• Regulation
  • UK’s NHS made illegal patient data transfer to Google’s DeepMind

    As eHealth expands its reach, and Artificial Intelligence (AI) becomes routine, benefits will increasingly depend on health systems handing over their patient data to specialist companies. It seems inevitable, but it might not always be legal. The UK’s NHS found that it wasn’t.

    An article in the UK’s Guardian says the Royal Free London NHS Trust broke the law in November 2015 when it transferred 1.6m patient-identifiable records to DeepMind, the AI outfit owned by Google. It was part of a project in which DeepMind built Streams, an app that provides clinical alerts about kidney injury. DeepMind needed the data for testing.

    The ruling says that by transferring the data and using it for app testing, the Royal Free breached four data protection principles and patient confidentiality under common law. It sees the transfer as neither fair, transparent, lawful, necessary nor proportionate. Patients wouldn’t have expected it, they weren’t told about it, and their information rights weren’t available to them.

    The UK’s Information Commissioner agreed. Its view is that the core issue wasn’t the innovation. It was the inappropriate legal basis for sharing data that DeepMind could use to identify every patient. A better way is to keep the data in the health system and interface with apps such as Streams only when a clinical need arises.

    Two issues are important. One is dealing with an apparent data-grab of millions of patient records by a global organisation. The other is the way the NHS seems keen to embed a global company in its routine working. Both need regulation and protection of patients’ rights and interests.

    These offer insights for Africa’s health systems on dealing constructively with external eHealth and AI firms. The relationships are already on a trajectory. The lesson from the NHS and DeepMind project is essential if Africa is to avoid being dragged along in its wake. There’s still time to do it.

  • Sierra Leone sets up a National eHealth Coordination Hub

    Succeeding with eHealth’s complexities across national health systems invariably needs a core organisation. Sierra Leone’s Ministry of Health and Sanitation has set up its National eHealth Coordination Hub to co-ordinate and regulate eHealth. It’ll also support eHealth expansion across the country’s health system. The Ministry of Information and Communications is a leading part of the initiative too.

    A report in Awoko says support is provided by UNICEF as part of a US$2 million project financed by the United States Agency for International Development (USAID) to strengthen Sierra Leone’s eHealth Management Information System. It’s part of the US Government’s commitment to strengthen health systems and services after Ebola. Laurie Meininger, Deputy Chief of Mission, told Awoko that “Sierra Leone is taking a step in the right direction, recognizing the growing importance of health coordination for the future health and sustainable development goals in Sierra Leone.”

    The Hub has three main goals in supporting the government’s eHealth ambitions. They’re:

    • Co-ordination
    • Regulation
    • Improved alignment of data with national health system goals.

    Acfee’s regulations database, which extends across 64 eHealth regulation topics, shows Africa’s health systems trailing those on other continents. Catching up is a big task that needs resources for regulation risk assessments, regulation decisions and compliance reviews. Selecting and implementing relevant and appropriate priorities is essential to expanding eHealth regulation.

    It’s an important achievement. For Africa’s health systems, affordable, sustainable eHealth decisions are tough to take. Creating the Hub provides Sierra Leone with a constructive way to take them. 

  • Africa’s eHealth legal framework needs developing – unpacking the 3rd Global Survey on eHealth

    Africa’s eHealth legal and regulatory framework is behind global trends, as eHNA has reported. More insights are provided in Chapter 6 of the WHO Global Observatory for eHealth (GOe) publication Global diffusion of eHealth: Making universal health coverage achievable, the report of the third global survey on eHealth. The report's data source is the WHO Global Survey 2015.

    Key findings include:

    • Slow but steady development of general eHealth regulation, with 33% of countries having specific policies or legislation to define medical jurisdiction, liability or reimbursement of eHealth services
    • About 47% have legislation to promote safety, quality and standards of health-related data
    • About 78% have health data privacy legislation and 55% have legislation to protect the privacy of electronically held patient data. They’re up from 73% and 31% in 2010, so a big step up for eHealth data laws.

    The survey focused on EHRs, which are dealt with in detail in Chapter 5. They are seen as the basis of eHealth systems, so a good indicator of the maturity of the general eHealth regulatory framework. Consequently, countries that don’t have EHRs aren’t covered.

    Africa’s overall position is about half the global average. Catching up is not easy. Much of the current eHealth regulation is generic, such as data protection laws and telecommunications regulation. It takes time to find a slot in countries' legislative programmes. eHNA posted that Angola took some five years to complete its data protection laws. This is a typical timescale that other countries have said is needed to move eHealth regulation on.

    The challenge is exacerbated because eHealth regulation extends well beyond EHRs. Examples are data transfer and communication using mHealth services, and new regulatory aspects such as eHealth governance and cyber-security. African countries will be unable to set up comprehensive regulations for all eHealth settings in the medium term, so setting eHealth regulation priorities is crucial.

    Alongside these, eHealth laws and regulations need finance and resources for a regulatory body and compliance reviews. These have to compete with finance and resources for expanding eHealth services and emerging demands such as cyber-security and human capacity building. An important question for Africa is how much eHealth regulation is needed.


    Image from the WHO report

  • India’s planning eHealth laws to tackle data breaches

    As cybercrime expands and eHealth becomes more exposed to it, India is planning legislation for comprehensive civil and criminal remedies for eHealth data breaches. It’ll also set up an enforcement agency. Provisions are being drafted to deal with any breach of patients’ data.

    A report in the Times of India says the legislation will include a comprehensive legal framework to protect individuals’ eHealth data, ownership of eHealth data, and health data standardisation for data collection, storage and exchange. African countries could benefit by monitoring India’s initiative as a comparator for their own eHealth legislation and regulation.

    Much of Africa’s eHealth is in its infancy, so most African countries don’t have specific eHealth regulations. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then. eHNA reported previously on Africa’s eHealth regulatory perspectives. Much more remains to be done, but it must not stifle innovation.

  • African eHealth needs data protection laws

    With much of Africa’s eHealth in its infancy it’s not surprising that most African countries don’t have specific eHealth regulations in place. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then.

    One way to address this shortfall is for Africa to follow the EU's example in laying down common laws to help countries protect data as governments implement eHealth. A Liquid Telecom report, Cybersecurity and Data Protection, in ITWEB Africa, highlighted Uganda, Kenya, Tanzania, Ghana, Zimbabwe and South Africa as countries that are in the process of initiating data protection laws in Africa. eHNA reported recently that Angola has approved its data protection laws.

    Kenya’s Data Protection Bill 2013 aims to make it difficult for third parties to mine personal information without owners’ consent. Ghana’s Data Protection Act 2012 is facing slow enforcement. South Africa passed its legislation in September 2016. In Zimbabwe privacy is enshrined in the constitution. The only initiative to encompass most African countries is the African Union's Convention on Cyber Security and Personal Data Protection 2014, which remains unratified by countries.

    "Some 53 African states came together to agree a legal framework to regulate various fields of ICT activity, ranging from e-transactions and personal data protection to cyber security. The convention is not however any kind of legally binding instrument, and requires that individual countries put its principles into their own statute book," the report said.

    Data protection laws are important for successful eHealth development. While regulation usually lags behind implementation, it’s key that eHealth is regulated and that regulations are passed in due time.

    Even though the continent’s efforts for general data protection are fragmented and need further development, the report believes that some countries are progressive. "There still needs to be more consensus on the meaning of key terms like 'consent', 'public interest' and 'legitimate grounds'. But there is hope that such details can be thrashed out and enshrined in a binding framework that both protects citizens and allows for healthy economic development," the report suggests.

    Data protection in healthcare is an important first step to protecting patients’ private medical data. While it’s a good foundation, more specific eHealth regulations are needed. An eHNA post sets out some of the challenges and links to an article setting out some eHealth regulation themes for Africa’s eHealth that can sit alongside privacy.

  • Angola moves data protection on

    In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a gap of about 45% in Africa’s eHealth regulation compared to developed countries. A year before, in 2011, Angola’s Data Protection Law No. 22/11 came into force. It provided for a Data Protection Authority (DPA) to be established.

    It defined personal data as 'any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person.' This generic definition is important for advancing regulation for the country’s eHealth.

    The GMS study for ESA identified the long lead time needed to convert eHealth regulatory principles into enabling legislation. The project’s workshops with selected sub-Saharan countries identified a realistic legislative process of about five years. Angola’s experience of moving its data protection initiative on shows that long time scales are needed.

    An article in Data Protection Leader says Angola’s President, His Excellency President José Eduardo dos Santos, approved the DPA framework in Decree No. 214/16 on 10 October 2016, some five years after the Data Protection Law passed. The DPA’s roles include receiving notifications and filings from data processors, supporting the Government in developing and establishing data protection policy, and representing the country in international data protection initiatives.

    As Africa’s health systems develop their eHealth regulatory environments, it’s essential that realistic timetables are set. The ESA study and Angola’s data protection experience show that progress won’t be rapid. They reinforce the need to start and sustain a momentum to close the gap.

  • Africa’s eHealth regulation needs a boost

    eHealth regulation in Africa trails well behind developed countries. A study for the European Space Agency (ESA) in 2012, led by Greenfield Management Solutions, identified the gap at about 45 percentage points.

    Acfee’s Tom Jones writes in Data Protection Leader (DPL) “Not much has changed since 2012.” Considerable challenges remain, including:

    1. eHealth regulation must compete with other eHealth priorities
    2. eHealth regulatory bodies or organisations need establishing, requiring enacting legislation to define their delegated powers and resources
    3. This kind of legislation can take several years to agree on with stakeholders and more time to find a place in countries’ legislative agendas for approval
    4. eHealth regulations need enforcement and compliance reviews, which require resources and new skills
    5. Recruiting, training and retaining smart compliance teams is essential
    6. With so many other competing priorities, it is likely that any recruitment and training developments for eHealth regulation will be modest
    7. Phased, long term, sustainable and achievable goals are needed.

    This seems like an insurmountable task. Tom Jones proposes as a starting point setting specific eHealth regulation for privacy, building on the generic privacy legislation already in place in 88% of African countries. Because privacy requirements stretch across many aspects of eHealth, it provides a route into the choices for subsequent steps towards wider legislation. The article sets out examples of these.

    As eHealth keeps expanding with new initiatives, like Big Data and analytics, the eHealth regulation gap keeps widening. It’s essential that Africa’s health systems start to catch up.

  • EC’s mHealth privacy code can meet Africa’s regulation needs

    African countries recognise the need for privacy in eHealth. Many countries’ privacy regulations are for general data protection and may not be specific enough for all eHealth services. With mHealth being a major part of Africa’s eHealth, it seems to offer a good template to start to build up and apply eHealth regulations.

    The European Commission (EC) offers a helpful starting point. Its draft Code of Conduct on privacy for mobile health apps has been completed. It’s derived from EU data protection law and is awaiting formal approval. Once that is granted, app developers can volunteer their commitment to comply with the Code.

    The Code deals with eleven questions:

    1. How should consent of app users be obtained, including valid, explicit consent from citizens to collect and use their data
    2. What are the main principles that need adopting before making an mHealth app available, including purpose limitation, data minimisation, transparency, privacy by design, privacy by default and citizens’ rights
    3. What information shall be provided to users before they can use any app, including a formal notice that identifies the app developer; describes the purpose of the data processing, how the data will be used and how it fits with products and services, and guarantees fair processing; states the precise categories of personal data that the app will process; says whether personal data will be transferred from the user’s device, and if so, to whom; sets out users’ rights to access, correct and delete personal data; informs users that using the app requires their consent to the processing of their personal data; provides contact information where users can ask questions about data protection; and contains a link to a full privacy policy.
    4. How long can data be retained, including acknowledging the challenges of irreversibly anonymising health data when retention periods expire
    5. Security measures, including confidentiality, integrity and availability of the personal data processed by apps, and completing Privacy Impact Assessments (PIA)
    6. Can apps contain advertisements, including authorisation by users and having different approaches for advertising involving personal data
    7. What’s needed before disclosing data to a third party for processing, including data used for scientific research, analytics or Big Data analysis
    8. Can personal data collected by apps be used for secondary purposes, including processing operations, needing agreements in place with third parties
    9. Where can gathered data be transferred to, including compliance with the rules for international data transfers
    10. What action is needed if there’s a personal data breach, including who to notify
    11. How can data be gathered from children, including parental consent, and especially when apps are for children’s use

    A set of questions is suggested for completing a PIA. They are:

    1. Which kinds of personal data will the app process?
    2. For which purposes will this data be processed?
    3. How has users’ consent been obtained to process their data for every type of use foreseen?
    4. Has someone been designated to answer questions about the app’s privacy requirements?
    5. Was the app developed in consultation with a healthcare professional to ensure that data is relevant for the app’s purposes and not misrepresented to users?
    6. Explain what’s been done to respect a set of security objectives, or explain why they’re not relevant:
    • Principles of privacy by design and privacy by default
    • Data has been pseudonymised or anonymised wherever possible
    • Appropriate authorisation mechanisms have been built into the app to avoid unlawful access
    • Effective encryption has been used to mitigate the risk of breaches
    • Independent system security audits have been considered
    • Users are informed when updated versions are available
    • All use of old app versions is blocked if the update is security critical
    7. The app has been developed using known guidelines on secure app development and secure software development
    8. The app has been tested using mock data before it’s available to real end users
    9. Incidents affecting remotely stored data can be identified and addressed
    10. If any personal data collected or processed by the app is transferred to a third party, have appropriate contractual guarantees about their obligations been obtained, including purpose limitations, security measures and their liability?

    The Code is the culmination of a wide range of contributions. It’s a very valuable contribution as best practice for attaining privacy in apps and for this aspect of mHealth regulation. App developers in Africa can enhance their products by showing how they’ve complied, even if countries haven’t incorporated the Code into their eHealth regulations. These can follow on promptly if countries use the EC Code as the initial draft of their own bespoke versions.
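    The PIA security objectives above name techniques without showing what they look like in an app’s back end. The following is an added example, not code from the EC Code, eHNA or any app vendor. It assumes a server-side store for a glucose-tracking app, a constructed HMAC key, an assumed minimum app version of 2.4.0 and an assumed 365-day retention period, and it shows four of the objectives in working code: keyed pseudonymisation (a plain hash of a patient identifier is not a pseudonym, because the identifier space is small enough to enumerate), data minimisation at the point of collection, blocking of app versions below a security-critical minimum, and irreversible anonymisation once the retention period ends.

```python
"""Added example (not from the EC Code, eHNA or any vendor): a small server-side
data handler for an mHealth glucose app that applies several of the Code's
privacy-by-design objectives. The key, version floor, retention period and
records are all constructed for illustration."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta

# Server-held secret (constructed here; a real deployment keeps it in a KMS/HSM).
# A plain SHA-256 of a national ID or phone number is not a pseudonym: the input
# space is small enough to enumerate, so anyone holding the table can reverse it.
# Keying the hash puts re-identification behind the key, which is what makes the
# stored value pseudonymised rather than merely obscured.
PSEUDONYM_KEY = secrets.token_bytes(32)

MIN_APP_VERSION = (2, 4, 0)  # assumed: first version carrying the security-critical fix
RETENTION_DAYS = 365         # assumed: retention period stated in the app's privacy notice


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for one identifier, unlinkable to it without the key."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def parse_version(text: str) -> tuple:
    """'2.10.1' -> (2, 10, 1); tuple comparison orders 2.10 after 2.9 correctly."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts


def version_allowed(app_version: str, minimum: tuple = MIN_APP_VERSION) -> bool:
    """Objective: block all use of old app versions when the update is security critical."""
    return parse_version(app_version) >= minimum


def collect_reading(raw: dict, app_version: str, today_iso: str) -> dict:
    """Data minimisation: store only what the stated purpose (glucose tracking) needs.
    Name, phone, location and anything else in `raw` are deliberately not copied."""
    if not version_allowed(app_version):
        raise PermissionError("app version below security-critical minimum; update required")
    today = date.fromisoformat(today_iso)
    return {
        "subject": pseudonymise(raw["patient_id"]),
        "glucose_mmol_l": float(raw["glucose_mmol_l"]),
        "recorded": today.isoformat(),
        "expires": (today + timedelta(days=RETENTION_DAYS)).isoformat(),
    }


def enforce_retention(records: list, today_iso: str) -> list:
    """When the retention period ends, destroy the link to the subject rather than
    hide it: an expired record keeps only the value and the month, which is the
    irreversible step the Code's retention question asks about."""
    today = date.fromisoformat(today_iso)
    kept = []
    for rec in records:
        if date.fromisoformat(rec["expires"]) <= today:
            kept.append({"glucose_mmol_l": rec["glucose_mmol_l"], "month": rec["recorded"][:7]})
        else:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    # Constructed input: a reading submitted with far more fields than the purpose needs.
    raw = {"patient_id": "ZA-123456", "name": "A. Person", "phone": "+27 00 000 0000",
           "gps": "-26.20,28.04", "glucose_mmol_l": "6.2"}
    rec = collect_reading(raw, "2.4.1", "2017-07-01")
    print(rec)                                      # no name, phone or gps stored
    print(enforce_retention([rec], "2018-07-01"))  # subject link gone after a year
    try:
        collect_reading(raw, "2.3.9", "2017-07-01")
    except PermissionError as err:
        print("blocked:", err)
```

    Two caveats a practitioner would add. A keyed pseudonym is reversible by whoever holds the key, so the key needs the same protection as the identifiers it replaces, and the same identifier always maps to the same pseudonym by design, which allows linkage across records; if linkage itself is a risk, the retention step that drops the subject field is the only part that actually breaks it. Version gating on the server is what makes a security-critical update enforceable, because a check inside the old app can be bypassed by not updating.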

  • eHealth algorithm and regulation let down cardiovascular patients

    When eHealth contributes to mission-critical healthcare activities, it’s vital that it’s accurate, reliable, consistent and available. It seems that the UK’s NHS may have experienced a bit of a problem.

    A report in The Times says “hundreds of thousands of patients could have been put at risk of heart attack and stroke or wrongly prescribed statins because of a software glitch.” It seems that an algorithm, the QRISK2 calculator, wasn’t right. As a result, GPs had to contact all patients whose cardiovascular risk had been assessed using the SystmOne clinical system since 2009, so over the last seven years. Some 2,700 GP surgeries may be affected. The Medicines and Healthcare Products Regulatory Agency (MHRA) has started an investigation.

    TPP, SystmOne’s owner, says that its system contains over 40m patient records from more than 5,000 NHS organisations. These include more than 2,700 GP practices and 142 prisons. The system is verified by the NHS Health and Social Care Information Centre.

    TPP and MHRA are collaborating to resolve the matter. It’s envisaged that it’ll take some time. The events reveal the need for effective eHealth regulation and compliance, a lesson for African countries. The further eHealth moves into using algorithms to support clinical activities, the more regulation and compliance reviews are needed. A practical check that regulation can require is that any clinical calculator embedded in a system is validated against reference cases before release and again after every update, since a wrong result can otherwise go unnoticed for years. Effective eHealth regulation is costly. So is the lack of regulation.

  • mHealth growth outstripping regulation isn't good

    Huge mHealth growth over recent years has left regulation chugging along in the inside lane. A team from the Netherlands’ National Institute for Public Health and the Environment (RIVM) has analysed the difference and found a need to catch up.

    Its findings are in the Journal of Medical Internet Research (JMIR). From about 5,80 mHealth apps in 2011, there were over 23,000 in 2013 in the iTunes store, but not much is known about their uses, effectiveness and risks. The study focused on an inventory of 116 apps and other tools used with medication. Diabetic patients were asked to complete a questionnaire about their experiences with the apps.

    Many apps offer mainly simple functionality. The benefits users reported most were for regulating blood glucose levels. A minority of apps for medication use carry potentially high risks. For some apps, it’s unclear whether and how personal data are stored.

    A small subset of tools might involve relatively high risks. For the larger group of non-medical devices, risks are lower, but there’s still a mismatch between the enormous availability and low levels of regulation. Users and non-users said there are issues with the overall quality of apps, such as ease of use, completeness and good functionality.

    Important mHealth benefits for users, such as better health and self-reliance, arise from regulating blood glucose levels, so improving reliability and quality is likely to offer more benefits. Increased mHealth awareness is important too.

    A big challenge remains: the mismatch between the enormous availability of apps and low levels of regulation. Africa has a regulation deficit compared to developed countries, and as its mHealth expands, catching up will be more demanding. Starting now is a good option.


    Image from DigitalHealth.net