[Column] John Syekei: No place in Kenyan healthtech for ‘Wild West’ approach to data
Technology has taken off in Kenya like wildfire, where the healthcare and pharmaceutical sectors are the latest industries to embrace its benefits. The good news for patients and practitioners alike is that the rapid uptake of health and medical technology is unlikely to compromise patient privacy and data integrity.
“The Wild, Wild West it certainly is not,” says John Syekei, head of the Intellectual Property Practice at the Nairobi office of pan-African law firm Bowmans. “While the legislative framework is piecemeal, the existing legislation is sufficiently broad to ensure the protection of data in the health and pharmaceutical sectors.”
Kenya’s rapid technological advancement has gone hand in hand with increased pressure to ensure that organisations safeguard sensitive medical data when collected, recorded and stored, Syekei says.
Data protection legislation is on the way in the form of the Data Protection Bill, but in the meantime, the existing legal and regulatory framework is robust enough to allay any concerns over potential breaches of privacy.
For one, the country’s courts have already shown the willingness to uphold citizens’ constitutional right to privacy.
Court finds that employer violated dignity
“The most relevant case concerning medical data was heard before the Industrial Court of Kenya in 2013,” says Syekei, referring to a claim against a higher education institution in East Africa, which required all new employees to undergo HIV screening before joining the organisation.
“Not only was the claimant’s HIV status tested without her consent, but the information regarding her HIV status was disclosed to her superiors and colleagues, again without her consent,” he says. “This was rightly held to violate her privacy.”
Over and above monetary damages for discrimination in the workplace, the judge awarded KES 5 million (USD 48 000) to the claimant for discrimination on the basis of her HIV status and gross violation of her human dignity.
Apart from enshrining the right to privacy, the Constitution of Kenya also provides that any international treaty or law that Kenya ratifies will form part of the laws of the land, Syekei says. “In terms of Kenya’s privacy and data protection laws, and its laws governing pharmaceutical regulation, this will mean the application of the guidelines and regulations introduced by the World Health Organisation (WHO), of which Kenya is a member.”
For example, Kenya has adopted the WHO’s Guidelines for Good Clinical Practice for Trials on Pharmaceutical Products, among other guidelines and regulations.
Local laws on confidentiality and privacy
Domestically, the main laws currently governing the Kenyan health and pharmaceutical sectors are the Pharmacy and Poisons Act of 2015 and the Health Act of 2017. “The Health Act is progressive and ambitious and deals, for example, with circumstances in which confidential information of a medical services user can or cannot be disclosed,” Syekei says.
In terms of the Health Act, information about anyone seeking or intending to seek medical care from a healthcare provider is confidential except where the user has given consent, a court order has been issued or informed approval has been given for health research and policy planning purposes, or where any non-disclosure would be a serious threat to public health.
Another Act that contains privacy provisions is the HIV and AIDS Prevention and Control Act of 2006, which protects the identity of any person who has undergone an HIV test. Any person convicted of an offence under the Act is liable for a fine of up to KES 100 000 or up to two years’ imprisonment or both.
Regulators are watching
The country also has various regulators and supervisory authorities that monitor healthcare and pharmaceutical organisations, including their data protection and privacy aspects. These are the Medical Practitioners and Dentists Board, the Pharmacy and Poisons Board, the Kenya Medical Research Institute, the Department of Pharmacovigilance and the Bioinformatics Institute of Kenya.
“Further, the Kenyan Medical Association, a voluntary membership organisation for doctors, serves as a useful stakeholder in promoting medical ethics and safeguarding the values of the profession,” Syekei says. “It is an important lobbyist and consultative partner working with the Government in introducing and implementing new laws and regulations.”
Syekei notes that, pending the passage of the Data Protection Bill, there are certain gaps in how medical data is dealt with.
For example, the HIV and AIDS Prevention and Control Act does not prescribe how data on HIV and AIDS should be recorded and stored, and the law pertaining to data transfer and exchange is undeveloped.
“However, the effectiveness of the constitutional right to privacy and integrity provides sufficient grounds to ensure that any transfer of sensitive personal data is secure and does not infringe on the constitutional rights of the subject.”
And while it is not yet known if and when the Data Protection Bill will come into force, companies in Kenya are already tightening up their data privacy and security policies. “We are seeing an increased trend towards putting data breach notification procedures in place and stepping up internal policies to safeguard data,” concludes Syekei.