Recently, Tech Hive Advisory made a contribution to the Transform Health Global Digital Health Data Governance Policy. The contribution introduced policy recommendations in the form of principles that should guide an ideal health data governance framework. It also went further to discuss what the principles should address.
The suggested Principles are six in number, namely, transparency, facilitating innovation, interoperability, exceptions to the use of data, establishing data rights and ownership, and ethics.
An ideal health data governance framework should provide for the principle of transparency. Transparency in health data use should extend to the acknowledgement of local context, language and values. Also, information about the use of health data should be made available to individuals in a language, and communicated in a way, that they can understand. This includes populations with various forms of disability.
It is important for a health data governance framework to encourage responsible innovation that is rights-respecting. In addition, it should create room for a human rights impact assessment before deploying solutions to mitigate residual and real risks in health data use. This might involve steps like undertaking a data protection impact assessment (DPIA) or an AI systems audit, to certify that the system is compliant with the relevant data protection regulation, like the NDPR in Nigeria, or the EU’s GDPR.
The governance framework should provide for data interoperability, especially the international transfer of data. The Principles should recognise that frameworks, and their provisions on international data transfer, vary across the globe. Also, regard should be given to the approved list of countries for data transfer, where data protection legislation specifies those countries. Where data is to be transferred to another jurisdiction which is not approved for data transfer by the legislation, or such legislation does not exist yet, there should be consultation to ensure that the destination country has a legal framework that guarantees at least the same level of protection as the host country.
Exceptions to the use of data
The framework must put in place specific exceptions for using health data without consent, such as for public health emergencies like the Covid-19 pandemic. The Principles should also lay down specifics for balancing out the State’s need for data and making data use as person-centric as possible. For instance, the Principle should consider metadata as non-personal data, because metadata can identify individuals indirectly, which explains why modern data protection laws like the EU GDPR define it as personal data.
In addition, when treating anonymised data, there is a need to be certain the data is fully anonymised. Research has shown that anonymised data, when combined with publicly available data, could still identify individuals.
Establish data rights and ownership
The framework should establish clear data rights, and consideration should be given to data stewardship, which could assist vulnerable populations.
Ethics should be embedded into the use of data and the design of product architecture. In addition, the principles should be clear on the use of health data for discriminatory purposes, harassment and surveillance by state or private actors.
The end goal of the Principles is to achieve compliance-by-design and privacy-by-design. It is easier to achieve compliance from the get-go if systems for collecting and managing health data are built and informed by these Principles from the outset, rather than applying them for damage control as an afterthought.