Kenya's recently enacted Digital Health Act provides strong safeguards of patient data, including the safe transfer of personal, identifiable health data and medical records to and from health facilities in and out of the country.
This statement was originally published on cipesa.org on 3 May 2024.
In October 2023, Kenya enacted the Digital Health Act, which seeks to promote the safe, efficient and effective use of technology for healthcare and to enhance privacy, confidentiality and security of health data. It also provides for the safe transfer of personal, identifiable health data and medical records to and from health facilities within and outside Kenya, and the development of standards for provision of m-Health, telemedicine, and e-learning.
While Kenya enacted the Data Protection Act earlier in 2019, the dedicated digital health law is a positive step towards addressing the potential data privacy challenges related to health data. The law could deliver dividends for the e-health sector by leveraging data and technology to devise interventions and solutions that improve health services delivery.
In a recent brief, CIPESA analyses the Digital Health Act and what it portends for health data governance in Kenya. As the brief notes, if rightly implemented, the law will offer lessons in proper health data governance, while ensuring the rights of data subjects and the principles of data protection are respected and promoted.
The new law is the latest addition to Kenya’s policy and legal initiatives that aim to buttress the health care system, including through technology and improved data governance. Others include the National eHealth Policy 2016-2030 and the Guidance Note on the Processing of Health Data developed by the data protection authority.
The Digital Health Act presents an opportunity for strengthening patient data protection while making strides in addressing privacy challenges by emphasising the need to comply with the Data Protection Act, 2019. The law has set the pace for health data governance in Africa as it deals with data related to medical insurance, physician notes and diagnosis, medical records on current and past health history, and health data governance. Appropriate data governance will provide safeguards against breaches and misuse such as in disease surveillance, research and innovation.
Section 4 of the Act emphasises the data principles to be applied to health data: treating health data as a strategic national asset; safeguarding privacy, confidentiality and security of health data for information sharing and use; facilitating data sharing and use for informed decision-making at all levels; and using the digital health eco-system to serve the health sector and to facilitate, in a progressive and equitable manner, the highest attainable standard of health.
Data, including health data, requires specialised agencies to guarantee its protection. The Digital Health Act establishes a Digital Health Agency which is charged with establishing and managing an integrated health information system. The system will ensure quality assurance in the health sector, since it will be guided by data protection principles, scalability and interoperability, efficiency and effectiveness, simplicity and accessibility, and consistency. The Digital Health Agency will potentially promote accountability and transparency in the health sector.
While integrated data and information management systems offer numerous benefits, they also pose risks of abuse and privacy violations, especially during pandemics such as Covid-19, when there was surveillance on individuals based on health data. During the surge of Covid-19, several countries such as Kenya and Uganda adopted measures to contain the virus but with adverse impacts on data protection and privacy. It is imperative therefore that the Digital Health Agency takes all necessary measures to ensure that the Integrated Health Information System robustly guards against unauthorised access, processing, use and transfer of individuals’ private health information within the country as well as across its borders.
Section 45 on e-Waste Management offers indications in the right direction for the management of e-waste in the health sector. It also provides pointers to promoting the use of sustainable models for e-waste management through public-private partnerships. Nevertheless, in promoting reuse and lifetime extension of e-waste in health data, the law potentially creates opportunities where e-health data may be used unfairly by unscrupulous individuals.
The Digital Health Act is a progressive move towards appropriate regulation of digital health services in Kenya. It points to the relevance of technology in enhancing health care amidst the growing significance of personal data, its protection, management and governance. Other countries in the region could borrow from Kenya’s example to enact similar legislation on digital health and health data governance.
Read the full brief here.
