HEALTHCARE INSTITUTIONS IN KENYA TO MANDATORILY REGISTER WITH ODPC
Review of the ODPC Guidance Note for the Health Sector: Data Protection in Kenya Series 5
In December 2023 the Office of the Data Protection Commissioner (ODPC) issued the Data Protection Guidance Note for the Health Sector in response to growing privacy concerns about the processing of personal data within the sector. The increased use of technology in the health sector has reportedly exposed it to risks including frequent cyberattacks, data breaches, potential misuse of personal data, a lack of transparency around data collection and processing, unauthorized access and disclosure, unauthorized use of personal data for advertising purposes, and the unlawful packaging and sale of data to third parties.
According to the guidance note, the key stakeholders in the health sector include the data subjects (patients/clients), hospitals and clinics, laboratories, donors and partners, health workers, community health volunteers, pharmaceutical services, health insurance providers, health research and training institutions, and professional health bodies, all of which are now required to register with the ODPC.
The ODPC has identified the following privacy concerns in the health sector, which have prompted its intervention to ensure the protection of personal data: extensive use of technology such as Health Management Information Systems (HMIS), eHealth, mHealth, medical imaging devices, e-Prescription and robotic surgery, Community Health Information Systems (CHIS), Electronic Medical Records (EMR) and Electronic Health Records (EHR); collection of excessive data; retention of data for longer than necessary; and the use of CCTV cameras in health institutions, among others.
These privacy concerns have led to infringements of the right to privacy and have potentially resulted in bullying, discrimination, and exclusion. As a result, health institutions are now called upon to recognise that patients, staff, donors and partners have a right to privacy, and that healthcare services must be provided in a way that respects their inherent dignity and right to privacy.
Obligations of Healthcare Institutions as Data Controllers and/or Data Processors
The guidance note sets out the following obligations for health institutions:
- All entities involved in the healthcare sector must undergo mandatory registration.
- At the time of collecting personal data, health institutions must notify data subjects of their rights. This includes informing them that personal data is being collected; stating the purpose of the collection; disclosing the third parties who may receive the data and the safeguards adopted; providing the contacts of the data controller or data processor and disclosing whether any other entity may receive the data; describing the technical and organizational security measures taken to ensure data confidentiality and integrity; stating whether the data is being collected pursuant to the law and whether provision is voluntary or mandatory; and outlining the consequences if data subjects fail to provide all or part of the requested data.
- Before processing sensitive personal data, health institutions should obtain explicit consent from data subjects. This means that the data subject must give clear, unambiguous, and specific consent for their data to be processed.
- Healthcare institutions must take appropriate technical and organizational measures to ensure the security of sensitive personal data.
- Healthcare institutions should only retain sensitive personal data for the period necessary to achieve the purpose of the processing. Sensitive personal data should be deleted or anonymized once it is no longer necessary for the processing.
- Healthcare institutions must ensure that sensitive personal data is processed lawfully, securely, and for a legitimate purpose.
- Healthcare institutions must conduct a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to the rights and freedoms of data subjects.
- Parental/guardian consent is required before collecting or processing data about minors.
- Healthcare institutions must report personal data breaches to the ODPC without delay, and within 72 hours of becoming aware of the breach.
- Healthcare institutions are required to process personal data lawfully, fairly, and transparently.
- Healthcare institutions must limit the collection and storage of personal data to only what is necessary for a specific purpose that has been communicated to the individual.
- Healthcare institutions must take reasonable steps to ensure that personal data is accurate and that any inaccuracies are corrected as soon as possible. Further, all institutions in the health sector must put in place internal controls that allow the information provided to be verified, allow data subjects to update their personal data, and provide for regular periodic reviews.
- All institutions in the health sector must have appropriate internal policies and procedures in place to ensure that personal data is securely stored and only kept for as long as necessary.
- All healthcare institutions are responsible for complying with data protection principles (the Act and the Regulations).
- Healthcare institutions must provide individuals with information about the purpose and legal basis of the processing. This means explaining why the institution is collecting and processing personal data, and what legal basis it relies on.
- All stakeholders have the right to access their personal data. This means that data subjects have the right to request access to their personal data, such as health information records. In accordance with the Regulations, an institution in the healthcare sector has seven (7) days following receipt of a data access request within which to provide the data subject with access to the information.
- Data subjects have a right not to be subject to automated decision-making.
- If a data subject's personal information in the health system is incorrect, they have the right to request that it be updated or corrected.
At A.O.WANGA ADVOCATES we are happy to assist you with all your data protection concerns in Kenya, including registration, tailored advice and conducting Data Protection Impact Assessments. For more information, contact us via info@aowangaadvocates.com or +254794600191.
All rights reserved for A.O.WANGA ADVOCATES
www.aowangaadvocates.com