Health Data Regulations: Notes for Policy Development (Data Governance for Digital Health Ecosystems 4)

The Health Data Regulatory Context
Health data is often highly regulated, because systems must ensure that people's personal and sensitive data is treated respectfully, with safeguards that reduce the risks arising from how the data is used. It can be difficult to say who "owns" personal health data (for example, one person's genomic data also reveals information about their family members), so policy approaches need to take a wider view of how to protect all data from being used inappropriately or in ways that could harm some members of the community.
Regulations for Protecting Health Data
Data protection regulations are designed to enable the use of personal data while minimising the risk of harmful impacts. This aligns with the key principle that we discussed in the previous post regarding the protection of people.
Typically, three key tenets are outlined by health data regulations:
Regulations differ across countries; many have enacted legislation covering the protection of personal health data, and organisations must adhere to it whenever they use protected health information. One example is the 'right to erasure', a data protection right in the United Kingdom and Europe that allows an individual to request that their personal information be deleted. Understanding the regulations that apply to your organisation is critical when creating your internal data policy.
Health Data Protection Laws
Health data protection laws and policies instituted by central and regional governmental institutions are often created in response to historical events in which the mishandling of health data harmed an individual or community. For example, some countries have passed laws requiring that health data be stored only on servers physically located within the country.
To help you find out which laws and regulations apply to your jurisdiction, there are several resources available that can help:
We recommend adapting the GDHP/OECD Policy Repository Tool to create an inventory of regulations you may want to track.

The existing downloadable tool has lists of country-level regulations included, some of which may now be out of date or need updating. But the categorisation of the types of regulations to track may be useful to create your own inventory. (As we note in our digital health policy maturity indicators, we were unable to use this tool for scoring individual countries, as the tool gives the highest score if a country has any regulation in each category in place.)
Questions to answer:
These questions are a great starting point to help your organisation begin to establish an understanding of the wider health data policy and regulatory landscape. However, it is important to do your research and seek consultation from legal and regulatory experts to ensure that you are complying with all applicable legal and regulatory requirements.
Consider Sociocultural Norms for Health Data Policy
To develop health data governance policies that support the ethical and responsible management of data, consider the sociocultural norms of the individuals and groups from whom the data was collected. Considering local social and cultural factors when working with health data is important to ensure equitable value and the protection of people who may come from marginalised or at-risk populations (as we discuss in greater detail in our overview of health data justice principles).
Also keep in mind the core principles of data governance we discussed: protect people, promote health value, and prioritise equity. Your health data policy should support these aims, including:

Eric Rochman, External Partner
Mark Boyd, Director (mark@platformable.com)