Patient Data Privacy in the Age of Telemedicine: Case Studies from Ghana, Rwanda and Uganda

By CIPESA Writer |

With the increasing adoption of digital tools in healthcare provision in Africa, these case studies on e-health startups in Ghana, Rwanda and Uganda show how countries are dealing with privacy implications around patient data.  

Telemedicine is broadly defined as the delivery of healthcare services including diagnosis, treatment, research, education and evaluation to communities and individuals over long distances using information and communication technologies.  

A variety of other terms such as e-health, e-medicine, and tele-health are sometimes used interchangeably to mean the same thing as telemedicine. Remote delivery of healthcare services using telecommunications infrastructure helps overcome various barriers where access to quality healthcare is still a challenge. They ensure that no matter the patient’s location, they can still access timely care via telephone consultations with a physician, or obtain an express pick-up service of diagnostic tests and home delivery of results, or online access to prescription drugs. This is increasing equity in healthcare access for many in Africa. 

Covid-19, A Blessing in Disguise

Following the outbreak of Covid-19 in 2020, many African countries instituted some of the harshest containment measures to stop the spread of the disease. Entire economies were shut, from markets to schools to public transportation, and any activity that involved people getting into physical contact with one another was severely restricted. 

During the period, healthcare-seeking behaviour changed, since hospitals were at the epicentre of the crisis, receiving patients and hosting isolation centres. As a result, many African governments increased their reliance on digital technologies to contain the spread of the virus. Some of the measures included increasing digital transformation efforts, expansion of e-government services, mobile money services, and internet access. Furthermore, ministries of health relied on digital technologies and mobile applications for contact tracing, ambulance management, delivery of drugs, and awareness creation, and encouraged citizens to seek medical care online. This dramatically increased the visibility and popularity of hitherto unknown e-health startups and led to the rapid development of new ones.

For example, Uganda’s Rocket Health, a telemedicine start-up in existence since 2012, saw a dramatic increase in the number of subscribers. Similarly, Ghana’s mPharma, a startup that originally specialised in running a network of online pharmacies, diversified its services from simply delivering drugs to facilitating patient-physician telephone consultations. Also, Rwanda’s e-government Portal Irembo became the de facto hub for ordering Covid-19 tests and applying for and renewing Mutalle des sante, the country’s community-based health insurance scheme.

With a doctor-to-patient ratio of 0.2 physicians per 1,000 people compared to a global average of 1.6 as of 2018, the appeal of telemedicine in Sub-Saharan Africa is not surprising, given the enormous gap in healthcare providers. In addition, the increasing access to mobile phones (43%) and internet penetration (46%) in Sub-Saharan Africa are a great enabler of the surge in e-health adoption.

Patients’ Data Privacy Concerns

Inevitably, the increasing adoption of telemedicine is generating questions about the quality of care and the protocols in place to safeguard and protect patients’ health data. Until recently, there were few legal and policy guidelines regulating the use of telemedicine in most African countries. Bodies such as the World Health Organization (WHO), the African Union (AU), and the Africa Centres for Disease Control and Prevention (CDC) have in the recent past published digital transformation strategies to leverage the current surge in digitalisation. 

However, while several countries have enacted data protection laws and policies, they tend to be broad in outlook and are not focused specifically on e-health, the data it generates or how to safeguard it. Likewise, despite several African Ministries of Health drawing up Digital Health Strategies (see for instance UgandaMalawi and Ghana), measures to safeguard digital patient data privacy and protection have not been extensively elaborated. 

A 2021 study assessing the attitudes of telemedicine users in Sub-Saharan Africa found that trust, data safety and privacy concerns were among the biggest worries users had about telemedicine platforms. While the study revealed a wide usage of telemedicine technology across the region, it also showed that technological, organisational, legal and regulatory, individual, financial, and cultural issues were major barriers to the successful implementation of telemedicine in the region. Moreover, concerns regarding patients’ security, privacy and protection of medical data were highlighted as major barriers to the adoption of e-health technology as they created doubt for both clinicians and patients in terms of protection against potential abuse of patients’ data and unlawful disclosure of confidential medical records. 

A Closer Look at Select Telehealth Startups and their Data Privacy Policies 

Most e-health apps have long and elaborate Terms of Use and data privacy policies to assure users of their data privacy and security. These policies may differ from one app to the other, depending on the services provided, the nature of the operation of the start-up (for example, some are Public-Private-Partnerships where governments have a stake) and the legal framework in the country of operation. However, some terms of use are too long and stepped in too much legalese that most users do not read them or when they do, may not sufficiently understand the provisions or their implications. 

  1. Rocket Health (Uganda)

Rocket Health is a telemedicine service offered by The Medical Concierge Group (TMCG) Ltd. It offers teleconsultations, an online pharmacy with home delivery of medicines, laboratory services, and clinic services. Recently, it opened a number of physical clinics around Kampala. 

Rocket Health’s popularity exploded following the outbreak of Covid-19, moving from a few thousand virtual consultations a year to about 400,000. The company charges a USD 3 consultation fee and USD 1.5 for drug delivery, making it affordable to a majority of its clientele. Currently, the company reports over one million interactions facilitated with up to 80,000 active users. Since its inception, Rocket Health has grown its reach to 42,597 voice call users, 6,862 WhatsApp users, and 40,000 followers via the different social media platforms through which its services are also available.

In 2022, Rocket Health raised more than USD 5 million from investors and commenced scaling up its operations. The Medical Concierge Group Africa has now set up shop in Kenya and Nigeria to enable it to venture into more tele-health innovations and plans are underway to expand their portfolio to other African countries.

Users mostly access Rocket Health Services through its website or by downloading the Rocket Health Android app on their smartphones. In addition, the service can be accessed through a USSD service (*280#) for those with feature phones, and through chat on its social media channels on WhatsApp, Facebook and X.

Rocket Health collects and processes an enormous amount of data from its clients. It is worth examining how the company guarantees the safety and privacy of its patients’ data. The company has an extensive data privacy policy on its website that explains in detail the data it collects, how it collects it, and how it uses it. The policy states that “TMCG may collect some information from other third-party applications such as Facebook, Twitter, when you subscribe to our services, participate in surveys, login into our websites using a third-party login system (including, but not limited to, Facebook, Twitter, etc.), or otherwise communicate with us”. 

 The company adds that it takes precautions to protect collected personal information from loss, misuse, unauthorised access, disclosure, alteration, or destruction, taking into account the risk level and the nature of the data. However, it adds that clients “are responsible for taking every reasonable precaution on your end to protect any unauthorised person from accessing your TMCG account.”

 The c companies also adds a disclaimer that “…due to the design of the internet and other factors outside our control, we cannot guarantee that communications between you and our servers will be free from unauthorised access by third parties.”

The Personal Data Protection and Privacy Act (2019) is the primary legislation governing the protection of personal data in Uganda. The law aims to safeguard the privacy of individuals’ personal information and to regulate the processing of personal data by data controllers and processors. It further spells out the obligations of data collectors, processors and controllers while handling personal data. It also regulates the use and disclosure of personal data. It specifies the rights of the data subject, including seeking consent, explanation of the nature of the data being collected and its purpose. 

Moreover, the law established the Personal Data Protection Office (PDPO) under the National Information Technology Authority – Uganda (NITA-U), mandated to oversee the implementation and enforcement of the Act, receive and investigate complaints from data subjects, and establish and maintain a data protection and privacy register. The Uganda Data Protection & Privacy Regulations 2020 provide specific rules and requirements for adherence to the Personal Data Protection and Privacy Act.

All organisations collecting personal data are required to register with the PDPO for compliance monitoring and submit annual compliance reports on how they adhere to the data protection law. 

briefing by the PDPO on data protection and privacy in Uganda’s public and private health sector stated that “Principles and obligations in the health sector Health-related data are sensitive information and the Data Protection and Privacy Act establishes them as a special category of personal data due to the possibility of discrimination based on the results of processing it.” The briefing calls on actors in the sector to adhere to the law:

All players in the health sector must be accountable to the individuals from whom data is collected (data subjects) by registering with the Personal Data Protection Office (PDPO), which is the regulator of processors and controllers of personal data. These players must also establish technical and organisation measures which demonstrate compliance, such as having a Data Protection Officer, data protection and information security policies, maintaining a record of all processing activities within the organisation, and conducting data protection impact assessments to mitigate the risks associated with the processing of personal data.

The PDPO online data protection register shows that Rocket Health’s parent company, The Medical Concierge Group Ltd, only registered with the authority in September 2023, over 10 years after its establishment.

A 2021 Privacy Scorecard report for Uganda by Unwanted Witness found that health services in the country recorded the lowest performance for robust data security, with private health facilities exhibiting the worst levels of vulnerability in compliance with data protection standards.

Image poto

Visual Credit: Unwanted Witness

In its Health Information & Digital Health Strategic Plan 2021-2025, the Uganda Ministry of Health aims to “Improve data security and disaster recovery to ensure continuous access and availability of health data as well as compliance to data protection and privacy act.” Under this goal are key strategic interventions including to:

  • Develop guidelines for data privacy and protection in the health sector including secure handling and use of data and ICT assets. 
  • Undertake a census of all data controllers in the health sector to facilitate monitoring for compliance to established guidelines. 
  • Implement security protocols for data access in the health sector.
  • Undertake capacity building of health workers on data security, privacy, and protection in conjunction with the GoU data protection office.

There is so far no publicly available evidence that the Ministry and the PDPO have started this collaboration or when it is expected to start.

  Irembo e-Government Platform (Rwanda)

 Irembo (which means ‘Gateway’ or ‘Door’ in the local Kinyarwanda language), is an e-citizen portal for the provision of various government services to the public. The portal is managed by Irembo Ltd, a local technology company, in partnership with the Government of Rwanda. Started in 2015, the Irembo portal has enabled most Rwandan government agencies to digitise their services, eliminating paperwork and long wait times. Many services in sectors such as family and social affairs, immigration, identification, land, health and education offer services on the platform. Since its launch, the platform has processed over 25 million applications worth USD 300 million.

 Some of the health services provided on the platform include ordering and paying for Covid-19 tests and purchasing Mutuelle, a popular low-cost national community-based health insurance. Irembo is regulated under the Rwandan privacy law and is required to safeguard the privacy and security of its users’ data.

Furthermore, Irembo has published its Data Privacy Policy on its website which describes how it uses and protects the personally identifiable information collected from users of the platform.  The policy states it “is not intended that the e-Government Services Online Portal can be used anonymously. But no personal information shall be collected from you, unless you provide it voluntarily.”  It adds: 

 As a general rule, we do not collect personal data about you when you visit Irembo web, unless you choose to provide such information to us. Submitting your personal data through our website is voluntary. By doing so, you are giving us your permission to use the information for the services you requested for. We collect personal data to provide you with the services you have requested, including services from third party providers. We may share the above information with Government Institutions, Ministries and Agencies in the performance of their official duties and/or providing you the services you requested for.

 The Government of Rwanda officially gazetted Law Nº 058/2021 of 13/10/2021 relating to the protection of personal data and privacy on October 15, 2021. This Law designates the National Cyber Security Authority (NCSA) as the supervisory authority of the law. On March 31, 2022, the NCSA officially launched its data protection office, which will spearhead all activities related to protecting the personal data of individuals in Rwanda. In August 2023, Irembo was accredited by the NCSA as a data controller and data processor, in accordance with the data protection law.

 The data protection law defines sensitive personal data as “information revealing a person’s race, health status, criminal records, medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details.” The Rwandan constitution also provides for the right to privacy under article 23 as their fundamental right and any data collected on citizens must only be done with consent.  

 mPharma (Ghana)

The Covid-19 pandemic was also a boon to Ghana’s nascent telemedicine industry. The surge in Covid-19 cases in 2020 meant that Ghana had to institute drastic measures to contain the pandemic. These included scaling up efforts to integrate telemedicine into the mainstream healthcare system.

One of the companies that took advantage of this crisis was mPharma, a Ghanaian start up originally founded to manage prescription drug inventory for pharmacies and their suppliers. The company started providing physician consultations at its network of Mutti pharmacies and also set up online patient-doctor consulting, to reach more people, just as Rocket Health did. 

mPharma now employs hundreds of people and has since expanded its operations to Gabon, Ethiopia, Nigeria, Kenya, Zambia, Malawi and Rwanda.  In 2022, the company raised USD 35 million from investors and plans to expand into more African countries. 

mPharma’s privacy policy is remarkably similar to that of Uganda’s Rocket Health except that it goes into more detail on what happens to clients’ data in case it is to enter into a merger or is acquired by third party companies, but does not state if the data subjects have a right of refusal to such potential transfer of data.

In the event of any merger, acquisition or other arrangement whereby mPharma sells or transfers all, or a portion of its business or assets (including in the event of a reorganisation, dissolution or liquidation) to third parties, you hereby consent that your personal data held with mPharma can be transferred or assigned to third parties who may become the controllers and/or processors of your personal data that was held by mPharma prior to such merger, acquisition or other arrangement. mPharma shall at all times ensure that you are notified when your personal data is intended to be transferred to third parties in the circumstances outlined in this clause.

Ghana was one the first African countries to pass a data protection law back in 2012. Its Data Protection Commission (DPC), which enforces this law, is one of the oldest on the continent. The registration of data controllers and data processors started in January 2015. The Data Protection Act places special emphasis on health data. Article 62 states that “Personal data which relates to the physical, mental health or mental condition of the data subject shall not be disclosed except where the disclosure is required by law,” among other exceptions. 

In July, 2010, the Government of Ghana launched the national e-health strategy and is planning to  launch a digital health strategy. The national ICT Sector Policy and Strategy highlights the increasing cyber threats hindering the adoption of ICT in healthcare and calls for mechanisms for the protection of patient data.

How to ensure patient privacy and data protection 

There are significant gaps in current data protection and privacy policies of eHealth service providers in Africa regarding patient data collected. For example,

  •   Some startups in their privacy policies do not provide for protections in case of mergers or acquisitions, a common occurrence in startup ecosystems; or what the rights of the data subjects are in this situation and what privacy implications such mergers might have on clients’ data rights. 
  •     Secondly, most of the policies are written in such a careful and calibrated way to reduce as much as possible the burden of responsibility and duty of care for patient data protection, away from the company. This is the reason for multiple indemnifications and disclaimers written in the company policies. 
  •   Thirdly, the regulatory environment in terms of national data protection laws is not robust enough as it does not provide sector-specific guidance especially for very sensitive sectors such as healthcare. While the general legal regime on data protection appears strong, there is a need for specific guidelines to ensure patient privacy and data protection in the digital health context. Entire sections need to be added in National Data Protection Laws that focus on health data governance especially in digitally provided healthcare services. 
  •   There is also limited collaboration between Ministries of Health and Data Protection Authorities. There is thus far little evidence of any sanctions that have been borne by health startups that have not adhered to some of the requirements of the Data Protection Authorities, such as registering their operations with the data protection authorities and hiring data protection officers in their companies.

Data protection offices need to work more closely with ministries of health and private digital health providers to design strong regulatory frameworks that guarantee patient privacy and data safety while facilitating the growth of the telemedicine industry. 

Countries could model their digital health data protection policies on the WHO guideline recommendations on telemedicine, which calls for client-to-provider telemedicine to complement, rather than replace, the delivery of health services and in settings where patient safety, privacy, traceability, accountability and security can be monitored. In this context, WHO further states that monitoring should include the “establishment of standard operating procedures (SOPs) that describe protocols for ensuring patient consent, data protection and storage, and verifying provider licensing and credentials.”With many startup companies increasingly venturing into health services, the data protection laws need to be updated accordingly to provide more robust health data protection. 

Companies could, among other measures, take the following actions:

  •   Update their clients with information of any mergers or takeovers of their companies in case they happen, appraise them of the implications of such mergers and what role the clientele has to play, or their rights and obligations. 
  •   Any app updates or system upgrades with implications on patient data, new demands for, or changes in their data protections protocols, should be swiftly and transparently communicated to users, as well as what implications that might have on the use of these apps on their devices.
  • Conduct ongoing, consistent education of their clients on their data rights and the measures being taken to ensure the protection, privacy and integrity of medical records.
  •     Beyond just bland privacy policies and Terms of Use documents on their websites, companies need to have robust engagement and communication strategies to guide their constant interfaces with clients to ensure consistent safety and privacy of their data.

CIPESA Conducts Digital Rights Training for Ethiopian Human Rights Commission Staff

By CIPESA Writer |

The Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has conducted a digital rights training for staff of the Ethiopian Human Rights Commission (EHRC) in a programme that benefitted 22 experts from various departments of the statutory entity. 

The training was a response to the desire by the commission to build its organisational capacity in understanding and defending digital rights and CIPESA’s vision to grow the ability of African national human rights institutions (NHRIs) to monitor, protect and promote digital freedoms.

Conducted in the Ethiopian capital Addis Ababa on October 11-12, 2023, the programme aimed to build the EHRC staff’s understanding of digital rights issues and the link with traditional rights. Participants went on to brainstorm how the EHRC should strengthen human rights protection in the digital space and through the use of technology.

Dr. Abdi Jibril, the Commissioner for Civil and Political and Socio-Economic Rights at the EHRC, noted that the proliferation of digital technology has contributed positively to human rights protection. It was therefore necessary to maximise the benefits of digital technology and to expand its usage for the promotion and enforcement of human rights.

The importance of growing the capacity of NHRIs was underscored by Line Gamrath Rasmussen, Senior Adviser, Human Rights, Tech and Business at the Danish Institute for Human Rights and CIPESA Executive Director Dr. Wairagala Wakabi. African NHRIs are not always well versed with the opportunities and challenges which technology presents, which creates a need for capacity development and developing partnerships with stakeholders such as civil society. 

As legislation governing the technology domain is fast-evolving, NHRIs in many countries are playing catch up. As such, these institutions need to constantly keep updating themselves on new legislation and implications of these laws on human rights in the digital domain. The NHRIs need to  enhance their capacity to document, investigate and report on digital rights. 

The NHRIs also need to pay specific attention to the vices such as hate speech, disinformation, and technology-facilitated gender-based violence (TF GBV), that are being perpetuated with the aid of technology.

Dr. Daniel Bekele, the Chief Commissioner at EHRC, stated that social media companies and messaging platforms are not doing enough to moderate harmful content in Africa yet in other geographical regions they have invested more resources and efforts in content moderation. He said African countries need to work together in order to build a strong force against the powerful platforms. The official proposed that the African Union (AU), working with relevant governments and other stakeholders, should spearhead the development of regulations which African countries can jointly use in their engagements with the tech giants on issues such as content moderation. 

 The two-day training discussed the positive and negative effects of digital technology on human rights and how the commission’s work to enforce human rights can be strengthened through the use of digital technology.

Among other topics, the training also addressed the human rights, governance and technology landscape in Sub-Saharan Africa; public and private sector digitalisation and challenges for human rights; the link between online and offline rights; transparency and accountability of the private sector in upholding human rights; and opportunities for NHRIs to advance online rights at national, regional and international levels. It also featured deep dives into key digital rights concerns such as surveillance, online violence against women, disinformation, and network disruptions. 

At the end of the training, the EHRC staff identified key actions the commission could integrate in its annual work plans, such as digital rights monitoring, advocacy for enabling laws to be enacted, and developing tools for follow up on implementation of recommendations on digital rights by treaty bodies and the Human Rights Council. Others were collaborations with local and regional actors including media, fact-checkers, civil society organisations, and platforms; working with the police and other national mechanisms to tackle hate speech and disinformation while protecting human rights; and conducting digital literacy.

Trainers in the programme were drawn from CIPESA, the Centre for the Advancement of Rights and Democracy (CARD), the Danish Institute for Human Rights, the Centre for International Private Enterprise (CIPE), the African Centre for Media Excellence (ACME), Inform Africa, and the Kenya National Cohesion and Integration Commission (NCIC).

Meanwhile, after the aforementioned training, CIPESA teamed up with Ethiopian civil society partners to conduct a training on disinformation and hate speech for journalists, bloggers and digital rights activists. Like many African countries, Ethiopia is grappling with a significant and alarming rise in hate speech and disinformation, particularly on social media platforms. This surge in disinformation is undermining social cohesion, promoting conflict, and leading to a concerning number of threats against journalists and human rights defenders.

The proliferation of disinformation is to citizens’ fundamental rights as studies have shown that many Ethiopians feel their right to freedom of expression is compromised. The prevalence of disinformation also means that many Ethiopians lack access to impartial and diverse information.

Disinformation has been directly fueling conflict in several regions of Ethiopia. According to workshop participants and reports, both pro-government and anti-government actors have perpetuated this vice, whose real-world consequences are severe, including the loss of life and large-scale violent events.

Whereas Ethiopia in 2020 enacted legislation to curb hate speech and disinformation, the effectiveness of this law has been called into question. Some critics argue that it has not been effectively implemented and could be used to undermine citizens’ rights.

The training equipped 21 journalists, bloggers and activists with knowledge to navigate this law and with skills to call out and fight disinformation and hate speech. The efforts of the trained journalists, and those which the human rights commission could implement, are expected to boost the fight against online harms and contribute to the advancement of digital rights in Ethiopia.

Social Media 4 Peace: An Initiative to Tackle the Quagmire Of Content Moderation

By Juliet Nanfuka |

Content moderation has emerged as a critical global concern in the digital age. In Africa, coinciding with increasing digital penetration and digitalisation, along with problematic platform responses to harmful content and retrogressive national legislation, the demand for robust and rights-respecting content moderation has reached a new level of urgency. 

Online content platforms and governments are increasingly getting caught in a contentious struggle on how to address content moderation, especially as online hate speech and disinformation become more pervasive. These vices regularly seep into the real world, undermining human rights, social cohesion, democracy, and peace. They have also corroded public discourse and fragmented societies, with marginalised communities often bearing some of the gravest  consequences. 

The Social Media 4 Peace (SM4P) project run by the United Nations Educational, Scientific and Cultural Organization (UNESCO) was established to strengthen the resilience of societies to potentially harmful content spread online, in particular hate speech inciting violence, while protecting freedom of expression and enhancing the promotion of peace through digital technologies, notably social media. The project was piloted in four countries – Bosnia and Herzegovina, Colombia, Indonesia, and Kenya.

At the Forum on Internet Freedom in Africa (FIFAfrica) held in Tanzania in September 2023, UNESCO hosted a session where panellists interrogated the role of a multi-stakeholder coalition in addressing gaps in content moderation with a focus on Kenya. The session highlighted the importance of multi-stakeholder cooperation, accountability models, and safety by design to address online harmful content, particularly disinformation and hate speech in Africa. 

In March 2023, as a product of the SM4P, UNESCO in partnership with the National Cohesion and Integration Commission (NCIC) launched the National Coalition on Freedom of Expression and Content Moderation in Kenya. The formation of the coalition, whose membership has grown to include various governmental, civil society and private sector entities, is a testament to the need for content moderation efforts based on broader multi-stakeholder collaboration. 

As such, the coalition provided a learning model for the participants at FIFAfrica, who included legislators, regulators, civil society activists and policy makers, whose countries are grappling with establishing effective and rights-based content moderation mechanisms. The session explored good practices from the SM4P project in Kenya for possible replication of the model coalition across African countries. Discussions largely centred on issues around content moderation challenges and opportunities for addressing these issues in the region.

Online content moderation has presented a new regulatory challenge for governments and technology companies. Striking a balance between safeguarding freedom of expression and curtailing harmful and illegal content has presented a challenge especially as such decisions have largely fallen into the remit of platforms, and state actors have often criticised platforms’ content moderation practices. 

This has resulted in governments and platforms coming to loggerheads as was witnessed during the 2021 Uganda elections. Six days before the election, Meta blocked various accounts and removed content for what it termed as “coordinated inauthentic behavior”. Most of the accounts affected were related to pro-ruling party narratives or had links to the ruling party. In response, the Uganda government blocked social media before blocking access to the entire internet. Nigeria similarly suspended Twitter in June 2021 for deleting a post made from the president’s account.

Social media companies are taking various measures to curb such content, including by using artificial intelligence tools, employing human content moderators, collaborating with fact-checking organisations and trusted partner organisations that identify false and harmful content, and relying on user reports of harmful and illegal content. However, these measures by the platforms are often criticised as inadequate. 

On the other hand, some African governments were also criticised for enacting laws and issuing directives that undermine citizens’ fundamental rights, under the guise of combating harmful content.  

Indeed, speaking at the 2023 edition of FIFAfrica, Felicia Anthonio, #KeepItOn Campaign Manager at Access Now, stated that weaknesses in content moderation are often cited by some governments that shut down the internet. She noted that governments justify shutting down internet access as a tool to control harmful content amidst concerns of hate speech, disinformation, and incitement of violence. This was reaffirmed by Thobekile Matimbe from Paradigm Initiative who noted that “content moderation is a delicate test of speech”, stressing that if content moderation is not balanced against freedom of expression and access to information, it would result in violation of fundamental human rights. Beyond governments and social media companies, other stakeholders need to step up efforts to combat harmful content and advocate for balanced content moderation policies. For instance, speakers at the FIFAfrica session were unanimous that civil society organisations, academic institutions, and media regulators need to enhance digital media literacy and increase collaborative efforts. Further, they stressed the need for these stakeholders to regularly conduct research to underpin evidence-based advocacy, and to support the development of human rights-centered strategies in content moderation.

Advancing Awareness of the UNESCO Internet Universality Assessments in Africa

By Juliet Nanfuka |

In 2015, the 38th General Conference of the United Nations Educational, Scientific and Cultural Organization (UNESCO) endorsed a new definition on the universality of the internet. It was based upon four principles, namely Rights, Openness, Accessibility to all and Multi-stakeholder participation, or the ROAM principles. 

The addition of cross-cutting indicators in 2018 resulted in the ROAM-X Indicator framework comprising 303 indicators that assess the extent to which national stakeholders, including governments, businesses and civil society, comply with the ROAM principles. It was recognised that these indicators were central to the growth and evolution of the internet, and the achievement of the Sustainable Development Goals.  

Over the years, UNESCO has partnered with the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) to increase awareness of the Internet Universality Indicators (IUI’s) and the ROAM-X framework. In 2015, at the CIPESA-convened Forum on Internet Freedom in Africa (FIFAfrica), the ROAM principles were featured in the opening discussion of the event, with then UNESCO regional advisor for Communication and Information, Jaco du Toit, explaining the practical use of the Internet Universality principles of human-rights, openness, accessibility and multi-stakeholder participation and their link to African development.

The  2018 edition of FIFAfrica again provided a collaborative platform for experts, policymakers, activists, and technologists to exchange ideas and strategies for advancing a more inclusive and accessible digital space. CIPESA also contributed to discussions at the 2018 Internet Governance Forum (IGF) where the link between internet shutdowns and the need for national assessments through the use of the ROAM-X framework was stressed.

At the October 2020 Africa IGF, CIPESA contributed to a discussion that served as a launch of the IGF Dynamic Coalition on Internet Universality Indicators (IUIs). The Dynamic Coalition is a shared space for advocating Internet Universality ROAM principles worldwide, sharing experiences and raising awareness of the value of the related indicators and good practice in applying them in more countries. Further discussions were held at the global IGF in November 2020. 

In March 2022, CIPESA hosted a regional dialogue on the Indicators, which highlighted lessons from countries where IUI assessments had been conducted, namely  Benin, Ethiopia, Ghana, Kenya, Niger and Senegal. This effort aimed to garner best practices in conducting national assessments of media and internet ecosystems using the indicators.

Later that year, CIPESA convened a regional training webinar to raise awareness of the Internet Universality ROAM-X indicators and their potential to promote internet development to advance media freedom and digital rights in Africa. The UNESCO Information for All Programme (IFAP) and International Programme for the Development of Communication (IPDC) jointly supported the training which targeted participants from Cameroon, Malawi, Namibia,  Somalia and Uganda. Outputs from the webinar went on to feed into discussions at the 2022 IGF which included sessions on the ROAM-X indicators and a session on the Internet Universality Indicators as part of the Dynamic Coalition.

At the 2023 edition of  FIFAfrica held in September in Tanzania, UNESCO hosted a session titled “Foster Internet Freedom in Africa through UNESCO’s ROAM-X Internet Universality Indicators Assessments”. The panel consisted of UNESCO experts, including John Okande, Programme Officer, Tatevik Grigoryan, Associate Programme Specialist; and Xiaojie Sun, Junior Professional Officer. Also on the panel were participants from earlier UNESCO/CIPESA collaborative efforts on ROAM-X, including Asrat M. Beyene from the Internet Society Ethiopia Chapter and Addis Ababa Science and Technology University; Grace Githaiga, Convenor of the Kenya ICT Action Network (KICTANet); and Dr. Simon-Peter Kafui Aheto of the University of Ghana.

The various speakers showcased the main findings and recommendations from the IUI  assessments they conducted,  and impacts of ongoing and completed ROAM-X national assessments in Africa (see some assessments here). They also shared best practices and lessons learnt during the implementation process. Panelists also highlighted that the IUI is due for revision following the amount of data collected over the years and the evolving digital landscape globally.   Since its introduction, ROAM-X has been integrated into discussions at FIFAfrica and into CIPESA programming, both of which have served as collaborative platforms for experts and policymakers to advance inclusivity and accessibility in the digital space.

Digital Rights Hub of African Civil Society Organisations

By Edrine Wanyama |

Since 2016, the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) has been partnering with the International Center for Not-for-Profit Law (ICNL) to improve African digital civic spaces. 

At the September  Forum on internet Freedoms in Africa, CIPESA and ICNL convened a digital rights hub in Dar es Salaam, Tanzania aimed at promoting the digital civic space in Africa. The hub brought together civil society organisations (CSOs) representatives from 10 African countries. 

Across the continent, there is increased demand for democratic rule yet civic spaces continue to be undermined by state autocracy which still prevails in at least half the continent.  Rights and freedoms such as assembly, association, access to information and data privacy in the online space continue to be curtailed. This is despite that 2016  UN Human Rights Council Resolution  that called for the protection of rights afforded offline, to be applied in equal measure online.

The hub  held discussions on the relationship between digital civic space and its importance to CSOs and the internet infrastructure governance. 

Further insights were drawn from developments on artificial intelligence, surveillance, privacy rights, network disruptions, online content moderation, and the burgeoning concerns on  disinformation and its impact on the digital society. 

The hub concluded by defining the  role of CSOs in protecting the digital civic space through effective advocacy strategies such as litigation, legal analysis and the law making process, capacity building of key stakeholders including parliamentarians and making use of regional human rights monitoring mechanisms such as the United Nations Human Rights Council mechanisms like Universal Periodic Review and Special Rapporteurs and the African Commission on Human and Peoples Rights monitoring mechanisms were enumerated.  

The emerging statement from the convening can be accessed here