All hospitals and health facilities have been given three months to apply for Certification as Data Handlers/Processors.
In a statement on Tuesday, December 17, the Kenya Medical Practitioners and Dentists Council (KMPDC) CEO David Kariuki informed all health institutions of the new compliance requirement under the Data Protection Act, 2019.
According to the Council, the Act, implemented through the Office of the Data Protection Commissioner (ODPC), mandates the regulation of personal data processing to protect individuals’ privacy and mitigate the risk of data misuse.
KMPDC said the certification will be mandatory while registering hospitals from January 2025.
Additionally, the Council said all health facilities must be registered by March 2025.
“Effective 1st January 2025, all new health facility registrations must include a valid Certificate of Data Handler/Processor issued by the ODPC,” Kariuki said.
“Additionally, existing facilities must obtain this certification within three (3) months, by 31st March 2025.”
Kariuki said the requirement underscores the critical importance of safeguarding patient privacy, a fundamental aspect of ethical medical practice.
He added that by ensuring the responsible and lawful handling of personal data, health institutions not only comply with regulatory standards but also uphold ethical principles, fostering patient trust and enhancing overall safety.
“KMPDC remains steadfast in its mission to uphold the highest standards of professionalism, accountability, and respect for individual rights in the healthcare sector,” he said.
ODPC 2023 Directive
In December 2023, the ODPC issued a directive compelling all healthcare institutions to register with them.
According to ODPC, the Data Protection Guidance Note for the Health Sector was as a result of the increase in privacy concerns when processing personal data within the sector.
“It has been reported that as a result of the increase in the use of technology within the health sector, the sector has been exposed to risks including frequent cyberattacks, data breaches, potential misuse of personal data, lack of transparency around data collection and processing, unauthorized access and disclosure, unauthorized use of personal data for advertising purposes or unlawful packaging and selling data to third parties,” ODPC said.
Also Read: Ruto Issues Directive on Cooking Gas in Schools Countrywide
Concerns on How Hospitals Handle Data
The ODPC said it had identified the following privacy concerns in the Health Sector which has called for its intervention to ensure protection of personal data.
1.Extensive use of technology such as Health Management Information System (HMIS), eHealth, mHealth, medical imaging devices, e-Prescription and robotic surgery, Community Health Information System (CHIS), Electronic Medical Records (EMR) and Electronic Health Records (EHR).
2.Collection of excessive data, retention of data for an extended period than necessary and use of CCTV cameras in health institution among others.
Also Read: REVEALED: SHA To Pay Upto Ksh4,480 Per Day for ICU Patients
Further, the Commission said the privacy concerns led to infringement of the right to privacy and potentially resulted in bullying, discrimination, and exclusion.
As a result, it called upon health institutions to understand that patients, staff, donors and partners have right to privacy and healthcare services must be provided in a way that respects their inherent dignity and right to privacy.
Follow our WhatsApp Channel and join our WhatsApp Group for real-time news updates.
