you and our servers will be free from unauthorised access by third parties.”

The Personal Data Protection and Privacy Act (2019) is the primary legislation governing the protection of personal data in Uganda. The law aims to safeguard the privacy of individuals’ personal information and to regulate the processing of personal data by data controllers and processors. It further spells out the obligations of data collectors, processors and controllers while handling personal data. It also regulates the use and disclosure of personal data. It specifies the rights of the data subject, including seeking consent, explanation of the nature of the data being collected and its purpose. 

Moreover, the law established the Personal Data Protection Office (PDPO) under the National Information Technology Authority – Uganda (NITA-U), mandated to oversee the implementation and enforcement of the Act, receive and investigate complaints from data subjects, and establish and maintain a data protection and privacy register. The Uganda Data Protection & Privacy Regulations 2020 provide specific rules and requirements for adherence to the Personal Data Protection and Privacy Act.

All organisations collecting personal data are required to register with the PDPO for compliance monitoring and submit annual compliance reports on how they adhere to the data protection law. 

briefing by the PDPO on data protection and privacy in Uganda’s public and private health sector stated that “Principles and obligations in the health sector Health-related data are sensitive information and the Data Protection and Privacy Act establishes them as a special category of personal data due to the possibility of discrimination based on the results of processing it.” The briefing calls on actors in the sector to adhere to the law:

All players in the health sector must be accountable to the individuals from whom data is collected (data subjects) by registering with the Personal Data Protection Office (PDPO), which is the regulator of processors and controllers of personal data. These players must also establish technical and organisation measures which demonstrate compliance, such as having a Data Protection Officer, data protection and information security policies, maintaining a record of all processing activities within the organisation, and conducting data protection impact assessments to mitigate the risks associated with the processing of personal data.

The PDPO online data protection register shows that Rocket Health’s parent company, The Medical Concierge Group Ltd, only registered with the authority in September 2023, over 10 years after its establishment.

A 2021 Privacy Scorecard report for Uganda by Unwanted Witness found that health services in the country recorded the lowest performance for robust data security, with private health facilities exhibiting the worst levels of vulnerability in compliance with data protection standards.

Image poto

Visual Credit: Unwanted Witness

In its Health Information & Digital Health Strategic Plan 2021-2025, the Uganda Ministry of Health aims to “Improve data security and disaster recovery to ensure continuous access and availability of health data as well as compliance to data protection and privacy act.” Under this goal are key strategic interventions including to:

  • Develop guidelines for data privacy and protection in the health sector including secure handling and use of data and ICT assets. 
  • Undertake a census of all data controllers in the health sector to facilitate monitoring for compliance to established guidelines. 
  • Implement security protocols for data access in the health sector.
  • Undertake capacity building of health workers on data security, privacy, and protection in conjunction with the GoU data protection office.

There is so far no publicly available evidence that the Ministry and the PDPO have started this collaboration or when it is expected to start.

  Irembo e-Government Platform (Rwanda)

 Irembo (which means ‘Gateway’ or ‘Door’ in the local Kinyarwanda language), is an e-citizen portal for the provision of various government services to the public. The portal is managed by Irembo Ltd, a local technology company, in partnership with the Government of Rwanda. Started in 2015, the Irembo portal has enabled most Rwandan government agencies to digitise their services, eliminating paperwork and long wait times. Many services in sectors such as family and social affairs, immigration, identification, land, health and education offer services on the platform. Since its launch, the platform has processed over 25 million applications worth USD 300 million.

 Some of the health services provided on the platform include ordering and paying for Covid-19 tests and purchasing Mutuelle, a popular low-cost national community-based health insurance. Irembo is regulated under the Rwandan privacy law and is required to safeguard the privacy and security of its users’ data.

Furthermore, Irembo has published its Data Privacy Policy on its website which describes how it uses and protects the personally identifiable information collected from users of the platform.  The policy states it “is not intended that the e-Government Services Online Portal can be used anonymously. But no personal information shall be collected from you, unless you provide it voluntarily.”  It adds: 

 As a general rule, we do not collect personal data about you when you visit Irembo web, unless you choose to provide such information to us. Submitting your personal data through our website is voluntary. By doing so, you are giving us your permission to use the information for the services you requested for. We collect personal data to provide you with the services you have requested, including services from third party providers. We may share the above information with Government Institutions, Ministries and Agencies in the performance of their official duties and/or providing you the services you requested for.

 The Government of Rwanda officially gazetted Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy on October 15, 2021. This Law designates the National Cyber Security Authority (NCSA) as the supervisory authority of the law. On March 31, 2022, the NCSA officially launched its data protection office, which will spearhead all activities related to protecting the personal data of individuals in Rwanda. In August 2023, Irembo was accredited by the NCSA as a data controller and data processor, in accordance with the data protection law.

 The data protection law defines sensitive personal data as “information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.” The Rwandan constitution also provides for the right to privacy under article 23 as their fundamental right and any data collected on citizens must only be done with consent.  

 mPharma (Ghana)

The Covid-19 pandemic was also a boon to Ghana’s nascent telemedicine industry. The surge in Covid-19 cases in 2020 meant that Ghana had to institute drastic measures to contain the pandemic. These included scaling up efforts to integrate telemedicine into the mainstream healthcare system.

One of the companies that took advantage of this crisis was mPharma, a Ghanaian start up originally founded to manage prescription drug inventory for pharmacies and their suppliers. The company started providing physician consultations at its network of Mutti pharmacies and also set up online patient-doctor consulting, to reach more people, just as Rocket Health did. 

mPharma now employs hundreds of people and has since expanded its operations to Gabon, Ethiopia, Nigeria, Kenya, Zambia, Malawi and Rwanda.  In 2022, the company raised USD 35 million from investors and plans to expand into more African countries. 

mPharma’s privacy policy is remarkably similar to that of Uganda’s Rocket Health except that it goes into more detail on what happens to clients’ data in case it is to enter into a merger or is acquired by third party companies, but does not state if the data subjects have a right of refusal to such potential transfer of data.

In the event of any merger, acquisition or other arrangement whereby mPharma sells or transfers all, or a portion of its business or assets (including in the event of a reorganisation, dissolution or liquidation) to third parties, you hereby consent that your personal data held with mPharma can be transferred or assigned to third parties who may become the controllers and/or processors of your personal data that was held by mPharma prior to such merger, acquisition or other arrangement. mPharma shall at all times ensure that you are notified when your personal data is intended to be transferred to third parties in the circumstances outlined in this clause.

Ghana was one the first African countries to pass a data protection law back in 2012. Its Data Protection Commission (DPC), which enforces this law, is one of the oldest on the continent. The registration of data controllers and data processors started in January 2015. The Data Protection Act places special emphasis on health data. Article 62 states that “Personal data which relates to the physical, mental health or mental condition of the data subject shall not be disclosed except where the disclosure is required by law,” among other exceptions. 

In July, 2010, the Government of Ghana launched the national e-health strategy and is planning to  launch a digital health strategy. The national ICT Sector Policy and Strategy highlights the increasing cyber threats hindering the adoption of ICT in healthcare and calls for mechanisms for the protection of patient data.

How to ensure patient privacy and data protection 

There are significant gaps in current data protection and privacy policies of eHealth service providers in Africa regarding patient data collected. For example,

  •   Some startups in their privacy policies do not provide for protections in case of mergers or acquisitions, a common occurrence in startup ecosystems; or what the rights of the data subjects are in this situation and what privacy implications such mergers might have on clients’ data rights. 
  •     Secondly, most of the policies are written in such a careful and calibrated way to reduce as much as possible the burden of responsibility and duty of care for patient data protection, away from the company. This is the reason for multiple indemnifications and disclaimers written in the company policies. 
  •   Thirdly, the regulatory environment in terms of national data protection laws is not robust enough as it does not provide sector-specific guidance especially for very sensitive sectors such as healthcare. While the general legal regime on data protection appears strong, there is a need for specific guidelines to ensure patient privacy and data protection in the digital health context. Entire sections need to be added in National Data Protection Laws that focus on health data governance especially in digitally provided healthcare services. 
  •   There is also limited collaboration between Ministries of Health and Data Protection Authorities. There is thus far little evidence of any sanctions that have been borne by health startups that have not adhered to some of the requirements of the Data Protection Authorities, such as registering their operations with the data protection authorities and hiring data protection officers in their companies.

Data protection offices need to work more closely with ministries of health and private digital health providers to design strong regulatory frameworks that guarantee patient privacy and data safety while facilitating the growth of the telemedicine industry. 

Countries could model their digital health data protection policies on the WHO guideline recommendations on telemedicine, which calls for client-to-provider telemedicine to complement, rather than replace, the delivery of health services and in settings where patient safety, privacy, traceability, accountability and security can be monitored. In this context, WHO further states that monitoring should include the “establishment of standard operating procedures (SOPs) that describe protocols for ensuring patient consent, data protection and storage, and verifying provider licensing and credentials.”With many startup companies increasingly venturing into health services, the data protection laws need to be updated accordingly to provide more robust health data protection. 

Companies could, among other measures, take the following actions:

  •   Update their clients with information of any mergers or takeovers of their companies in case they happen, appraise them of the implications of such mergers and what role the clientele has to play, or their rights and obligations. 
  •   Any app updates or system upgrades with implications on patient data, new demands for, or changes in their data protections protocols, should be swiftly and transparently communicated to users, as well as what implications that might have on the use of these apps on their devices.
  • Conduct ongoing, consistent education of their clients on their data rights and the measures being taken to ensure the protection, privacy and integrity of medical records.
  •     Beyond just bland privacy policies and Terms of Use documents on their websites, companies need to have robust engagement and communication strategies to guide their constant interfaces with clients to ensure consistent safety and privacy of their data.