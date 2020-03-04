Health data is sensitive

Last December I received a text message from an established healthcare institution informing me that they had opened a clinic in my neighbourhood, detailing the kind of services they offer and telling me that I should make a point of visiting the clinic.

This angered me and I asked myself: “Who gave them my number, when did I agree to them sending me marketing messages, how did they know where I live and how long do they intend to keep my number?”

This was a clear violation of my right to privacy and misuse of my personal information, which I hope the Kenya Data Protection Act 2019 is going to cure.

The Act is aimed at regulating the collection and processing of personal data.

It defines health data as data related to the state of physical or mental health of the data subject, including records regarding the past, present or future state of health and data collected in the course of registration for, or provision of, health services. In practice, this is the information that data subjects give to hospitals, health insurance companies, clinics, NGOs and pharmaceutical companies.

The Act also determines that certain types of data fall under a special category, referred to as sensitive personal data, because they require extra care. Health data falls in this category since it comes within a person’s most intimate domain, and any breach may lead to various forms of discrimination and violation of fundamental rights.

However, full compliance with the law has proved not to be enough on its own to shield a healthcare organisation from data breaches.

ENSURE ACCOUNTABILITY

To prevent data breaches and subsequent violation of the Act, healthcare organisations can adopt suitable safeguards. Such measures involve a mix of employee training, smart use of technology and physical security for buildings, and they can be taken from both an administrative and a technical point of view.

From an administrative point of view, managing health data requires that a healthcare organisation provides explicit consent forms to data subjects, develops internal data protection policies, educates its staff, implements physical security controls, deletes unnecessary data and has a data breach response plan.

From a technical point of view, one may implement measures such as secure transmission of health data between mobile applications, computers and servers; encryption of data at record level; pseudonymisation or anonymisation to reduce risk when the data is processed; authentication and access control procedures; non-modifiable audit logs; and a means for data subjects to exercise their right to have their data deleted.

Nonetheless, two critical aspects which, from a Kenyan perspective, healthcare organisations should immediately implement to show commitment to compliance with the Act are the appointment of data protection officers (though this is not mandatory under the Act) and ensuring that accountability documents and trade documents are drafted, implemented, monitored and maintained as per the provisions of the Act.

It would also be prudent for the organisation to conduct a risk assessment and come up with an action plan to seal any loophole that may lead to a data breach.