Healthcare and health data legislation

Over the years, advancements in technology have impacted healthcare in several ways, especially regarding the increase in the generation, processing, storage, and sharing of health data.

This can be traced to the wide adoption of the Internet of Medical Things (IoMT), telemedicine and remote monitoring, mHealth, portal technology, wearables, cloud-based EHRs, etc.

The world is connected more than ever before, and data sharing is now much easier.

As interesting and revolutionary as these advances have been, they pose questions about how to deal with patient data privacy and protection on these platforms.

Image: a physician reviewing health data on a set of monitors (source: Harvard Business School Online)

Sensitive personal data, including health data, requires special protection and is usually protected by law as it reveals details about an individual’s health status, diseases and their treatments, allergies, biological composition, e.g., genetic data, and genotype.

Unlawful disclosure, illicit access to, or misuse of health records exposes patients to harm: infringement of their right to privacy, sale of their health data, blackmail, and similar abuses.

This is why data privacy laws mandate the protection of health data and penalise health data handlers who fall short of what the legislation requires.

Health data legislation, including the National Health Act and the Nigeria Data Protection Regulation, sets out the rules that organizations handling patient data, including hospitals and other health facilities, must follow in applying appropriate data protection measures.

1. National Health Act 2014 (NHA)

Nigeria’s National Health Act 2014 was signed into law on October 31, 2014. It provides a legal framework for the regulation, development, and management of Nigeria’s health system.

Health facilities are bound by the Act. Section 26, which governs the confidentiality of user information, states:

(1) All information concerning a user, including information relating to his or her health status, treatment or stay in a health establishment is confidential.

(2) Subject to section 27 of this Act, no person may disclose any information contemplated in subsection (1) unless:

(a) the user consents to that disclosure in writing;

(b) a court order or any law requires that disclosure;

(c) in the case of a minor, with the request of a parent or guardian;

(d) in the case of a person who is otherwise unable to grant consent upon the request of a guardian or representative; or

(e) non-disclosure of the information represents a serious threat to public health.

Image: a tablet with a security logo displayed (source: DSM.net)

Hence, patient information is confidential by default and may be disclosed only in the circumstances the law lists.

Every health facility owes its patients a duty to handle, store, and protect their personal data as the law requires, and will be held accountable if a data breach occurs.

Section 29 of the Act – Protection of Health Records states, thus:

(1) The person in charge of a health establishment who is in possession of a user’s health records shall set up control measures to prevent unauthorised access to those records and to the storage facility in which, or system by which, records are kept.

(2) A person who:

(a) fails to perform a duty imposed on them under subsection (1) of this Act;

(b) falsifies any record by adding to or deleting or changing any information contained in that record;

(c) creates, changes or destroys a record without authority to do so;

(d) fails to create or change a record when properly required to do so;

(e) provides false information with the intent that it be included in a record;

(f) without authority, copies any part of a record;

(g) without authority, connects the personal identification elements of a user’s record with any element of that record that concerns the user’s condition, treatment or history;

(h) gains unauthorised access to a record or record-keeping system, including intercepting information being transmitted from one person, or one part of a record-keeping system, to another;

(i) without authority, connects any part of a computer or other electronic system on which records are kept to any:

(i) other computer or other electronic system; or

(ii) terminal or other installation connected to or forming part of any other computer or other
electronic system; or

(j) without authority, modifies or impairs the operation of any:

(i) part of the operating system of a computer or other electronic system on which a user’s records are kept; or

(ii) part of the programme used to record, store, retrieve or display information on a computer or other electronic system on which a user’s records are kept,

commits an offence and is liable on conviction to imprisonment for a period not exceeding two years or to a fine of N250,000.00 or both.

Hence, health establishments are required to protect the records of the users of their services and to keep them confidential. Health records must not be falsified, altered, destroyed, or copied without authority. The NHA restricts the disclosure of user information and prescribes penalties for failing to meet these requirements.

2. The Nigeria Data Protection Regulation (NDPR) 2019

The NDPR is a regulation issued in January 2019 by the National Information Technology Development Agency (NITDA) under its enabling Act; it is not an Act of the National Assembly.

i. Definitions

The NDPR defines the data protection terms it uses, including Data Subject, Personal Identifiable Information (PII), and others.

The Regulation expressly lists medical information as Personal Data of a Data Subject, so it falls squarely within the NDPR. This means that healthcare facilities (Data Controllers) and their handling (Processing) of patient data are subject to the Regulation.

Section 1.3 of the NDPR states thus:

(iii) ‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;

(iv) “Data” means characters, symbols and binary on which operations are performed by a computer, which may be stored or transmitted in the form of electronic signals, stored in any format or any device;

(x) “Data Controller” means a person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which Personal Data is processed or is to be processed;

(xiv) “Data Subject” means any person, who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

(xix) “Personal Data” means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; It can be anything from a name, address, a photo, an email address, bank details, posts on social networking websites, medical information, and other unique identifier such as but not limited to MAC address, IP address, IMEI number, IMSI number, SIM, Personal Identifiable Information (PII) and others;

(xx) “Personal Identifiable Information (PII)” means information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in a context

(xxi) “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

ii. Lawful reasons to manage (process) health data

Image: outcomes of health data analysis (source: ScienceSoft)

From an individual patient perspective, healthcare is continuous and requires reference to previous illnesses and treatment plans to manage them moving forward.

Regarding a population of people, however, their collective health data is useful in assessing the trend of diseases among them, identifying epidemics and pandemics, arriving at improved treatment plans, conducting medical research, etc.

Healthcare facilities therefore keep records of patient data, and doing so falls within the lawful bases for processing that the NDPR recognises.

Section 2.2 of the NDPR states, thus:

Without prejudice to the principles set out in this Regulation, processing shall be lawful if at least one of the following applies:

a) the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the Controller is subject;

d) processing is necessary in order to protect the vital interests of the Data Subject or of another natural person, and

e) processing is necessary for the performance of a task carried out in the public interest or in exercise of official public mandate vested in the controller;

iii. Principles of managing (processing) health data

The NDPR lays down principles that govern how health facilities handle health data, and it makes anyone entrusted with, or in possession of, a Data Subject's Personal Data accountable for how that data is processed. Section 2.1 of the NDPR states, thus:

(1) In addition to the procedures laid down in this Regulation or any other instrument for the time being in force, Personal Data shall be:

a) collected and processed in accordance with specific, legitimate and lawful purpose consented to by the Data Subject; provided that:

i. a further processing may be done only for archiving, scientific research, historical research or statistical purposes for public interest;

ii. any person or entity carrying out or purporting to carry out data processing under the provision of this paragraph shall not transfer any Personal Data to any person;

b) adequate, accurate and without prejudice to the dignity of human person;

c) stored only for the period within which it is reasonably needed, and

d) secured against all foreseeable hazards and breaches such as theft, cyberattack, viral attack, dissemination, manipulations of any kind, damage by rain, fire or exposure to other natural elements.

(2) Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject owes a duty of care to the said Data Subject;

(3) Anyone who is entrusted with Personal Data of a Data Subject or who is in possession of the Personal Data of a Data Subject shall be accountable for his acts and omissions in respect of data processing, and in accordance with the principles contained in this Regulation.

iv. Consent before procuring patient data

Image: patient consent (source: Semantic Scholar)

Where processing rests on consent, the NDPR requires hospitals and other health facilities (Data Controllers) to obtain the consent of the patient (Data Subject) freely, for a specific and disclosed purpose, before processing the data, and to be able to demonstrate that consent was given. Unlike Section 26 of the NHA, which requires written consent for disclosure, the NDPR does not prescribe a written form; it regulates how consent is obtained and evidenced. Consent is also only one of the lawful bases in Section 2.2, so a facility may rely on another basis where one applies.

Section 2.3 states thus:

(1) No data shall be obtained except the specific purpose of collection is made known to the Data Subject;

(2) Data Controller is under obligation to ensure that consent of a Data Subject has been obtained without fraud, coercion or undue influence; accordingly:

(a) where processing is based on consent, the Controller shall be able to demonstrate that the Data Subject has consented to processing of his or her Personal Data and the legal capacity to give consent;

(b) if the Data Subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding on the Data Subject;

(c) prior to giving consent, the Data Subject shall be informed of his right and method to withdraw his consent at any given time. However, the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal;

(d) when assessing whether consent is freely given, utmost account shall be taken of whether the performance of a contract, including the provision of a service, is conditional on consent to the processing of Personal Data that is not necessary (or excessive) for the performance of that contract; and

(e) where data may be transferred to a third party for any reason whatsoever

v. Health data security

Health data is a prime target for attackers because it contains private details about patients that can be used against them if exposed.

Security breaches can affect both the records themselves and the medical devices and systems that process them; data security therefore covers the digital data, the systems that hold it, and the physical facilities that house them.

The NDPR requires Data Controllers, including health facilities, to put measures in place to protect the data in their care from theft, alteration, or loss.

Section 2.6 of the NDPR states, thus:

Anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff.

vi. Changes in organizational workflow

To comply with the NDPR, a data-handling organization such as a hospital must make changes to its organizational workflow.

Data Controllers must designate Data Protection Officers (DPOs) within their organization to ensure adherence to the NDPR.

They also work with Data Protection Compliance Organisations (DPCOs), which NITDA licenses to monitor, audit, train and advise Data Controllers on its behalf.

DPCOs are licensed data protection professionals that, among other things, provide auditing and compliance services, training, and regulatory support to Data Controllers.

Data Controllers are also required to train their staff in the fundamentals of data protection, usually with the help of DPCOs.

Section 4.1 of the NDPR states, thus:

(1) All public and private organizations in Nigeria that control data of natural persons shall, within three (3) months after the date of the issuance of this Regulation, make available to the general public their respective data protection Policies; these Policies shall be in conformity with this Regulation.

(2) Every Data Controller shall designate a Data Protection Officer for the purpose of ensuring adherence to this Regulation, relevant data privacy instruments and data protection directives of the Data Controller; provided that a Data Controller may outsource data protection to a verifiably competent firm or person.

(3) A Data Controller or Processor shall ensure continuous capacity building for Data Protection Officers and the generality of her personnel involved in any form of data processing.

(4) The Agency shall by this Regulation register and license Data Protection Compliance Organisations (DPCOs) who shall on behalf of the Agency monitor, audit, conduct training and data protection compliance consulting to all Data Controllers under this Regulation. The DPCOs shall be subject to Regulations and Directives of NITDA issued from time to time.

(5) Within six (6) months after the date of issuance of this Regulation, each organization shall conduct a detailed audit of its privacy and data protection practices with at least each audit stating:

a. personally identifiable information the organization collects on employees of the organization and members of the public;

b. any purpose for which the personally identifiable information is collected;

c. any notice given to individuals regarding the collection and use of personal information relating to that individual;

d. any access given to individuals to review, amend, correct, supplement, or delete personal information relating to that individual;

e. whether or not consent is obtained from an individual before personally identifiable information is collected, used, transferred, or disclosed and any method used to obtain consent;

f. the policies and practices of the organization for the security of personally identifiable information;

g. the policies and practices of the organization for the proper use of personally identifiable information;

h. organization policies and procedures for privacy and data protection;

i. the policies and procedures of the organization for monitoring and reporting violations of privacy and data protection policies; and

j. the policies and procedures of the organization for assessing the impact of technologies on the stated privacy and security policies.

(6) Where a Data Controller processes the Personal Data of more than 1000 Data Subjects in a period of six months, a soft copy of the summary of the audit containing information stated in 4.1(5) shall be submitted to the Agency.

(7) On annual basis, a Data Controller who processed the Personal Data of more than 2000 Data Subjects in a period of 12 months shall, not later than the 15th of March of the following year, submit a summary of its data protection audit to the Agency. The data protection audit shall contain information as specified in 4.1(5).

(8) The mass media and the civil society shall have the right to uphold accountability and foster the objectives of this Regulation.

In summary, Section 4.1 requires every Data Controller to publish a data protection policy and to audit its own privacy and data protection practices. Filing with NITDA depends on scale: a Data Controller that processes the Personal Data of more than 1000 Data Subjects in six months must submit a soft copy of the audit summary, and one that processes the Personal Data of more than 2000 Data Subjects in twelve months must submit a summary of its data protection audit annually, no later than 15 March of the following year.

The report details the organization's audit of its data privacy and protection practices, as itemised in 4.1(5), and evidences its continued compliance with the Regulation.
