The need to safeguard personal information, especially in the health sector, has never been more critical. Strong data privacy and security frameworks are essential to protect health records, ensure trust in health systems, and support the development of essential digital health infrastructure. But designing and implementing these frameworks is complex. Stakeholders must navigate diverse political landscapes, evolving health system priorities, and the unique complexities of public health data.
With support from the US Centers for Disease Control and Prevention’s Technical Assistance Platform, PATH’s cybersecurity experts have partnered with governments in the Democratic Republic of Congo (DRC), Haiti, Uganda, and Zambia to develop and implement context-specific data privacy guidelines.
A common challenge across these countries is the proliferation of data protection acts. Many have introduced data protections modeled on Europe’s General Data Protection Regulation, but these often don't account for the health sector's requirements in low- and middle-income countries. For instance, countries building national health insurance systems or developing digital infrastructure must also manage complex flows of sensitive data across multiple platforms. These efforts add urgency and complexity to the need for health-specific data protections that are both effective and feasible to implement.
“After years of effort, I’m thrilled to see data governance finally prioritized. Though countries weren’t ready before, focusing on data privacy now is a strong step toward protecting rights and building trust in health system.”— Anzél Schönfeldt, Director for Digital Square in South Africa
Key considerations for effective data privacy guidelines
- Government ownership: The success of data privacy guidelines hinges on the government's active participation. The government must champion these guidelines, be key drivers and owners of the process, and integrate them into the national agenda.
- Technical practicality: Implementing data protection measures can seem daunting. Countries should begin with foundational steps such as controlling system and data access, sharing, and use. They should document and enforce data privacy-related processes and procedures, such as data breach protocols, and build on existing organizational privacy practices where possible. This incremental approach ensures that measures are realistic and achievable.
- Flexibility in implementation: Setting timelines that allow for adjustments is vital. Many countries are keen to dive into data security, but the necessary skills are not always available. Starting with a data security assessment and strengthening capacity will allow countries to adapt their strategies accordingly.
Tailoring solutions to local needs
One of the most significant insights from our experiences is the need to tailor data privacy guidelines to each country's unique context. We start by reviewing existing policies and assessing the health information system to understand the landscape. Drawing from experience in several countries, we have a predefined guidelines toolkit that allows us to adapt and assemble the most relevant components to kick off drafting.
For example, Haiti's framework was developed primarily with input from the CDC and implementing partners, allowing for a more focused approach. In contrast, Zambia utilized a combination of online and in-person workshops to draft and refine their guidelines, ensuring that various stakeholders had input throughout the process. In the DRC, we used a preexisting working group and collaborated to validate the draft during an in-person session.
Country success stories
Democratic Republic of the Congo: The DRC government has been committed to advancing its data protection initiatives. With a strong Data Protection Act enacted in 2023, the country has established a roadmap for data sharing, use, and confidentiality and appointed the Ministry of Health (MOH) for ICT as the interim data protection authority. This proactive approach sets a strategic precedent for other nations. The next steps for the DRC are for the MOH to sign off on the guidelines formally.
Zambia: After working closely with stakeholders, Zambia launched the formal Health Data Governance Framework, which includes data privacy, security, and confidentiality. The Data Protection Commissioner has also been appointed. Throughout the process, including validation meetings, Zambia showcased its commitment to being a model for data protection compliance in Africa.
Uganda: In partnership with the MOH, we supported Uganda in creating a stronger, more robust policy that provides a comprehensive framework for the protection and confidentiality of health data, addressing both legal and practical aspects. The Uganda Health Data Protection and Confidentiality Guidelines were launched in November 2024 at the National Digital Health Conference by the Minister of Health in Uganda, Hon. Dr. Ruth Aceng. The guidelines include a detailed consent framework to respect data subjects’ rights, mandate regular data assessments, outline consequences for non-compliance, and support utilizing health data for decision-making.
Haiti: Haiti has established one of the most comprehensive frameworks to date. Haiti was the first country to customize data privacy guidelines. It broadened the guideline appendices to include an extensive set of templates that can be reproduced and used either as standalone standard operating procedures or as job aids to assist in operationalizing the guidelines.
Haiti is sharing lessons learned throughout this process with other countries, demonstrating the collaborative spirit in addressing data privacy challenges. Technical refinement of the guidelines and the overall customization approach for subsequent country adaptations had their basis in the learnings obtained in Haiti’s thorough and systematic Technical Working Group review processes. Although the Haiti guidelines are unique in their application (focus on implementing partners, and not yet the government), it is envisioned that the CDC Data Privacy, Confidentiality, and Security Guidelines will help inform national guidelines and strategies in the future.
The road ahead: Sustainability and compliance
Looking forward, the sustainability of these data privacy frameworks will depend on the commitment of all stakeholders. Moreover, the legal frameworks in these countries often include severe penalties for non-compliance, ensuring that all partners understand their roles in monitoring and maintaining data privacy. As awareness grows around the necessity of data protection, the mentality is shifting from "if" to "when" systems will be attacked, underscoring the urgent need for comprehensive frameworks.
The strides made by these countries in adopting data privacy guidelines illustrate the growing recognition of the importance of protecting sensitive health data. As these nations navigate the complex data privacy landscape, their efforts serve as a beacon for others to follow.
“I deeply admire these countries. Despite unique challenges, their leaders are protecting public health data and leapfrogging better-funded nations—driven by strong political will and bold leadership.”— Anzél Schönfeldt, Director for Digital Square in South Africa
The road ahead is undoubtedly challenging, but with continued political will and commitment to collaboration, there is hope for a future where health data is safeguarded effectively. By prioritizing data privacy, nations can not only protect individual rights but also build trust in their health care systems, ultimately improving health outcomes for all.