
Data protection legislation in Africa and pathways for enhancing compliance in big data health research | Health Research Policy and Systems


The complete texts of 36 data protection statutes and bills from across Africa were identified from the search (Fig. 1). These comprised 29 national data protection statutes, one data protection and privacy bill, three cyber security acts, two model data protection laws from African regional economic blocs and the African Union Convention on Cyber Security and Personal Data Protection. Out of these 36 documents, 31 were subjected to analysis, as they were available in either English or French, the two languages in which at least one member of the study team was proficient. The remaining documents were in Kiswahili, Portuguese or Spanish (Table 1). More than 50% of African countries have data protection legislation (Fig. 1).

Fig. 1 Representation of African countries with data protection legislation/statutes and year enacted or drafted

Key concepts and definitions in data laws

Data protection laws defined different categories of data (Table 2) pertinent to health research, including sensitive data and biometric data. Health and genetic data fall within the category of sensitive data, warranting heightened levels of protection.

Table 2 Different categories and common definitions of data types

Processing of personal data for scientific research

The principles for the processing of personal data must be met for scientific research. In most instances, data protection laws typically accord exemptions or make special provisions on the processing of personal data for health or scientific research (Table 3). Tunisia, for example, introduces a specific provision for consent when processing data originally collected for a different purpose and subsequently needed for historical or scientific research. In such scenarios, data controllers are required to obtain the consent of the individuals involved or, in case of unavailability, their heirs or legal guardians. In Gabon, processing of personal data for research requires an opinion from a research ethics committee. In the ECOWAS region, the use of health and genetic data for research purposes mandates permission from a data protection authority. Meanwhile, within the SADC region, the model data protection law stipulates that in cases where sensitive personal data are processed for scientific research and there is no apparent risk of privacy infringement or decision-making based on individual data, notification to the data subject may be postponed until the conclusion of the research. However, this delay is permissible only if informing the data subject would significantly prejudice the research. In such instances, the data subject must have previously provided written consent to the processing of their personal data for scientific research purposes, including postponement of notification for this reason.

Table 3 Country-specific provisions for the processing of sensitive data for scientific research

Principles guiding the processing of personal information

All the data protection laws are built upon a set of principles that govern the lawful collection, storage and use of data (Table 4). The processing of personal data for scientific research must follow these principles. There are, however, in most regulations, certain exceptions to some of these principles if the processing is for research.

Table 4 Key principles outlined in data laws and their definitions/descriptions

The rights of data subjects

All data protection regulations afford certain rights to data subjects (Table 5) including the prerogative to request organizations or data controllers to delete their personal data or opt out from the processing of their personal data, provided such objections are grounded in legitimate and justifiable reasons.

Table 5 Rights of data subjects as defined in national data protection laws

Cross border sharing: storage and sharing of scientific data

None of the countries that have data protection regulations in place permits the trans-border sharing of data unless the transfer falls within one of the grounds for trans-border sharing specified in the regulation. The exact grounds vary according to jurisdiction and the precise definition of each ground differs, but they generally include some or a combination of the following:

  • Sharing of data with a country that has an adequate level of protection (adequacy);

  • Standard contractual clauses that provide a similar level of protection;

  • Binding corporate agreements that provide a similar level of protection;

  • The transfer is necessary for the performance of a contract between the data subject and the controller or measures prior to the conclusion of such a contract;

  • Data subject consents to the transfer;

  • The transfer is necessary to safeguard the vital interests of the data subject;

  • The transfer is necessary or made legally binding for the protection of an important public interest, or for the establishment, exercise or defence of legal claims.

In the research context, the transfer mechanisms that are likely most appropriate are: adequacy, standard contractual clauses, binding corporate agreements or consent. As can be seen in Table 6, Madagascar, Mali and South Africa are the only countries surveyed that explicitly state binding corporate rules as a ground for transfer if the binding corporate rules would provide an adequate level of protection. Madagascar, Mali, South Africa and Zambia explicitly provide for standard contractual clauses as a ground for transfer. Thus, in the context of international collaborative research within Africa, adequacy and consent are most likely the grounds to be used in the transborder sharing of data. With the exception of Togo, Mali, Egypt and the Republic of Congo, consent is a ground under which personal data can be shared across borders. The consent would need to be specific to the transfer and specifically state the country that it is going to.

Table 6 Relevant grounds for the transborder transfer of personal data

Responsibilities of individuals under data protection law

The data protection laws outline the roles and obligations of key data protection stakeholders (Table 7). For the purposes of scientific research, the data protection laws in Gabon, Senegal and Lesotho mention an advisory or scientific committee as a critical stakeholder for the processing of personal data for scientific research. By contrast, Botswana, Mauritania, Zimbabwe and SADC data protection laws stipulate that health-related data may only be processed under the responsibility of a healthcare professional.

Table 7 Responsibilities of different stakeholders as listed in different data laws

Navigating data protection laws: proposed strategies for ensuring compliance in big data health research initiatives

Data protection laws introduce strict requirements on the processing and sharing of personal data. For instance, while informed consent stands as an ethical imperative in all research endeavours, under data protection regulations, it constitutes merely one potential lawful basis for processing personal data, subject to specific conditions and exceptions [22]. Consent may also be the lawful basis on which to transfer data internationally, or under adequacy, if the receiving country has an adequate level of protection [23]. Data science research initiatives in Africa need to develop mechanisms for navigating the complexities of processing personal data for health research. On the basis of our analysis, we recommend several approaches to address the complexities of re-use and cross-border sharing of personal data for health research while ensuring compliance with data laws. This includes the use of trusted research environments, establishing a module for safe data flows in Africa, adopting dynamic consent, developing codes of conduct to complement data laws and engaging the public on big data for health research.

Establishing a module for safe data flow for health research in Africa

For scientific research, the grounds on which data can be shared between jurisdictions are one of the following: adequacy, standard contractual clauses, binding corporate agreements or consent (Table 6). These mechanisms ensure that health and genomic data can flow securely across borders while adhering to the diverse national and regional legal standards that protect personal data. To meet these demands, it is necessary for African data science research consortia to establish a safe data module that provides a structured framework for lawful and ethical management and transfer of personal data for health research and public health purposes. The module should focus on informed consent, adequacy assessments, exploring alternative grounds for data transfers, training in data protection principles and processes and monitoring and compliance. Drawing on the analysis of data protection legislation in African countries and our experience in data-driven health research, we propose a set of practical recommendations for creating a robust, compliant and effective module for safe data flow (Table 8).

Table 8 Recommendations for a safe data module for data sharing

Adopting technical approaches to data analysis that limit cross border data transfer

The implementation of trusted research environments (TREs), designed to offer remote and pre-approved access to health data [24], may prove necessary, perhaps indispensable, within the current data protection landscape in Africa. TREs effectively restrict researchers from directly copying individual-level data while allowing other researchers to access and analyse data using techniques such as federated data sharing [25] and data visiting [26]. However, the implementation of these techniques in Africa would require the development of harmonized codes of conduct for data access, significant investment in data infrastructure, and a workforce trained in cloud computing and use within TREs. To ensure compliance with data protection laws, it would be essential to anchor the codes of conduct on principles outlined in data protection laws (Table 4), as well as those identified as key to fostering equity in research partnerships in Africa [27, 28]. Initiatives in the United Kingdom have also proposed the five safes framework as a code of conduct that is central to the use of TREs [29], and its application to big-data-driven research in the United Kingdom has proven to be very beneficial [30,31,32]. The five safes framework (safe projects, safe people, safe data, safe settings, safe outputs) could serve as a valuable tool for thinking through codes of conduct for data access and use in TREs in Africa. However, empirical studies on the feasibility and preferences of TREs and remote data access and analysis methods (e.g. data visiting, data federation) by scientists in Africa would be required to inform their rapid adoption and use in big data health research in Africa.

Dynamic consent: a solution to consent specificity and rights to restrict processing

Data protection laws place emphasis on the specificity of consent for the processing of personal data or the transborder flow of data. Where consent is not the lawful basis for the processing of personal data, data subjects have certain rights, which can include the right to object to the processing of their personal data (Table 4). Tunisia, for example, introduces a specific provision for consent when processing data originally collected for a different purpose and subsequently needed for historical or scientific research. In such scenarios, data controllers are required to obtain the consent of the individuals involved, or in case of unavailability, their heirs or legal guardians. In such cases, dynamic consent [33] offers a promising digital solution for managing the complexities of consent specificity and data subjects’ rights.

Dynamic consent employs digital platforms to foster continuous communication and engagement between data custodians and research participants [33, 34] by providing updates on data use and research progress, aligning with principles of autonomy, legitimacy, purpose limitation and fairness. Another significant benefit of dynamic consent is that it empowers research participants to exercise their rights as prescribed in data protection laws, such as the right to object to the processing of personal data. Furthermore, emerging data suggest that research participants would like to be re-contacted for future use of their data and samples for health research [35]. This further strengthens the argument for dynamic consent, as it provides a flexible and participant-centred approach to managing consent over time. A couple of initiatives have already proposed dynamic consent platforms tailored for use in big data health research [36,37,38]. However, the feasibility and acceptability of dynamic consent in Africa would need to be explored.

Data governance: approaching data privacy through a socio-cultural lens

The data protection legislation in all the countries is heavily informed by the rights of natural persons to data privacy. However, the effectiveness and adequacy of data protection laws as they apply to health research in Africa would be contingent upon socio-cultural factors that shape perceptions of privacy, trust and data sharing practices in health research. Generally, culture exerts a profound influence on people’s perceptions of privacy, data protection and willingness to share personal information [39, 40]. In communal cultures, prevalent across Africa, where solidarity is prioritized, there may be a greater willingness to share personal information for the greater good of the community [41]. Empirical studies conducted across Africa have shown that research participants often express a willingness to share their data for research purposes, particularly if it is to be used for the public good [42, 43]. Additionally, data from some of our public engagement activities on genomics and big data research lean towards support for the concept of data solidarity, with participants stating that they will favour minimal restrictions to data sharing if benefits accrue to their communities and they are informed of how their data are contributing to the public good. However, it would be essential to further explore whether communities view data sharing for research purposes as encroaching upon their privacy and autonomy and if that requires stringent rules for data sharing within and across borders. Such insights can inform the development of codes of conduct or harmonized data protection frameworks for research, focussing on the benefits and risks associated with different data uses, rather than solely emphasizing stringent rules around personal data.

Public engagement and education on data laws in health research

Public engagement activities aimed at raising awareness about data protection laws can empower individuals to make informed decisions about their privacy rights and secondary uses of their data for research and innovation. Such engagement should involve educating the public about the transformative potential of data-driven scientific advancements and empowering the public to appreciate the possibilities that the use of their personal data can bring to advances in health research and medicine. Equally important is addressing the ethical and social concerns that may arise when sensitive data are repurposed and used for secondary research or commercial purposes.


