The need for adequate attention and protection of personal sensitive health data, in the Cameroon healthcare sector.
“Patient privacy has been an issue since the oath of Hippocrates first called on physicians to “keep silence” on patient matters, and with highly sensitive data–genetic information, HIV test results, psychiatric records–entering patient records, concerns over privacy and security are growing.” (https://pubmed.ncbi.nlm.nih.gov)
All over the world, Cameroon being no exception, data protection and security have emerged in this digital era as a key concern in the healthcare sector. Data breaches within the healthcare sector in Cameroon dominate the headlines of most of our media outlets. People are particularly concerned about the privacy of their health-related personal information (both hard and electronic copies), especially because of the sensitive nature of this information. They want their information to be confidential and well safeguarded.
- Privacy is a fundamental human right guaranteed by international human rights instruments, including the Universal Declaration of Human Rights in its article 12 and the International Covenant on Civil and Political Rights in its article 17, and by the Constitution of Cameroon. When patients visit hospitals in Cameroon and provide their health information, they are secure in the knowledge that this health data is processed and stored with the utmost Just like the right to free speech is held dear, so should the right to data privacy be.
It is time for health service providers in Cameroon to prioritise data privacy and take drastic organisational and technical measures to protect sensitive health data. Data privacy refers to the protection of individuals’ personal information, ensuring its confidentiality, integrity, and lawful processing.
- With the advancement of electronic healthcare technologies, computers, the internet and electronic mobile devices, citizens are able to share voluminous amounts of sensitive data with their Health service In Cameroon today, we see an increase in the use of office computers in most medical facilities to record patients’ information, send test results to laboratories or consulting physicians, and transmit relevant information to health insurers or pharmacies. Sensitive personal data are being collected by government institutions for research purposes and studies. Health service providers are reaping enormous benefits from this readily available computerised health information. These benefits range from improved quality of health care and the fostering of sustainable development to cost reductions resulting from effective and efficient information systems.
- In short, health service providers nowadays know and store everything about their patients’ health and circumstances, ranging from their diseases, test results, prescriptions and so forth. Some health service providers even have interoperable systems which are able to share data at scale without being restricted by structural and operational limitations. For health service providers to win the trust and confidence of patients, it is imperative that they ensure the security and protection of both electronic and hard copy health information.
- At all times when processing patients’ data, health service providers must take the following into consideration: the purpose of processing the sensitive data; getting patients’ consent when practicable; minimising the amount of data collected; ensuring the security of data; keeping health data only as long as necessary; and being fair, transparent and accountable when processing this sensitive data.
- Technical measures such as encryption, firewalls and secure authentication methods can help prevent unauthorised access to sensitive health data. Organisational measures implemented through policies and procedures, staff training, and data breach prevention and management can prevent breaches and protect sensitive health data. If health service providers lose this sensitive information, the patients can suffer significant consequences. This can lead to identity theft causing financial loss to patients, discrimination against patients after the society finds out what disease they have, reputational damage to the health service provider, heavy fines from regulators and so forth.
What then is sensitive personal data, and why is it important to protect this data?
- Sensitive personal data encompasses a treasure of sensitive personal information, including medical history, diagnoses, treatment plans, personal identifiers and so forth. Article 9 of the European General Data Protection Regulation (GDPR) clearly mentions that ‘data concerning health’ are a special category of personal data, also referred to as ‘sensitive data’, because these types of data require additional protection as they can go to the very core of a human being. Health data comes within a person’s most intimate
- The GDPR sets down additional conditions for the processing of sensitive personal data. Although health service providers in Cameroon are not obligated or bound by the GDPR, for the sake of best practice, respect for confidentiality, and the obligations to protect personal data established by the existing robust cybersecurity law in Cameroon, this article strongly suggests that health service providers treat sensitive personal data with a high level of duty of care. They must safeguard this data from unauthorised access, disclosure, breaches and misuse in order to maintain patient trust and legal compliance.
Relevant privacy instruments in the world
- Established legal frameworks for privacy and data protection in the health sector are aimed at protecting sensitive personal data and ensuring that it is processed, stored, and shared in a manner that is lawful, fair, and transparent. Without data privacy measures in place, individuals’ privacy rights can be violated through the collection and use of their personal information without their consent or
- In Cameroon there are neither privacy nor health digital laws. However, the rights to privacy are enshrined in the constitution of the country, and are elucidated and expanded in several other legal instruments that provide additional legal frameworks to individuals and organisations that process personal data, including healthcare institutions. To name a few: Decree No. 83-166 of 12 April 1983 on the Cameroon Code of Medical Ethics, Law No. 90-036 of 10th August 1990 relating to the Organisation and Practice of Medicine in Cameroon, and the Cybersecurity Law 2010/012 of 21 December 2010.
- In addition, health service providers can also rely on and find comfort in the following international legal frameworks, which establish responsible data handling principles:
- The European General Data Protection Regulation (GDPR) which is considered to be a global standard for the protection of personal information. It is worth noting that many existing data protection laws in African countries were modelled on the regulations of the EU’s data privacy legislation – the EU Data Protection Directive (1995), which preceded the
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) which is an American federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or
- The African Union Convention on Cyber Security and Personal Data Protection of 27 June 2014 (‘the Malabo Convention’). Fifteen African Union member states have ratified the Malabo Convention; Cameroon signed on 12 August 2021, however not yet
Data protection and privacy is a broad and complex subject; subsequent articles will cover other privacy topics and sectors. This article aims to highlight and echo the urgency and importance of protecting personal health data in Cameroon with the emergent electronic healthcare technologies, to make reference to relevant international privacy laws, and to emphasise and draw the attention of the Ministry of Public Health to the need to prioritise and promote the draft proposed privacy bill in parliament, which is intended to protect health data and build trust and credibility in the healthcare system in Cameroon.
The materials in this article do not constitute legal advice. Legal advice on data protection and privacy must be tailored to the specific circumstances of each case, and nothing provided in the article should be used as a substitute for the advice of a competent lawyer.