ODPC Guidance Note on the Processing of Health Data

The Office of the Data Protection Commissioner (ODPC) issued a comprehensive Guidance Note in December 2023, addressing the processing of health data in Kenya. This document is pivotal in ensuring that healthcare providers, institutions, and other relevant stakeholders adhere to the highest standards of data protection while handling sensitive health-related information.

Introduction
The health sector in Kenya is a significant processor of personal data, encompassing various stakeholders like hospitals, clinics, laboratories, pharmaceutical services, health insurance providers, and health research institutions. The increasing adoption of digital technologies such as Health Management Information Systems (HMIS), eHealth, mHealth, and other digital health platforms has amplified the need for robust data protection mechanisms. This Guidance Note serves as a crucial tool to ensure that personal data, especially health data, is processed lawfully, fairly, and transparently.

Legislative Framework
The processing of health data in Kenya is governed by several legal instruments, including the Constitution of Kenya 2010, the Data Protection Act, 2019 (DPA), and various sector-specific regulations. The DPA categorizes health data as sensitive personal data, which necessitates additional safeguards to protect it from unauthorized access, misuse, or disclosure.

Key Data Protection Principles
The Guidance Note emphasizes the application of core data protection principles within the health sector:

  • Lawfulness, Fairness, and Transparency: Health data must be processed in a lawful manner, with the explicit consent of the data subject or under specific legal provisions. Healthcare providers are required to inform patients about the purposes of data collection, how the data will be used, and the measures in place to protect their privacy.
  • Purpose Limitation: Personal data should be collected for specific, legitimate purposes and not used for other unrelated activities. For instance, data collected for medical treatment should not be repurposed for marketing without the patient’s consent.
  • Data Minimization: Only the minimum necessary data should be collected and processed to achieve the intended purpose. Healthcare providers must avoid collecting excessive or irrelevant information.
  • Accuracy: Health data must be kept accurate and up-to-date. Any inaccuracies should be corrected promptly to ensure that the data reflects the true state of the patient’s health.
  • Storage Limitation: Personal data should not be retained for longer than necessary. Healthcare providers are advised to implement clear retention policies that outline how long patient data will be stored and the procedures for securely disposing of it once it is no longer needed.
  • Integrity and Confidentiality: Given the sensitivity of health data, it must be protected against unauthorized access, accidental loss, or damage. Healthcare institutions are required to implement robust security measures, including encryption, secure storage, and regular audits to ensure data integrity.

Lawful Basis for Processing
The Guidance Note outlines several lawful bases for processing health data, including:

  • Consent: Explicit, informed consent must be obtained from the data subject before processing their health data.
  • Performance of a Contract: Data may be processed if it is necessary for the performance of a contract, such as providing healthcare services.
  • Compliance with Legal Obligations: Data processing may be necessary to comply with legal obligations, such as public health reporting.
  • Protection of Vital Interests: Processing may occur if it is necessary to protect the vital interests of the data subject, such as in emergencies.

Rights of Data Subjects
The DPA grants several rights to data subjects, including:

  • Right to be Informed: Patients have the right to know how their data is being processed.
  • Right to Access: Patients can request access to their personal data held by healthcare providers.
  • Right to Rectification: Patients can request corrections to any inaccurate data.
  • Right to Erasure: Under certain circumstances, patients can request the deletion of their personal data.

Compliance Obligations
Healthcare institutions must adhere to several compliance obligations, including:

  • Registration with the ODPC: Healthcare providers must register with the ODPC and comply with its guidelines.
  • Privacy by Design and Default: Data protection measures should be integrated into the design of data processing systems and practices.
  • Data Protection Impact Assessments (DPIAs): Institutions must conduct DPIAs to assess and mitigate risks associated with data processing activities.

Conclusion
The ODPC Guidance Note on the Processing of Health Data emphasizes the importance of adhering to data protection principles, particularly in the sensitive area of health data. Healthcare providers and institutions must ensure that they process personal health data in a lawful, fair, and transparent manner, respecting the privacy rights of individuals while implementing robust security measures to safeguard this sensitive information.

Our firm, Mbuchi & Associates Advocates, assists organizations and businesses in complying with the Data Protection Act, 2019. We provide comprehensive legal guidance, tailored compliance strategies, and practical steps to ensure your data processing activities align with the law. For consultations on data protection compliance and related matters, feel free to reach out to us.

Let us help you safeguard your organization’s data and avoid the legal pitfalls associated with non-compliance. Reach us at mbuchiadvocates@gmail.com or call 0713188474 to schedule your consultation.