Skip to main content
Download PDF
Download ePub

Data protection legislation in Africa and pathways for enhancing compliance in big data health research

Health Research Policy and Systems volume 22, Article number: 145 (2024) Cite this article

Abstract

Background

The increasing availability of large volumes of personal data from diverse sources such as electronic health records, research programmes, commercial genetic testing, national health surveys and wearable devices presents significant opportunities for advancing public health, disease surveillance, personalized medicine and scientific research and innovation. However, this potential is hampered by a lack of clarity related to the processing and sharing of personal health data, particularly across varying national regulatory frameworks. This often leaves researcher stakeholders uncertain about how to navigate issues around secondary data use, repurposing data for different research objectives and cross-border data sharing.

Method

We analysed 37 data protection legislation across Africa to identify key principles and requirements for processing and sharing of personal health and genetic data in scientific research. On the basis of this analysis, we propose strategies that data science research initiatives in Africa can implement to ensure compliance with data protection laws while effectively reusing and sharing personal data for health research and scientific innovation.

Results

In many African countries, health and genetic data are categorized as sensitive and subject to stricter protection. Key principles guiding the processing of personal data include confidentiality, non-discrimination, transparency, storage limitation, legitimacy, purpose specification, integrity, fairness, non-excessiveness, accountability and data minimality. The rights of data subjects include the right to be informed, the right of access, the right to rectification, the right to erasure/deletion of data, the right to restrict processing, the right to data portability and the right to seek compensation. Consent and adequacy assessments were the most common legal grounds for cross-border data transfers. However, considerable variation exists in legal requirements for data transfer across countries, potentially creating barriers to collaborative health research across Africa.

Conclusions

We propose several strategies that data science research initiatives can adopt to align with data protection laws. These include developing a standardized module for safe data flows, using trusted data environments to minimize cross-border transfers, implementing dynamic consent mechanisms to comply with consent specificity and data subject rights and establishing codes of conduct to govern the secondary use of personal data for health research and innovation.

Peer Review reports

Introduction

The vast amount of health-related data generated today and potentially available for biomedical research is astounding. These data come from diverse sources, including individuals participating in health research, electronic health care records, third-party service providers such as medical insurance companies, telehealth platforms and direct-to-consumer genetic testing companies [1]. Digital platforms and devices, including wearables, mobile phone apps and social media, also contribute substantially to the research data ecosystem [2,3,4]. These large volumes of data from diverse sources, also known as big data [5], can be leveraged to accelerate scientific research and innovation, validate research findings, improve disease surveillance, uncover trends in population health that might not be apparent in individual datasets [6,7,8], advance personalized medicine and inform the development of evidence-based public health policies [9]. However, alongside these opportunities are significant ethical, legal and governance considerations for the processing of  big data for health research. This includes, for example privacy concerns/breaches, algorithmic bias, the potential for discrimination, upholding the rights of data subjects, national sovereignty over genetics and health data, and compliance with national requirements on secondary analysis and cross-border transfer of health and genetic data [10,11,12].

To give effect to the right to privacy and the right to data protection, many African countries have enacted legislation on the protection of personal data [13, 14]. In parallel, regional bodies such as the African Union (AU), the Southern African Development Community (SADC) and the Economic Community of West African States (ECOWAS), have introduced model data protection laws aimed at informing the sharing of personal data among their member states [15]. Ensuring compliance with data protection standards is essential for safeguarding the rights of individuals. However, there is a lack of clarity on their application to biomedical and data-driven health research especially in relation to secondary data analysis, cross border sharing of data and use of data for purposes different from that of which they were initially collected for [16].

Generally, data protection legislation serves as a broad legal framework and are not sector specific, meaning in most instances it will lack detailed and/or specific guidance on health research. While many of these laws include some exceptions for processing special categories of personal data, such as for scientific research, they can sometimes conflict with national and international research ethics regulations within the same jurisdiction [17], making data sharing in international collaborative research particularly challenging [18,19,20]. For example, uncertainty about the application of data protection laws in scientific research, along with fears of sanctions and penalties, may cause African scientists to hesitate in sharing data with other researchers and third parties [16], thus limiting opportunities for collaboration. This is even more pronounced with the sharing of health and genetic data [21], which are often afforded extra protections status and classified as sensitive data, with the effect being that data sharing and reuse may become increasingly restricted thereby stifling global health research efforts.

To advance data-driven health research in compliance with national data protection statues, it is critical to reflect on strategies that data science health research initiatives in Africa can adopt to remain compliant while re-using and sharing personal data for the benefit of science, medicine and innovation. To highlight and address the additional requirements brought about by data protection laws, we analysed 37 data protection laws in Africa to identify key requirements related to health research. On the basis of the analysis, we propose strategies that data science health research initiatives in Africa can implement to ensure compliance with national data protection laws while effectively re-using and sharing personal data for health research and scientific innovation.

Methods

We conducted a comparative analysis of data protection legislation in 34 African countries and 3 regional African economic/geographic blocks (Table 1), with the goal of identifying core bioethical elements that speak to the regulation of health research, particularly concerning data collection, storage, cross border sharing and reuse. Key areas of focus included: principles guiding data use and reuse; the rights of data subjects; informed consent requirements; regulation on cross-border sharing of data; and responsibilities of various stakeholders involved in data collection, management and use.

Table 1 Overview of data protection legislation across Africa (grouped by language)
Full size table

Full text of the data protection laws were sourced through personal contacts, official government websites, the United Nations Conference on Trade and Development (https://unctad.org/page/data-protection-and-privacy-legislation-worldwide), databases and general internet searches via Google. The documents were imported into QSR-NVivo 12, a qualitative data analysis software to facilitate the systematic extraction and organization of information.

The data analysis focussed on specific provisions related to the following aspects: definitions of different types of data, specific requirements for scientific research, principles underpinning data protection, the responsibilities of data protection officers, the rights of data subjects and requirements for cross-border data transfer. A major limitation of the study is that the language competency within our team restricted us to detailed analysis of legislation available in English and French. For laws written in other languages such as Kiswahili, Spanish and Portuguese, only basic information such as the name of the country, year and the title of the law was extracted.

Results

The complete text of 36 data protection statues and bills from across Africa were identified from the search (Fig. 1). This comprised 29 national data protection statues, one data protection and privacy bill, three cyber security acts, two model data protection laws from African regional economic blocs and the African Union Convention on Cyber Security and Personal Data Protection. Out of these 36 documents, 31 were subjected to analysis, as they were available in either English or French, the two languages in which at least one member of the study team was proficient. The remaining documents were in Kiswahili, Portuguese or Spanish (Table 1). More than 50% of African countries have data protection legislation (Fig. 1).

Fig. 1
figure 1

Representation of African countries with data protection legislation/statutes and year enacted or drafted

Full size image

Key concepts and definitions in data laws

Data protection laws defined different categories of data (Table 2) pertinent to health research, including sensitive data and biometric data. Health and genetic data fall within the category of sensitive data, warranting heightened levels of protection.

Table 2 Different categories and common definitions of data types
Full size table

Processing of personal data for scientific research

The principles for the processing of personal data must be met for scientific research. In most instances, data protection laws typically accord exemptions or make special provisions on the processing of personal data for health or scientific research (Table 3). Tunisia, for example, introduces a specific provision for consent when processing data originally collected for a different purpose and subsequently needed for historical or scientific research. In such scenarios, data controllers are required to obtain the consent of the individuals involved or, in case of unavailability, their heirs or legal guardians. In Gabon, processing of personal data for research requires an opinion from a research ethics committee. In the ECOWAS region, the use of health and genetic data for research purposes mandates permission from a data protection authority. Meanwhile, within the SADC region, the model data protection law stipulates that in cases where sensitive personal data are processed for scientific research and there is no apparent risk of privacy infringement or decision-making based on individual data, notification to the data subject may be postponed until the conclusion of the research. However, this delay is permissible only if informing the data subject would significantly prejudice the research. In such instances, the data subject must have previously provided written consent to the processing of their personal data for scientific research purposes, including postponement of notification for this reason.

Table 3 Country-specific provisions for the processing of sensitive data for scientific research
Full size table

Principles guiding the processing of personal information

All the data protection laws are built upon a set of principles that govern the lawful collection, storage and use of data (Table 4). The processing of personal data for scientific research must follow these principles. There are, however, in most regulations, certain exceptions to some of these principles if the processing is for research.

Table 4 Key principles outlined in data laws and their definitions/descriptions
Full size table

The rights of data subjects

All data protection regulations afford certain rights to data subjects (Table 5) including the prerogative to request organizations or data controllers to delete their personal data or opt out from the processing of their personal data, provided such objections are grounded in legitimate and justifiable reasons.

Table 5 Rights of data subjects as defined in national data protection laws
Full size table

Cross border sharing: storage and sharing of scientific data

All countries that have data protection regulations in place do not permit the trans-border sharing of data unless the transfer falls within one of the grounds for the trans-border sharing of data specified in the regulation. The exact grounds vary according to jurisdiction and the precise definition of the ground differs, but they generally include some or a combination of the following:

  • Sharing of data with a country that has an adequate level of protection (adequacy);

  • Standard contractual clauses that provide a similar level of protection;

  • Binding corporate agreements that provide a similar level of protection;

  • The transfer is necessary for the performance of a contract between the data subject and the controller or measures prior to the conclusion of such a contract;

  • Data subject consents to the transfer;

  • The transfer is necessary to safeguard the vital interests of the data subject;

  • The transfer is necessary or made legally binding for the protection of an important public interest, or for the establishment, exercise or defence of legal claims.

In the research context, the transfer mechanisms that are likely most appropriate are: adequacy, standard contractual clauses, binding corporate agreements or consent. As can be seen in Table 6, Madagascar, Mali and South Africa are the only countries surveyed that explicitly state binding corporate rules as a ground for transfer if the binding corporate rules would provide an adequate level of protection. Madagascar, Mali, South Africa and Zambia explicitly provide for standard contractual clauses as a ground for transfer. Thus, in the context of international collaborative research within Africa, adequacy and consent are most likely the grounds to be used in the transborder sharing of data. With the exception of Togo, Mali, Egypt and the Republic of Congo, consent is a ground under which personal data can be shared across borders. The consent would need to be specific to the transfer and specifically state the country that it is going to.

Table 6 Relevant grounds for the transborder transfer of personal data
Full size table

Responsibilities of individuals under data protection law

The data protection laws outline the roles and obligations of key data protection stakeholders (Table 7). For the purposes of scientific research, the data protection laws in Gabon, Senegal and Lesotho mention an advisory or scientific committee as a critical stakeholder for the processing of personal data for scientific research. By contrast, Botswana, Mauritania, Zimbabwe and SADC data protection laws stipulate that health-related data may only be processed under the responsibility of a healthcare professional.

Table 7 Responsibilities of different stakeholders as listed in different data laws
Full size table

Navigating data protection laws: proposed strategies for ensuring compliance in big data health research initiatives

Data protection laws introduce strict requirements on the processing and sharing of personal data. For instance, while informed consent stands as an ethical imperative in all research endeavours, under data protection regulations, it constitutes merely one potential lawful basis for processing personal data, subject to specific conditions and exceptions [22]. Consent may also be the lawful basis on which to transfer data internationally, or under adequacy, if the receiving country has an adequate level of protection [23]. Data science research initiatives in Africa need to develop mechanisms for navigating the complexities of processing personal data for health research. On the basis of our analysis, we recommend several approaches to address the complexities of re-use and cross-border sharing of personal data for health research while ensuring compliance with data laws. This includes the use of trusted research environments, establishing a module for safe data flows in Africa, adopting dynamic consent, developing codes of conduct to complement data laws and engaging the public on big data for health research.

Establishing a module for safe data flow for health research in Africa

For scientific research, the grounds for what can be shared between jurisdictions is based on one of the following: adequacy, standard contractual clauses, binding corporate agreements or consent (Table 6). These mechanisms ensure that health and genomic data can flow securely across borders while adhering to the diverse national and regional legal standards that protect personal data. To meet these demands it is necessary for African data science research consortia to establish a safe data module that provides a structured framework for lawful and ethical management and transfer of personal data for health research and public health purposes. The module should focus on informed consent, adequacy assessments, exploring alternative grounds for data transfers, training in data protection principles and processes and monitoring and compliance. Drawing on the analysis of data protection legislation in African countries and our experience in data-driven health research, we propose a set of practical recommendations for creating a robust, compliant and effective module for safe data flow (Table 8).

Table 8 Recommendations for a safe data module for data sharing
Full size table

Adopting technical approaches to data analysis that limit cross border data transfer

The implementation of trusted research environments (TREs), designed to offer remote and pre-approved access to health data [24], may prove necessary, perhaps indispensable, within the current data protection landscape in Africa. TREs effectively restrict researchers from directly copying individual-level data while allowing other researchers to access and analyse data using techniques such as federated data sharing [25] and data visiting [26]. However, the implementation of these techniques in Africa would require the development of harmonized codes of conduct for data access, significant investment in data infrastructure, trained workforce in cloud computing and use within TREs. To ensure compliance to data protection laws, it would be essential to anchor the codes of conduct on principles outlined in data protection laws (Table 4), as well as those identified as key to fostering equity in research partnerships in Africa [27, 28]. Initiatives in the United Kingdom have also proposed the five safes framework as a code of conduct that is central to the use of TREs [29], and its application to big-data-driven research in the United Kingdom has proven to very beneficial [30,31,32]. The five safes framework (safe projects, safe people, safe data, safe settings, safe outputs) could serve as a valuable tool for thinking through codes of conduct for data access and use in TREs in Africa. However, empirical studies on the feasibility and preferences of TREs and remote data access and analysis methods (e.g. data visiting, data federation) by scientists in Africa would be required to inform their rapid adoption and use in big data health research in Africa.

Dynamic consent: a solution to consent specificity and rights to restrict processing

Data protection laws place emphasis on the specificity of consent for the processing of personal data or the transborder flow of data. Where consent is not the lawful basis for the processing of personal data, data subjects have certain rights, which can include the right to object to the processing of their personal data (Table 4). Tunisia, for example, introduces a specific provision for consent when processing data originally collected for a different purpose and subsequently needed for historical or scientific research. In such scenarios, data controllers are required to obtain the consent of the individuals involved, or in case of unavailability, their heirs or legal guardians. In such cases, dynamic consent [33] offers a promising digital solution for managing the complexities of consent specificity and data subjects’ rights.

Dynamic consent employs digital platforms to foster continuous communication and engagement between data custodians and research participants [33, 34] by providing updates on data use and research progress, aligning with principles of autonomy, legitimacy, purpose limitation and fairness. Another significant benefit of dynamic consent is that it empowers research participants to exercise their rights as prescribed in data protection laws, such as the right to object to the processing of personal data. Furthermore, emerging data suggest that research participants would like to be re-contacted for future use of their data and samples for health research [35]. This further strengthens the argument for dynamic consent, as it provides a flexible and participant-centred approach to managing consent over time. A couple of initiatives have already proposed dynamic consent platforms tailored for use in big data health research [36,37,38]. However, the feasibility and acceptability of dynamic consent in Africa would need to be explored.

Data governance: approaching data privacy through a socio-cultural lens

The data protection legislation in all the countries is heavily informed by the rights of natural persons to data privacy. However, the effectiveness and adequacy of data protection laws as it applies to health research in Africa would be contingent upon socio-cultural factors that shape perceptions of privacy, trust and data sharing practices in health research. Generally, culture exerts a profound influence on people’s perceptions of privacy, data protection and willingness to share personal information [39, 40]. In communal cultures, prevalent across Africa, where solidarity is prioritized, there may be a greater willingness to share personal information for the greater good of the community [41]. Empirical studies conducted across Africa have shown that research participants often express a willingness to share their data for research purposes, particularly if it is to be used for, the public good [42, 43]. Additionally, data from some of our public engagement activities on genomics and big data research data leans towards support for the concept of data solidarity, with participants stating that they will favour minimal restrictions to data sharing if benefits accrue to their communities and they were informed of how their data are contributing to the public good. However, it would be essential to further explore whether communities view data sharing for research purposes as encroaching upon their privacy and autonomy and if that requires stringent rules for data sharing within and across borders. Such insights can inform the development of codes of conduct or harmonized data protection frameworks for research, focussing on the benefits and risks associated with different data uses, rather than solely emphasizing stringent rules around personal data.

Public engagement and education on data laws in health research

Public engagement activities aimed at raising awareness about data protection laws can empower individuals to make informed decisions about their privacy rights and secondary uses of their data for research and innovation. It should involve educating the public about the transformative potential of data-driven scientific advancements and empowering the public to appreciate the possibilities that that the use of their personal data can bring to advances in health research and medicine. Equally important is addressing the ethical and social concerns that may arise when sensitive data are repurposed and used for secondary research or commercial purposes.

Conclusions

While data protection laws are not primarily designed for scientific research purposes, they will significantly influence the way African researchers approach data sharing. Through a comparative analysis of data laws across Africa, we propose that to harness the full potential of big data for health research and innovation while adhering to data protection legislation, initiatives in data science for health should consider adopting the following strategies: (1) the use of data access and analysis methods that allow for data localization; (2) Implementation of dynamic consent to meet requirements of specificity of consent; (3) public engagement and education on sharing of personal data for health research as prescribed in data protection laws; and (4) development of codes of conduct for the responsible sharing, reuse and repurposing of personal data for scientific research and innovation. The development of codes of conducts should take into consideration societal perceptions of privacy.  Finally, the formulation of the recommended guidance, policies and codes of conduct would greatly benefit from input and support from African regional and international agencies such as the African Union Development Agency-New Partnership for Africa's Development (AUDA-NEPAD), the Africa Centres for Disease Control and Prevention, the WHO and the World Economic Forum, that have a mandate to promote science policy and diplomacy in Africa and/or have a vested interest in fostering the responsible use of big data for global health research.

Data availability

No datasets were generated or analysed during the current study.

References

  1. Alonso SG, de la Torre DI, Rodrigues JJPC, Hamrioui S, López-Coronado M. A systematic review of techniques and sources of big data in the healthcare sector. J Med Syst. 2017;41(11):183.

    Article  PubMed  Google Scholar 

  2. Hussain MS, Tewari D. Social media applications in biomedical research. Explor Digit Health Technol. 2024;2(4):167–82.

    Article  Google Scholar 

  3. Munos B, Baker PC, Bot BM, Crouthamel M, de Vries G, Ferguson I, et al. Mobile health: the power of wearables, sensors, and apps to transform clinical trials. Ann N Y Acad Sci. 2016;1375(1):3–18.

    Article  PubMed  Google Scholar 

  4. Bietz MJ, Bloss CS, Calvert S, Godino JG, Gregory J, Claffey MP, et al. Opportunities and challenges in the use of personal health data for health research. J Am Med Inform Assoc. 2016;23(e1):e42–8.

    Article  PubMed  Google Scholar 

  5. Kitchin R, McArdle G. What makes big data, big data? Exploring the ontological characteristics of 26 datasets. Big Data Soc. 2016;3(1):2053951716631130.

    Article  Google Scholar 

  6. Saberwal G. The many uses of data in public clinical trial registries. Curr Sci. 2021;120(11):1686–91.

    Article  Google Scholar 

  7. Król ZJ, Dobosz P, Ślubowska A, Mroczek M. WGS data collections: how do genomic databases transform medicine? Int J Mol Sci. 2023;24(3):3031.

    Article  PubMed  PubMed Central  Google Scholar 

  8. Bourgeron T, Chapeau UK. Biobank! A revolution for integrated research on humans and large-scale data sharing. CR Biol. 2022;345(1):7–10.

    Article  Google Scholar 

  9. Vickers AJ. Whose data set is it anyway? Sharing raw data from randomized trials. Trials. 2006;7:15.

    Article  PubMed  PubMed Central  Google Scholar 

  10. Lalova-Spinks T, De Sutter E, Valcke P, Kindt E, Lejeune S, Negrouk A, et al. Challenges related to data protection in clinical research before and during the COVID-19 pandemic: an exploratory study. Front Med. 2022. https://doi.org/10.3389/fmed.2022.995689.

    Article  Google Scholar 

  11. Staunton C, Adams R, Anderson D, Croxton T, Kamuya D, Munene M, et al. Protection of personal information act 2013 and data protection for health research in South Africa. Int Data Privacy Law. 2020;10(2):160–79.

    Article  Google Scholar 

  12. Boscarino N, Cartwright RA, Fox K, Tsosie KS. Federated learning and Indigenous genomic data sovereignty. Nat Mach Intell. 2022;4(11):909–11.

    Article  PubMed  PubMed Central  Google Scholar 

  13. Makulilo AB. African data privacy laws. Berlin: Springer; 2016.

    Book  Google Scholar 

  14. Daigle B. Data protection laws in Africa: A pan-African survey and noted trends. J Int'l Com & Econ. 2021:1.

  15. Greenleaf G, Cottier B. International and regional commitments in African data privacy laws: a comparative analysis. Comput Law Secur Rev. 2022;44:105638.

    Article  Google Scholar 

  16. Peloquin D, DiMaio M, Bierer B, Barnes M. Disruptive and avoidable: GDPR challenges to secondary research uses of data. Eur J Hum Genet. 2020;28(6):697–705.

    Article  PubMed  PubMed Central  Google Scholar 

  17. Gefenas E, Lekstutiene J, Lukaseviciene V, Hartlev M, Mourby M, Cathaoir KÓ. Controversies between regulations of research ethics and protection of personal data: informed consent at a cross-road. Med Health Care Philos. 2022;25(1):23–30.

    Article  PubMed  Google Scholar 

  18. Fleming N. Proposed EU data laws leave researchers out in the cold. Nature. 2023. https://doi.org/10.1038/d41586-023-01572-2.

    Article  PubMed  PubMed Central  Google Scholar 

  19. Nordling L. A new law was supposed to protect South Africans’ privacy. It may block important research instead. Science. 2019. https://doi.org/10.1126/science.aax0768.

    Article  PubMed  Google Scholar 

  20. Lewis D. China’s souped-up data privacy laws deter researchers. Nature. 2023. https://doi.org/10.1038/d41586-023-01638-1.

    Article  PubMed  PubMed Central  Google Scholar 

  21. Townsend B. The lawful sharing of health research data in South Africa and beyond. Inform Commun Technol Law. 2022;31(1):17–34.

    Article  Google Scholar 

  22. Staunton C, Adams R, Horn L, Labuschaigne M. A framework to govern the use of health data for research in Africa: a South African perspective. In: Zima T, Weisstub DN, editors. Medical research ethics: challenges in the 21st century. Cham: Springer International Publishing; 2023. p. 485–99.

    Chapter  Google Scholar 

  23. Scheibner J, Ienca M, Kechagia S, Troncoso-Pastoriza JR, Raisaro JL, Hubaux JP, et al. Data protection and ethics requirements for multisite research with health data: a comparative examination of legislative governance frameworks and the role of data protection technologies. J Law Biosci. 2020;7(1):010.

    Article  Google Scholar 

  24. Varma S, Hubbard T, Seymour D, Brassington N, Madden S. Building trusted research environments-principles and best practices. London: Towards TRE ecosystems; 2021.

    Google Scholar 

  25. Kairouz P, McMahan HB, Avent B, Bellet A, Bennis M, Nitin Bhagoji A, et al. Advances and open problems in federated learning. Found Trends Mach Learn. 2021;14(1–2):1–210.

    Article  Google Scholar 

  26. Weise M, Kovacevic F, Popper N, Rauber A. OSSDIP: open source secure data infrastructure and processes supporting data visiting. Data Sci J. 2022. https://doi.org/10.5334/dsj-2022-004.

    Article  Google Scholar 

  27. Munung NS, de Vries J, Pratt B. Genomics governance: advancing justice, fairness and equity through the lens of the African communitarian ethic of Ubuntu. Med Health Care Philos. 2021;24(3):377–88.

    Article  PubMed  PubMed Central  Google Scholar 

  28. Yakubu A, Tindana P, Matimba A, Littler K, Munung NS, Madden E, et al. Model framework for governance of genomic research and biobanking in Africa—a content description. AAS Open Res. 2018. https://doi.org/10.1268/aasopenres.12844.2.

    Article  PubMed  PubMed Central  Google Scholar 

  29. Desai T, Ritchie F, Welpton R. Five safes: designing data access for research. Economics. 2016;1601:28.

    Google Scholar 

  30. Brophy R, Bellavia E, Bluemink MG, Evans K, Hashimi M, Macaulay Y, et al. Towards a standardised cross-sectoral data access agreement template for research: a core set of principles for data access within trusted research environments. Int J Popul Data Sci. 2023;8(4):2169.

    PubMed  PubMed Central  Google Scholar 

  31. Kerasidou CX, Malone M, Daly A, Tava F. Machine learning models, trusted research environments and UK health data: ensuring a safe and beneficial future for AI development in healthcare. J Med Ethics. 2023;49(12):838–43.

    Article  PubMed  Google Scholar 

  32. Ritchie F, Tilbrook A, Cole C, Jefferson E, Krueger S, Mansouri-Benssassi E, et al. Machine learning models in trusted research environments—understanding operational risks. Int J Popul Data Sci. 2023;8(1):2165.

    PubMed  PubMed Central  Google Scholar 

  33. Kaye J, Whitley EA, Lund D, Morrison M, Teare H, Melham K. Dynamic consent: a patient interface for twenty-first century research networks. Eur J Hum Genet. 2015;23(2):141–6.

    Article  PubMed  Google Scholar 

  34. Kaye J, Curren L, Anderson N, Edwards K, Fullerton SM, Kanellopoulou N, et al. From patients to partners: participant-centric initiatives in biomedical research. Nat Rev Genet. 2012;13(5):371–6.

    Article  PubMed  PubMed Central  Google Scholar 

  35. Moodley K, Sibanda N, February K, Rossouw T. “It’s my blood”: ethical complexities in the use, storage and export of biological samples: perspectives from South African research participants. BMC Med Ethics. 2014;15(1):4.

    Article  PubMed  PubMed Central  Google Scholar 

  36. Haas MA, Teare H, Prictor M, Ceregra G, Vidgen ME, Bunker D, et al. ‘CTRL’: an online, dynamic consent and participant engagement platform working towards solving the complexities of consent in genomic research. Eur J Hum Genet. 2021;29(4):687–98.

    Article  PubMed  PubMed Central  Google Scholar 

  37. Miranda P, Kaur J, Morita PP. Designing dynamic informed consent for public health research. Eur J Public Health. 2023;33(2):60.

    Google Scholar 

  38. Wang Z, Stell A, Sinnott RO. A GDPR-compliant dynamic consent mobile application for the Australasian type-1 diabetes data network. Healthcare. 2023;11(4):496.

    Article  PubMed  PubMed Central  Google Scholar 

  39. Reviglio U, Alunge R. “I am datafied because we are datafied”: an ubuntu perspective on (relational) privacy. Philos Technol. 2020;33(4):595–612.

    Article  Google Scholar 

  40. Basu S. Privacy protection: a tale of two cultures. Masaryk Univ J Law Technol. 2012;6(1):1–34.

    Google Scholar 

  41. Kim J, Kwan M-P. An examination of people’s privacy concerns, perceptions of social benefits, and acceptance of COVID-19 mitigation measures that harness location information: a comparative study of the U.S. and South Korea. ISPRS Int J Geo-Inform. 2021;10(1):25.

    Article  Google Scholar 

  42. Mohammed-Ali AI, Gebremeskel EI, Yenshu E, Nji T, Ntabe AC, Wanji S, et al. Informed consent in a tuberculosis genetic study in Cameroon: information overload, situational vulnerability and diagnostic misconception. Res Ethics. 2022. https://doi.org/10.1177/17470161221106674.

    Article  Google Scholar 

  43. Nansumba H, Flaviano M, Patrick S, Isaac S, Wassenaar D. Health care users’ acceptance of broad consent for storage of biological materials and associated data for research purposes in Uganda. Wellcome Open Res. 2022;7:73.

    Article  PubMed  PubMed Central  Google Scholar 

Download references

Funding

This study is funded by the NIH-National Institutes of Mental Health (award no. U01MH127692) for the project "Public Understanding of Big data in Genomics Medicine in Africa (PUBGEM-Africa)" under the Harnessing Data Science for Health Discovery and Innovation in Africa (DS-I Africa) program". A.W. and N.S.M. receive research funding from the NHLBI (U24HL135600) as part of the Sickle Africa Data Coordinating Center (SADaCC). C.S. is funded through the U.S. National Institute of Mental Health and the U.S. National Institutes of Health (award no. U01MH127690) as part of the DSI-Law project. The content of this article is solely the author’s responsibility and does not necessarily represent the official views of the U.S. National Institutes of Health.

Author information

Authors and Affiliations

  1. Division of Human Genetics, University of Cape Town, Cape Town, South Africa

    Nchangwi Syntia Munung, Otshepeng Mazibuko & Ambroise Wonkam

  2. Institute for Biomedicine, Eurac Research, Bolzano, Italy

    Ciara Staunton

  3. School of Law, University of Kwazulu-Natal, Durban, South Africa

    Ciara Staunton

  4. ADAPT Centre Trinity College, Dublin, Ireland

    P. J. Wall

  5. McKusick-Nathans Institute and Department of Genetic Medicine, John Hopkins University School of Medicine, Baltimore, MD, United States of America

    Ambroise Wonkam

Authors
  1. Nchangwi Syntia Munung
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ciara Staunton
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Otshepeng Mazibuko
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. P. J. Wall
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Ambroise Wonkam
    View author publications

    You can also search for this author in PubMed Google Scholar

Contributions

N.S.M. and A.W. conceptualized and designed the study. Primary data extraction was done by N.S.M. Secondary checks for data extraction was done by O.M. Analysis and interpretation were carried out by N.S.M., C.S, P.J. and A.W. The first draft was written by N.S.M. and C.S. All authors contributed to the revision of the manuscript and approved the final version for publication.

Corresponding authors

Correspondence to Nchangwi Syntia Munung or Ambroise Wonkam.

Ethics declarations

Competing interests

The authors declare no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License, which permits any non-commercial use, sharing, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if you modified the licensed material. You do not have permission under this licence to share adapted material derived from this article or parts of it. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by-nc-nd/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Munung, N.S., Staunton, C., Mazibuko, O. et al. Data protection legislation in Africa and pathways for enhancing compliance in big data health research. Health Res Policy Sys 22, 145 (2024). https://doi.org/10.1186/s12961-024-01230-7

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s12961-024-01230-7

Keywords

Health Research Policy and Systems

ISSN: 1478-4505

Contact us