Office of the Data Protection Commissioner: Summary of the Guidance Notes on the Processing of Health Data

Introduction: 

The Office of the Data Protection Commissioner (ODPC) is a government agency established under the Data Protection Act, 2019 (DPA). The office is mandated to oversee the implementation and enforcement of the Act to safeguard the privacy, dignity and fundamental rights of individuals. In the age of digital transformation and growth, the ODPC plays a vital role in ensuring that the advancement of technology does not hinder or breach the rights and privacy of individuals. 

The health sector is one of the largest users of personal data: it collects, stores and analyses vast amounts of it. In recent times, the health sector has adopted various technologies to advance the processes of transferring, storing and accessing healthcare data. However, the use of technology, although more timely and efficient, comes with its own drawbacks. A major concern tied to the use of technology is the leakage of confidential and private data. The DPA therefore imposes responsibilities and obligations on healthcare providers to ensure that data collection, processing and storage comply with the Act and are safe from cyberattacks and misuse. This guidance note provides the respective stakeholders with a comprehensive overview of their obligations when processing personal data and practical steps to ensure compliance with the law.

The guidance note ensures that electronic records are protected with the same rigour as manual records. It provides practical and clear guidelines on processing and using data. It also includes checklists to help healthcare institutions understand their obligations and check their compliance with the law.

Legislative Framework: 

The Constitution of Kenya 2010: Article 31 recognises the right to privacy which includes the right not to have information relating to their family or private affairs unnecessarily required or revealed. 

Data Protection Act, 2019: Under the Act, “health data” is data relating to the physical and mental health status of a data subject and includes records relating to the past, present, or future state of health, data collected during registration, or data associating the data subject/patient/client with the provision of specific healthcare services. The Act puts in place measures to safeguard health data, which is considered sensitive personal data. It grants individuals rights to access their health data, to seek correction of inaccurate information, and to request that health data be deleted in certain circumstances.

Principles of Data Protection:

1. Lawfulness, Fairness, and Transparency 

Data should be processed in a lawful, fair and transparent manner. This includes obtaining explicit, specific and easily revocable consent from the data subject to process their data. Secondly, the data should be handled solely by, or under the responsibility of, a healthcare provider or a person subject to professional secrecy under any law. If data is processed by anyone else, that person must owe a duty of confidentiality. Thirdly, active measures must be taken to put safeguards in place that ensure data security. Lastly, healthcare institutions should issue data protection policies or notices that state the type of data processed, the purpose for processing the data, how the data will be collected and stored, how it will be disposed of, the procedures to follow if data is lost or stolen, the rules on sharing and transferring data, and the rights of the data subject.

2. Limitation and Minimisation: 

Data should only be used and processed for the purpose for which it was collected, and should not be used for any other purpose. This entails collecting the minimum data required to achieve the particular purpose for which it was collected. Some purposes for which data is collected are medical treatment, research, public health, health insurance and health awareness. For example, data collected for medical treatment should be used for diagnosis and treatment only and not for research or any other purpose. In addition, the data collected should be limited to what is necessary to reach a diagnosis, nothing extra.

3. Accuracy 

Data should be accurate, up-to-date and complete. Any inaccuracies shall be promptly corrected. Medical records should be constantly updated with the subject’s medical history. Prescriptions and test results should be accurate and correctly attributed to the patient. Data held for research purposes should be complete and properly identified. Health insurance companies should ensure the data is accurate when determining coverage and processing claims.

4. Storage Limitation

Data should not be kept for longer than required to fulfil the purpose for which it was collected. This requires stakeholders to adopt policies that contain retention rules in accordance with the DPA. Since the DPA does not specify retention periods, the policy should have a justification for the retention period which should not last indefinitely. 

5. Integrity and Confidentiality 

Given the sensitive nature of health information, data must be processed in a secure manner to protect it from unauthorised and unlawful processing, loss, destruction or damage. Safeguards such as two-factor authentication, security keys, password requirements and data encryption must be adopted. Confidentiality entails that the data is used by authorised personnel only and is not shared without the patient’s consent. Data security means taking measures to ensure the safe storage and transfer of data. Healthcare providers must inform their employees of their responsibilities, conduct regular risk assessments to identify any vulnerabilities, and implement safeguards to mitigate the identified risks.

6. Accountability 

This entails the health sector’s responsibility to take active measures to comply with the law, which includes putting in place policies and procedures to govern the collection, use and disclosure of data. It also includes taking active and responsible steps when a breach occurs.

Lawful Basis for Processing: 

Irrespective of the purpose, data must be collected and processed on a lawful basis. The lawful bases are as follows:

  1. Consent: there is a lawful basis when the subject gives clear and informed consent to the processing of data for a specific purpose. The consent given must be free, informed, specific and unambiguous. It must be a clear, voluntary statement given upon receiving sufficient information and for a specific purpose. This consent is different from medical consent, which relates to consenting to receive medical services such as treatment and surgery; consent under the DPA, by contrast, refers to the collection, processing and preservation of personal and health-related data.
  2. Performance of a contract: entities may process personal data to fulfil contractual obligations under contracts to which the subject is a party. However, the data should only be used for purposes within the ambit of the contract.
  3. Compliance with a legal obligation: processing of personal data is lawful when it is done to comply with obligations imposed by law.
  4. Protection of the vital interests of the subject: personal data processing is lawful if it is necessary to protect the vital interests of the subject. For example, an unconscious patient is unable to communicate; their information can therefore be accessed without consent in order to provide the medical treatment needed to save them.
  5. Legitimate interests pursued by healthcare providers: data can be processed for legitimate interests such as maintaining patient records, billing, scheduling appointments and other similar purposes.
  6. Public interest: personal data may be lawfully processed if it is necessary for the performance of a task carried out in the public interest.
  7. Historical, statistical, journalistic, literary, artistic or scientific research: data is lawfully processed if needed for healthcare research.

Rights of a Data Subject 

These are enforceable rights that are granted to data subjects under the DPA, and that must be respected and upheld by healthcare institutions. 

  1. Right to be informed: the data subject must be made aware of why the data is being collected, who is collecting it, for how long it will be kept and with whom it will be shared.
  2. Right to access personal data: the data subject has a right to access the data held in custody by the healthcare provider.
  3. Right to rectification of personal data: individuals have the right to request that any inaccurate or wrong data be corrected.
  4. Right to object to all or part of their personal data being processed: a data subject has the right to refuse to have their data processed in certain circumstances, such as where the data will be used for marketing purposes without their consent, where it is being shared with a third party without consent, where the data is inaccurate, or where it is being used for research without consent. However, this right is not absolute and may be limited where necessary.
  5. Right not to be subjected to automated decision-making: the right to demand human intervention rather than having important decisions made by automated algorithms.
  6. Right to erasure: the right to request that personal data be removed and deleted.
  7. Right to data portability: the right to receive the data in a structured, readable format for the purpose of transmitting it to another data controller or healthcare provider.

Compliance Obligations of Health Sector 

  1. Registration with the ODPC: all entities are mandated to register with the ODPC.
  2. Privacy by design or by default: it is an obligation under the Act for all entities within the health sector to incorporate appropriate security measures to protect data privacy, and to ensure that only necessary data is processed.
  3. Data storage: data should only be stored for as long as it is required. Once the data has served its purpose it should be erased or anonymised. This reduces the risk of unauthorised access and ensures that data is up-to-date and reliable. Each entity must create its own retention schedule; however, the retention period should be reasonable and justified.
  4. Data Protection Impact Assessment: this is an important tool that helps with compliance with the law. It allows entities to anticipate risks that may arise and to implement measures to overcome those risks.
  5. Notification and communication of breach: a breach should be reported to the ODPC without delay and within 72 hours of becoming aware of it. The data subject should also be informed of any breach relating to their personal data. The report should clearly identify the details of the breach, the date, the data subjects affected, the potential harm to the data subjects and any action taken to mitigate the harm.
  6. Engagement of data processors: it is important for health facilities to engage data processors that have experience in handling health data and are compliant with all relevant laws and regulations. This ensures that data is handled securely and ethically and that patient privacy is protected. Under the Act, if an entity engages a vendor or service provider (processor) to process information on its behalf, it must have a written contract with the processor stipulating that the processor acts under the controller’s instructions. Both parties should ensure that persons employed by them or acting under their authority comply with the security measures.
  7. Data sharing: several laws obligate data sharing in certain circumstances. However, data sharing must be done in accordance with the principles of confidentiality, privacy and informed consent. Data sharing is done with the aim of improving the health sector; however, it should be done ethically.
  8. Data transfer: any transfer of data to a third party must be done with the consent of the data subject and with appropriate safeguards. The transfer must be documented and the documentation provided to the Data Commissioner upon request.
  9. Duty to notify: transparency is a fundamental principle of data protection. Data controllers and processors must inform the data subject of their rights, the purpose of data collection and the safeguarding measures adopted to protect the data. Healthcare providers should have a comprehensive policy that is easy to understand and accessible.

Conclusion 

The guidelines set a minimum standard that healthcare institutions must adopt in order to comply with the laws on data protection. With the advent of technology and the rate at which it is advancing, such guidance notes ease the application, implementation and enforcement of data protection laws, thereby reducing the risk of a breach. Furthermore, the guidance note speaks to the country’s dedication to serving its populace by ensuring their data is well secured, and portrays the nation’s zeal in tackling the pitfalls that come with adopting new advancements.
