Cross-Border Data Transfer In The Healthcare Sector: Legal Considerations And Best Practices

Cross-border data sharing in the healthcare sector is vital for advancing medical research, enhancing patient care, and promoting global health initiatives.

INTRODUCTION

Cross-border data sharing in the healthcare sector is vital for advancing medical research, enhancing patient care, and promoting global health initiatives. It enables stakeholders to gain access to a multitude of data, which in turn speeds up medical progress and enhances patient care. However, this practice raises considerable concerns, particularly in terms of privacy and compliance with both local and international standards. It involves navigating a complex web of legal considerations and adhering to best practices to ensure compliance with diverse regulatory frameworks, security, and ethical standards.

The legal complexities of cross-border data sharing in healthcare require striking a fine balance between maximizing the benefits of shared data and protecting against potential risks. Key legal considerations include adherence to data protection laws such as the Nigerian Data Protection Act (NDPAct) of 2023, and various national laws that impose stringent requirements on data transfer, consent, and usage. Healthcare data, being sensitive data, demands stringent safeguards to ensure confidentiality and integrity.

This article explores the legal considerations and best practices for cross-border data sharing in the healthcare sector.

LEGAL CONSIDERATIONS

1. Data Protection Regulations

Different countries have different data protection laws that control the exchange of personal information. Understanding and adhering to these laws is important to avoid legal issues. Some key international regulations, such as the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act (HIPAA) in the United States, make provisions for data sharing in the healthcare sector. In this article, however, we take a cursory look at the provisions of the NDPAct regarding cross-border data transfer and their operation in the healthcare sector.

The Act outlines two conditions for cross-border transfers. Firstly, it restricts the transfer of personal data outside Nigeria unless the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, codes of conduct, or certification mechanisms that afford an adequate level of protection with respect to the personal data in accordance with the NDPAct.[1] This is known as the adequacy requirement, and it is the primary basis for the cross-border transfer of personal data. Information can be transferred from the healthcare sector in Nigeria to another country if it complies with this provision of the NDPAct. Where there is no adequacy, a data controller or processor may only transfer data if: (a) the data subject consents and does not revoke such consent after being informed of the associated risks; (b) the transfer is necessary for a contract with the data subject or to take pre-contractual steps at the data subject's request; (c) the transfer is for the sole benefit of the data subject and obtaining consent is impracticable; (d) the transfer is necessary for important public interests; (e) the transfer is necessary for legal claims; or (f) the transfer is necessary to protect the vital interests of a data subject or of others unable to consent.[2]

2. Data Transfer Mechanisms

Pursuant to section 41 of the NDPAct, the first consideration and basis for cross-border transfer is the existence of a data transfer mechanism. These mechanisms include: the existence of a data protection law, binding corporate rules, contractual clauses, a code of conduct, or a certification mechanism. They provide a legal framework and a practical solution for facilitating data transfers to third-party countries.

Contractual clauses are legal contracts that stipulate the data protection requirements for both parties and bind them to comply with the principles outlined in the contract. Binding corporate rules are internal policies used by multinational corporations to ensure that personal data transferred both internally and across borders conforms with the data protection regulations of the countries involved. For these mechanisms to be effective, they must be carefully drafted and complied with.

In determining the adequacy of the mechanisms listed in section 41 of the NDPAct, each mechanism shall be assessed taking into account the provisions of section 42(2) of the NDPAct. These assessment measures include:

  1. the availability of enforceable data subject rights;
  2. the existence of any appropriate instrument between the Nigeria Data Protection Commission (the 'Commission') and a competent authority in the third country that ensures adequate data protection;
  3. the access of a public authority to personal data;
  4. the existence of an effective data protection law;
  5. the existence and functioning of an independent, competent data protection or similar supervisory authority with adequate enforcement power; and
  6. the international commitments and conventions binding on the relevant country and its membership of multilateral or regional organisations.

It is important to note that in Nigeria, the Commission is required to approve any such adopted mechanism before an organisation can rely on it as a basis for cross-border data transfer. It is also for the Commission to determine whether a country, region or specific sector within a country affords an adequate level of protection under section 42 of the NDPAct. This means that where an organisation within the health sector intends to carry out a cross-border transfer of health data in reliance on section 41(1)(a) of the NDPAct, the organisation is required to submit that mechanism to the Commission for approval before carrying out the transfer.

3. Consent

The primary basis on which data controllers and processors can rely when processing data is consent. Consent is especially necessary in the health sector, where most of the data processed is sensitive data of data subjects that must be handled with the utmost care and secrecy.

As previously stated, in the absence of adequacy of protection, an organisation may rely on any of the conditions in section 43 of the NDPAct, one such condition being consent.

  1. Informed Consent: The healthcare facility must provide the patient, in clear, concise and understandable language, with information about how the data will be used, who it will be shared with, the countries to which the data will be transferred, the purpose of the data transfer and any potential risks.
  2. Voluntary and Unequivocal Consent: The patient must give his/her consent freely, without any form of coercion or influence. For example, consent obtained from a patient under the influence of anaesthesia cannot be regarded as voluntary consent. Patients must also be informed of their right to withdraw their consent at any time by a simple method.
