Kenya has recognized the importance of data protection in the healthcare sector and has taken steps toward implementing data protection laws to safeguard patients’ sensitive information. The Data Protection Act (DPA) of 2019 is one such initiative that provides guidelines for data collection, storage, and processing across all sectors, including healthcare and medical services.

The DPA 2019 mirrors the Public Health Act 2012 that explicitly guides health providers and medical staff in managing the data of patients. The hospital setting brings to light three types of data subjects:

1. Patient as a data subject.
2. The general public visiting the hospital or acting as next of kin to the patients ;
3. The hospital staff.

Article 31 of the Constitution protects all three categories of data subjects’ rights to privacy.

The DPA 2019 imposes the right not to have the personal information of a person disclosed without their consent. The Act classifies data for patients as sensitive personal data. The right of the patient as a data subject under the Act include:

• The right to control their health data.
• The right to decide who can access their health data.
• the right to know which health data they are collecting.
• The right to know the usage of their health data. 
• The right to give or withdraw consent for the collection and use of their health data.

The right to give or withdraw consent for the collection of a patient’s data may limit access to healthcare for the patient. As a hospital, you are therefore expected to build trust with the patients to continue attracting them to your facility. Some of the safeguards that your hospital may use to protect your patient’s data include data minimization, data pseudonymization, and purpose limitation principles.

Protecting patients’ data under the law is a little easier.

 A code of ethics that includes confidentiality of patient records already binds healthcare professionals. One of the main challenges in implementing data protection in the healthcare sector is the lack of awareness and training among healthcare providers. Many healthcare workers are not aware of the importance of data protection. Further, security and handling sensitive patient data remain a challenge. This can lead to inadvertent data breaches, which can compromise patients’ privacy.

To address this challenge, healthcare providers must ensure:

• Adequate investment in Data Protection training and awareness campaigns that educate their staff on the importance of data protection and best practices for handling sensitive patient data. This can include regular training sessions, workshops, and simulations that prepare healthcare workers for handling data breaches.

Group Photo of Mater Hospital Data Protection Training by South-End Tech Limited

• Appointment/designation of a Data Protection Officer (DPO) responsible for ensuring compliance with the Data Protection Act 2019 and the Regulations

•  Adopting privacy by design by ensuring they set privacy regulations when developing new products or services and must implement appropriate technical and organizational safeguards to protect patient data.

Mr. Collins Manoa from Mater Hospital receiving his Certificate from Mr. Derrick, BDM, South-End Tech Limited Kenya.

• Establish a data breach reporting system to ensure any data breach is duly reported to the Office of the Data Protection Commission (ODP) within 72 hours and to the data subject as soon as possible if the breach is likely to result in a high-risk exposure of their data.