The Data Protection Act 2019 (the Act) commenced on 25th November 2019 to regulate the processing of personal data. Amongst the Act’s key definitions is health data-which is defined as data related to the state of physical or mental health of the data subject and includes records regarding the past, present or future state of the health, data collected in the course of registration for, or provision of health services, or data which associates the data subject to the provision of specific health services. In a separate definition, health and genetic data have been classified as “sensitive personal data”.
In addition, the Health Act 2017 attempts to cover issues concerning digital health. The Act defines eHealth as “the combined use of electronic communications and information technology in the health sector including telemedicine”
The World Intellectual Property Organization ranked Kenya as the second leading innovation hub in Africa and a leading consumer of internet via smartphones in the world. It goes without saying that in Kenya, digital is finding traction and the health industry is no exception.
Kenya has seen key emerging technologies in the health sector including telehealth, telemedicine, m-health and integrated hospital management information systems (HMIS). For instance, in 2018, HopeCore, a healthcare start-up partnered with MedTreks International to utilize eHealth services to improve patient access in Chogoria Hospital. There are other examples of innovations such as M-tiba and the popular app My Dawa which is a web-based platform that allows users to purchase authentic medication. All these apps hold critical health data; not just for the patients/users but also for their families or dependents.
On the international front, we have experienced an exponential growth of health technologies such as wearables. The Google Fitbit holds user’s data on heart rates, breathing patterns, sleep quality and other sensitive information on health. A lot of mobile phone devices also have fitness applications that monitor various aspects of health data. The concern with this is these companies are storing medical data in an unregulated space and the use of the data is unknown.
Further to this, healthcare organisations such as hospitals insurance companies and employers hold impressive amounts of health data regarding data subjects.
Health data and data breaches
There are several reasons why health data is particularly prone to cyber-attacks and theft.
First, health data is critical and sensitive thus making it a valuable commodity. It is even more appealing when digitally held as it can be sold off multiple times over to create revenue for the attackers or be encrypted so as to extort the hospital to pay for their data back.
In addition, healthcare organizations have embedded systems. Healthcare IT departments find it difficult to tamper with these systems as it would hamper how the manufacturer can offer support, which makes them an easy target for attack.
Further, breaches can include cases in which privileged healthcare organization officials steal protected health information to commit medical identity theft for fraudulent insurance compensation.
Like every other sector in the data economy, healthcare systems that hold health data are susceptible to data breaches through malicious email schemes and/or accidental disclosure.
Finally, due to the ever-present need for human beings to share that which is deemed sensational, there are cases where medical officers have shared on digital platforms crucial patient information without consent.
Consequently, healthcare professionals must assess what emerging technological trends exist, what they mean in the data protection ecosystem and how to legally ensure that they collect and process health data in compliance with regulatory requirements.
Emerging and ethical issues in the context of the Act
The Act provides for principles that should guide any data controller or data processor when handling personal data. Key provisions include that data should be collected for a specified and legitimate manner; and data should be collected only where a valid explanation is provided whenever information is in relation to family or private affairs.
The Act provides for rights of a data subject which include access of their personal data, as well as objecting to the processing of all or part of their personal data.
Section 44 of the Act provides that no category of sensitive personal data, including health data shall be processed unless the principles of data protection enumerated in the Act are applied to that processing. Given that health technology processes personal data, health organisations and all actors in the eco-system will have to show what measures they have put in place, including controls in the technologies used to ensure compliance with the law.
With the increased use of data in healthcare, we anticipate seeing the use of Artificial Intelligence in service delivery due to its ability to hold and process large quantities of information in a short time. This raises the question of the risks of poor data representation which can be magnified as sets are fed into AI projects. How will health organisations ensure that the data sets are as diverse as the populations that will eventually use the tools without infringing on the rights set out in Section 26 of the Act? Similarly, there will be an expectation that health IT professionals ensure data fed into AI does not amount to profiling that produces adverse legal effects or significantly affects the data subject.
Secondly, the Act allows for anonymization of data. Commercial, research and academic institutions have previously gained access to health data without necessarily having to seek consent from the subjects and have been expected to anonymize such information. However, in the wake of the new law, experts in health technology must consider that health technologies might very well have the ability to reconstruct and re-identify individuals whose data is shared. Will the adoption of removal or obscuring of obvious identifiers suffice as a way of anonymization?
Anonymized data is still personal data. The stakeholders in the healthcare sector should advocate for a code of practice that would ensure that principles of data protection are applied in anonymizing health data that is practicable to the situations at hand.
Another ethical issue is that relating to wearables. Wearables monitor your overall health and organ vitals without having to see a certified practitioner. With challenges revolving around do it yourself (DIY) health care practices, a key issue is unsolicited diagnosis which will only be justified in situations where the mobile app is from a regulated and certified health care institution or a third party that has partnered with such an entity.
Increased use of Data-as-a-Platform to extract insights from patient data is an area that health organizations may venture into. The question of express consent arises in such instances.
As virtual health care increases in capability and popularity, health care organizations will likely need to continue investing in security tools and services to identify risks and ward them off.
With the issue of access, patients will look to be able to access their records in a variety of ways, including in real-time using their smartphones. . While patients relish in the ease of access to their health data, security and protection ought to be a key consideration. We anticipate that with advancement in technology, IT experts within the health sector may well consider an integrated, interoperable system where healthcare organisations can share information through electronic exchange. This has been used in the United States where New York State created the Statewide Health Information Network for New York (SHIN-NY). Healthcare professionals, with patient consent, can quickly access electronic health information and securely exchange data statewide.
In view of the emerging technologies and the provisions of the Data Protection Act, compliance must be top of the agenda.
Data breaches can expose the entity to non-compliance under the Act, whereby other than potential administrative fines such as the Kshs, 5,000,000/-, sanctions and other compliance costs, the institution may also suffer reputational damage and loss of patient/stakeholder trust.
Consequently, institutions within the sector should develop and/or amend privacy policies to comply with the Data Protection Act. There is a great need for data protection literacy within institutions so that employees and officials within the institution do not negligently handle health data. The requirement to appoint data protection officers to ensure compliance with the Act is made more imminent in light of the issues raised above.
We anticipate that the Data Commissioner will provide guidelines, however, nothing stops healthcare practitioners from having sector-specific guidelines that will ensure that health data is protected, even in the face of an ever-changing technological sphere.
This article was initially published in the CIO
The TMT Team at TripleOKLaw Advocates comprises of Catherine Kariuki, Janet Othero, Sherry Bor and Joyanne Wanjiru. They are legal service providers on matters pertaining to technology, media and telecommunication. Email email@example.com for details.
Deputy Managing Partner and Head of Telecommunications, Media & Technology