Towards Regulation of App-Based Health Data in Africa

By Edrine Wanyama

Digital health technologies are reshaping healthcare delivery across Africa. App-based systems now connect patients, clinicians, pharmacies, laboratories, and public health agencies, creating new opportunities to improve access, efficiency, and coordination of care. At the same time, they generate large volumes of highly sensitive health data, much of it moving across platforms, providers, and in some cases, national borders.

A new policy brief by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) examines the critical need for robust governance of app-based health data in Africa.

The brief highlights significant health data governance gaps, which include the lack of health-specific AI regulation, fragmented legal, policy and institutional frameworks, and the unresolved distinction between wellness tracking and clinical care. These gaps fundamentally undermine health data handling and management standards, with flaws in consent, accountability, and cross-border data management requirements.

Across the continent, digital health applications now span multiple functions within health systems, from clinical management systems and electronic medical records (EMR) platforms to pharmaceutical logistics and supply chains. Alongside these systems, AI-enabled and specialist care platforms are expanding diagnostic and treatment capacity. Patient-facing applications are also expanding, particularly in chronic care, maternal health, and home-based services.

While these innovations are improving access to services and efficiency, they also introduce significant governance risks. Health data is among the most sensitive categories of personal data, capable of revealing medical history, reproductive health, mental health status, and genetic information. In app-based systems, this data is often processed by multiple actors, including developers, health providers, cloud infrastructure providers, and third-party analytics firms, many of which are not visible to users.

In practice, consent is often weak or poorly understood, data sharing arrangements are opaque, and users have limited visibility or control over the use of their information. This creates risks not only to privacy, but also to trust in digital health systems.

These risks are compounded by fragmented legal and institutional frameworks. Although many countries have enacted data protection laws and digital health policies, enforcement remains uneven and coordination between health ministries, data protection authorities, and digital regulators is often weak. This creates a persistent governance gap between the rapid expansion of app-based health systems and the capacity of institutions to regulate them effectively.

At the continental level, emerging frameworks such as the Africa Centres for Disease Control and Prevention (CDC) and global guidance such as the World Health Organization (WHO) Digital Health Strategy set important normative directions for secure, rights-respecting health data governance. However, translating these commitments into enforceable national systems remains limited, particularly in relation to interoperability, cross-border data flows, and platform accountability.

The brief calls for the adoption of a strategic governance architecture grounded in seven data governance principles, namely:

  1. Data sovereignty that reflects African public health priorities, democratic oversight and defined accountability mechanisms;
  2. Cross-border data flows where adequate and comparable safeguards exist and support reciprocal recognition arrangements among Data Protection Authorities (DPAs);
  3. Consent, purpose limitation, and data minimisation that enable individuals to make informed decisions about participation and ensure secondary uses are subject to transparency and safeguards;
  4. Interoperability and standardisation of systems to ensure integration and portability;
  5. Governance of AI-based health tools that require algorithmic impact assessments, independent audits and ongoing monitoring;
  6. Equity and inclusion to ensure systems do not further exclude vulnerable and marginalised communities; and
  7. Accountability and institutional coordination through clear allocations of responsibilities across institutions, consistent oversight, enforcement, and compliance monitoring.

The principles are consistent with the CDC Health Data Governance Framework. Together with other continental instruments, they can support harmonised, rights-respecting and secure health data governance in Africa.

The brief presents recommendations for various stakeholders which, if implemented, could foster a progressive and trustworthy digital health ecosystem in Africa. These include:

For the African Union and Regional Bodies

  • Support implementation of the Africa CDC Continental Health Data Governance Framework through clear timelines, monitoring mechanisms, knowledge sharing platforms, and technical assistance for member states.
  • Develop a continental health-app certification framework, recognised across participating jurisdictions, covering consent requirements, interoperability standards, cybersecurity safeguards, data governance obligations, and algorithmic accountability.
  • Facilitate regional data trust zones through reciprocal recognition agreements among Data Protection Authorities, enabling secure and accountable cross-border health data flows for disease surveillance, research collaboration, and pandemic preparedness.

For National Governments and Health Ministries

  • Enact or strengthen health-specific data governance legislation that addresses the full data lifecycle in app-based health systems, including consent, purpose limitation, data minimisation, retention, breach notification, and cross-border transfers.
  • Establish regulatory sandboxes to assess the safety, effectiveness, and governance implications of emerging digital health technologies before large-scale deployment.

For Data Protection Authorities

  • Conduct risk-based audits and impact assessments of high-impact health applications, including privacy, security, and algorithmic fairness, where AI systems are deployed.
  • Develop sector-specific guidance on the processing of health, biometric, and demographic data, including standards for research use, secondary use, and commercial processing.
  • Enter into reciprocal recognition arrangements with counterpart DPAs across Africa to support coordinated enforcement and trusted cross-border data flows.

For Health Service Providers

  • Formalise data processing agreements with health app vendors and third-party processors, including provisions on security, breach notification, audit rights, and liability.
  • Strengthen workforce capacity through regular training on health data governance, cybersecurity, incident reporting, and the responsible handling of sensitive health information.
  • Implement strong authentication, access-control, and encryption measures to protect patient information throughout its lifecycle.

For App Developers and Platform Operators

  • Embed privacy-by-design and security-by-design principles throughout the development, deployment, and operation of health applications.
  • Provide clear and accessible consent mechanisms that enable users to understand and control how their health data is collected, shared, retained, and reused.
  • Conduct regular testing and independent assessments of digital health tools to identify and address bias, accuracy concerns, and performance disparities across African populations.

For Health Service Consumers and App Users

  • Exercise rights over personal health data, including rights of access, correction, portability, and deletion where provided under applicable legal frameworks.
  • Use health applications that comply with relevant regulatory requirements and recognised data protection standards.
  • Report suspected data breaches, misuse of personal information, or harmful automated decision-making outcomes to relevant regulators and oversight bodies.

Please read the full Policy Brief here.

Human Rights Implications of Health Care Digitalisation in Kenya

By CIPESA Writer

The evolution of digital health is largely driven by technological advancements, the quest for more efficient healthcare, and the growing demand for available, accessible, affordable and quality services. The United Nations’ 2030 Agenda for Sustainable Development recognises the transformative potential of Information and Communications Technology (ICT) in fostering human progress, bridging digital divides, and creating knowledge societies. Despite technological advancements, the World Health Organization (WHO) notes that many countries, including Kenya, have yet to fully leverage digital health for positive outcomes. 

The transition from the National Health Insurance Fund (NHIF) to the Social Health Insurance Fund (SHIF) presents a policy shift towards realising Universal Health Coverage (UHC) in Kenya. However, this transition has faced significant challenges that impact the right to health, particularly for vulnerable and marginalised groups (VMGs). A major concern within this transformation is the role of digitalisation in health care management and its implications for service delivery.

It is against this background that the Collaboration on International ICT Policy for East and Southern Africa (CIPESA), the Danish Institute for Human Rights and the Kenya National Commission on Human Rights (KNCHR) undertook a human rights impact assessment on digitalisation of the health care sector in Murang’a, Laikipia, Kisii and Homabay counties in Kenya. The assessment covered the NHIF to SHIF transition, digitalised solutions in the sector, and their potential impacts, especially on access to quality health care by VMGs.

This report presents the findings of the assessment which was conducted through literature review and field data collection, as elaborated in the methodology section below. The report highlights the positive impacts of digitalisation of health services, pressing challenges, and impacts on the state of healthcare. It also provides targeted and actionable recommendations for improving the effectiveness, inclusivity, and human rights compliance of digital health initiatives in Kenya.

As an integral part of a human rights-based approach, this assessment took a gender-responsive approach to adequately reflect the experiences of women and to understand gender relations within households and communities. It included a gender-responsive context analysis and representative participation in engagements as well as the conceptualisation, adaptation, and utilisation of existing public sector digital infrastructure for enhanced gender responsiveness.

A Human Rights-Based Approach to public sector digitisation should include Human Rights Impact Assessments (HRIA) in the conceptualisation, development, implementation, and monitoring of digital solutions, and the results thereof should be made publicly available. HRIA is often called for, but examples of such assessments are hard to come by, and there are few public examples of HRIA of public digitalisation products. Therefore, this assessment documents and shows outcomes that may serve as a model and practical guidance for conducting future human rights impact assessments in the public sector in Kenya and beyond.

Read the full report here.

Does Kenya’s Digital Health Act Mark A New Era for Data Governance and Regulation?

By Edrine Wanyama

In October 2023, Kenya enacted the Digital Health Act which seeks to promote the safe, efficient and effective use of technology for healthcare and to enhance privacy, confidentiality and security of health data. It also provides for the safe transfer of personal, identifiable health data and medical records to and from health facilities within and outside Kenya, and the development of standards for provision of m-Health, telemedicine, and e-learning.

While Kenya enacted the Data Protection Act earlier in 2019, the dedicated digital health law is a positive step towards addressing the potential data privacy challenges related to health data. The law could deliver dividends for the e-health sector by leveraging data and technology to devise interventions and solutions that improve health services delivery.

In a recent brief, CIPESA analyses the Digital Health Act and what it portends for health data governance in Kenya. As the brief notes, if rightly implemented, the law will offer lessons in proper health data governance, while ensuring the rights of data subjects and the principles of data protection are respected and promoted.

The new law is the latest addition to Kenya’s policy and legal initiatives that aim to buttress the health care system including through technology and improved data governance. Others include the National eHealth Policy 2016-2030 and the Guidance Note on the Processing of Health Data developed by the data protection authority.

The Digital Health Act presents an opportunity for strengthening patient data protection while making strides in addressing privacy challenges by emphasising the need to comply with the Data Protection Act, 2019. The law has set the pace for health data governance in Africa as it deals with data related to medical insurance, physician notes and diagnosis, medical records on current and past health history, and health data governance. Appropriate data governance will provide safeguards against breaches and misuse such as in disease surveillance, research and innovation.

Section 4 of the Act emphasises the data principles to be applied to health data: treating health data as a strategic national asset; safeguarding privacy, confidentiality and security of health data for information sharing and use; facilitating data sharing and use for informed decision-making at all levels; and using the digital health eco-system to serve the health sector and to facilitate, in a progressive and equitable manner, the highest attainable standard of health.

Data, including health data, requires specialised agencies to guarantee its protection. The Digital Health Act establishes a Digital Health Agency which is charged with establishing and managing an integrated health information system. The system will ensure quality assurance in the health sector, since it will be guided by data protection principles, scalability and interoperability, efficiency and effectiveness, simplicity and accessibility, and consistency. The Digital Health Agency will potentially promote accountability and transparency in the health sector.

While integrated data and information management systems offer numerous benefits, they also pose risks of abuse and privacy violations, especially during pandemics such as Covid-19, when there was surveillance on individuals based on health data. During the surge of Covid-19, several countries such as Kenya and Uganda adopted measures to contain the virus but with adverse impacts on data protection and privacy. It is imperative therefore that the Digital Health Agency takes all necessary measures to ensure that the Integrated Health Information System robustly guards against unauthorised access, processing, use and transfer of individuals’ private health information within the country as well as across its borders. 

Section 45 on e-Waste Management offers indications in the right direction for the management of e-waste in the health sector. It also provides pointers to promoting the use of sustainable models for e-waste management through public-private partnerships. Nevertheless, in promoting reuse and lifetime extension of e-waste in health data, the law potentially creates opportunities where e-health data may be used unfairly by unscrupulous individuals.

The Digital Health Act is a progressive move towards appropriate regulation of digital health services in Kenya. It points to the relevance of technology in enhancing health care amidst the growing significance of personal data, its protection, management and governance. Other countries in the region could borrow from Kenya’s example to enact similar legislation on digital health and health data governance.

Read the full brief here.