Kenya: Cloud in Healthcare Services

The key regulator in this industry is The Ministry of Health which is in charge of the health sector and the co-ordination of health service delivery generally.

There are also many other regulators regulating practitioners and healthcare industry role-players¹⁴.All these regulatory bodies are established under separate Acts of parliament but account and answer to the Ministry of Health within their respective mandates.

The use of cloud services is not expressly addressed in any specific healthcare legislation. However, the Kenya Standards and Guidelines for mHealth Systems, 2017 provide standards to ensure the design, development, and implementation of interoperable, scalable, sustainable mHealth solutions where mHealth refers to interventions and programs designed to support health service provision through mobile technology and devices. The Kenya National eHealth Policy 2016 – 2030 also provides for the overarching provisions on the use of ICTs in healthcare delivery and envisages increased use of ICTs. It also prescribes circumstances in which health data should be anonymized and/or encrypted, or otherwise stored with permission of the Ministry of Health¹⁵. The Health Information System Policy further cements the government position which encourages the use of ICTs for healthcare service delivery. The Draft ICT Policy (2016)¹⁶ proposes an action plan to integrate mobile internet, cloud computing, big data, and the internet of things with modern manufacturing; promoting public service delivery among other sectors. The Health Sector ICT Standards and Guidelines (Ministry of Health, June 2013) seek to encourage the adoption of virtualization, thin clients and cloud computing technologies in the Ministry of Health’s programs to achieve IT efficiency.

Microsoft is proud to confirm that it meets regulatory and compliance requirements for use of the cloud in some of the most highly regulated industries across the globe and can help you to achieve compliance with the regulatory and compliance requirements applicable in the O&G sector

The Kenya mHealth Standards and Guidelines which are aimed at guiding the utilization of wireless and mobile applications and devices to improve outcomes in health defines that health Information should be held in Kenya; however, it can be held offshore with the consent of the Ministry of Health.

Microsoft is able to offer its customers the flexibility of various options for anonymisation and encryption.¹⁷

There is presently no uniform regulation of cloud services in Angola. Role-players within the O&G industry should however be mindful of certain regulatory provisions in moving to the cloud, namely:

• General legislation on confidentiality and protection of privacy
  • The Health Act, Cancer Prevention and Control Act, HIV and AIDS Prevention and Control Act the Public Health Act, the Kenya National eHealth Policy 2016 – 2030 and the Health Information System Policy all emphasize the importance of confidentiality and non- disclosure of information relating to a person’s health status, tests, treatment, or stay in a health facility.¹⁸ The right to privacy and confidentiality can only be waived by the individual in writing or as required by a court order or under legislation.
  • The Health Sector Strategic Plan for Health Information Systems 2009-2014, the Kenya National e-Health Strategy 2011-2017 and the Kenya Standards and Guidelines on mHealth Systems 2017 also stress the need to ensure confidentiality.
• Requirements on record keeping
  • The Information Communication and Technology Authority (ICTA) has established standards that are to be followed by all government ministries, county governments and government agencies.
  • Of importance in this case are the cloud computing standards.¹⁹ Some of the key requirements for cloud computing standards include:
    • The Ministry, County, or Agency (hereinafter referred to as MCAs) shall ensure Service Level Agreements (SLAs) cover issues such as ending the arrangement, dispute resolution, early warning of bankruptcy (or similar), compensation for data loss/misuse, change of control and assignment/novation, and change of terms at the discretion of the provider.
    • Cloud services should first be adopted in markets that have achieved an acceptable level of maturity.
      • MCAs shall ensure that data is stored in agreed locations, and is retrievable inside agreed timeframes
      • MCAs shall ensure they maintain control of the data and information in cloud storage and ensure protection from loss.
      • MCAs shall ensure the cloud provider adheres to regulatory law in relation to privacy and public record-keeping requirements. MCAs shall consider any legal obligations they have towards customers or other parties, and whether cloud will allow them to continue to meet them.
      • MCAs shall ensure the provider is vetted to ensure compliance with government standards.

The Kenya Standards and Guidelines on mHealth Systems, April 2017 require the documentation of the development of the mHealth systems in order to facilitate continuity among the system users and developers.

Microsoft contractually commits to provide products and services which comply with specific globally accepted and internationally recognised standards.²⁰

No, there are no laws requiring approval from regulatory authorities for use of cloud services. Cloud Service Providers in Kenya are deemed to be over the top service providers and are not required to obtain licenses from the ICT industry regulator, the Communications Authority.²¹ Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

The Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health and requires that warehousing be created and maintained for data and information at a central level within the health sector. The mHealth Guidelines also permit information to be stored outside the country, provided that certain requirements are met and approval is obtained from the Ministry of Health.

Under the IT Governance Standards MCAs are required to monitor achievement of service levels and compare them with agreed service level targets in the SLA.

The SLA should have accountability mechanisms for failure to meet service levels and MCAs shall monitor and report on achievement of services and compare them with agreed service levels.

MCA must have an IT function that reports directly to an accounting officer.

The Health Sector ICT Standards and Guidelines (Ministry of Health, 2013) provides cloud computing guidelines adopted by the MOH which include the implementation of a governance and audit management process.

Further, the Kenya Standards and Guidelines on mHealth Systems (April, 2017) require assurance processes to be put in place to ensure that the accountability needs of the data are met. These assurance processes include audit trails.

The Kenya Standards & Guidelines on Mhealth Systems April 2017 state that data can only be stored outside the jurisdiction of Kenya with permission from the Ministry of Health. Therefore, if data is to be stored abroad, approval will be required from the Ministry of Health. Kenya has no legislative provisions on data transfer and data localization. However, the Health Information Systems Policy states that health information should be hosted by the Division of Health Information Systems under the Ministry of Health, and should be stored in de-identified form.

Furthermore, the draft Data Protection Bill, 2018²² contemplates possible future restrictions on the flow of personal data outside Kenya save in specified circumstances, such as where:²³

• the third party is subject to a law or agreement that requires the putting in place of adequate measures for the protection of personal data;
• the data subject consents to the transfer;
• the transfer is necessary for the performance or conclusion of a contract between the agency and the third party; and
• the transfer is for the benefit of the data subject.

The draft Data Protection Bill also indicates that health information will be treated as special personal information, and its processing may be subject to specific requirements²⁴ but this will not preclude processing with consent of the data subject nor processing in certain circumstances, including:²⁵

• Certain institutions for purposes of treatment and care.
• Administrative bodies, pension funds and employers processing for purposes of implementing law relating to health of the data subject.

The Kenya Standards and Guidelines on mHealth Systems, April 2017, provide that communication context and content used in mHealth applications shall remain the property of the Government of Kenya and cannot be transferred without written approval from the relevant ministry, for instance the Ministry of Health.

Microsoft holds itself accountable to and is subject to the laws of general application applicable to information technology service providers, and has binding agreements which, in its view, are likely to constitute adequate measures. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO/IEC 27018 Privacy Standard. Microsoft is also committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

This checklist provides a detailed look into the legal obligations that may affect your usage of Microsoft Cloud Services.

Click here to download the checklist.