15 minute read
4 Global standards on digital health governance
This chapter summarises common standards and approaches used to address digital health governance in LMICs. We include standard definitions, country case studies and approaches used for appraisal of digital health systems and practice. We will use these global standards for benchmarking in the Findings section of this report.
4.1 Defining digital health governance
Digital health is recognised by the World Health Organization (WHO) as a key building block for universal health coverage and the health-related Sustainable Development Goals. However, WHO also acknowledges that, as countries implement a range of digital health solutions (such as, digital disease surveillance systems, electronic medical records, and social health insurance payment processes), there is a need for robust governance oversight.
WHO defines digital health governance as: directing and coordinating digital health systems development, achieving consensus on policy, protecting individuals and groups and assuring oversight and accountability in the various aspects relating to use of information and communication technologies to promote health for all.44 WHO puts effective leadership at the heart of this governance concept, with a focus on ensuring a strategic and investment framework, infrastructure and systems oversight, legislative compliance and workforce development.45
Figure 3: Elements of digital health leadership and governance (WHO 2019)
In its Global Strategy on Digital Health, 2020-2025, WHO emphasises the importance of an integrated approach that situates digital health within the wider public and private health system. This means giving due attention to the “digital determinants of health” by creating an enabling environment with sufficient resources for digital transformation and human capacity development, while ensuring new initiatives consider legacy infrastructure, technology ownership, privacy, security, and adapting and implementing global standards and technology flows.46 Central to this approach is the concept of human-centred design. This means
44 Retrieved from: https://www.who.int/ehealth/governance/en 45 World Health Organization (WHO) and International Telecommunication Union. (2012). National eHealth Strategy Toolkit. Geneva: WHO/ITU.
46 WHO. (2020). Global Strategy on Digital Health, 2020 – 2025. Available at: https://www.who.int/docs/defaultsource/documents/gs4dhdaa2a9f352b0445bafbc79ca799dce4d.pdf
developing technology solutions with accountability structures, cultural contexts, available resources, and implementation capabilities of key users in mind.47
There is also recognition that digital initiatives can themselves become vehicles for enhancing good governance, inclusion, voice and accountability, and thereby contribute to human and social capital. For example, responding to a growing gender gap in internet access and online participation,48 the Mozambique development-finance institution, GAPI, is lowering barriers to women’s mobile access by providing offline Internet browsing, rent-to-own options, and tailored training in micro-entrepreneurship.49 However, it is also acknowledged that use of technology to enhance democratic dialogue can be associated with risks and dangers and these, too, need to be mitigated through united leadership and stakeholder engagement (Case Study 1). 50
4.2 Working to common principles
The nine Principles for Digital Development (PDD) aim to provide common standards for integrating best practices into ICT initiatives for international development programmes. They have been endorsed by over 200 organisations51 - including BMGF and several non-state actors in the Kuunika landscape. Since 2016, stewardship for Principles of Digital Development has resided with the United Nations Foundation's Digital Impact Alliance. The nine principles can be summarised as: design with user; understand the existing ecosystem; design for scale; build for sustainability; be data driven; use open standards, open source and open innovation; reuse and improve; address privacy and security; and be collaborative.52Each of these principles is associated with a number of core tenets that have governance and / or policy implications (see example below).
47 WHO. (2020). Young people and digital health interventions: working together to design better. Available at: https://www.who.int/news/item/29-10-2020-young-people-and-digital-health-interventions-working-together-to-design-better 48 EQUALS Global Partnership. (2019). EQUALS Research Group: Taking Stock: Data and Evidence on Gender Equality in Digital
Access, Skills and Leadership”. Available at: https://www.itu.int/en/action/genderequality/Documents/EQUALS%20Research%20Report%202019.pdf . 49 USAID. (2020). Digital Strategy, 2020-2024. Retrieved from: https://www.usaid.gov/usaid-digital-strategy 50 Case Study 1 – sourced from USAID. (2020). Ibid. 51 See: https://digitalprinciples.org/endorse/endorsers/ 52 Principles of Digital Development. Retrieved from: https://digitalprinciples.org/
Figure 4: Overview of digital principle on open standards
Principle Key tenets
Use Open Standards, Open Data, Open Source, and Open Innovation
An open approach to digital development can help to increase collaboration and avoid duplication of effort. • Adopt and expand on existing open standards to enable sharing of data across tools and systems. • Share non-sensitive data after ensuring that data privacy needs are addressed • Use existing open platforms where possible to help to automate data sharing; build in flexibility to adapt to future needs. • Invest in software as a public good. • Develop new software code to be open source, which anyone can view, copy, modify and share, and distribute the code in public repositories. • Enable innovation by sharing freely without restrictions, collaborating widely and co-creating tools. This principle extends to open data access. Since January 2021, the Bill & Melinda Gates Foundation has adopted an Open Access Policy that enables the unrestricted access and reuse of all peer-reviewed published research funded, in whole or in part, by the Foundation, including any underlying data sets. See: Open Access Policy | Bill & Melinda Gates Foundation Bill & Melinda Gates Foundation
Example of policy application
4.3 Spotlight on privacy and security
The Principle of Digital Development on addressing privacy and security has particular relevance for Special Study. The key tenets of this principle are summarised in the figure below.
Figure 5: Overview of digital principle on privacy and security
Principle
Addressing privacy and security
Addressing privacy and security involves careful consideration of which data are collected and how data are acquired, used, stored and shared. • Define data ownership, sovereignty and access before any data are collected or captured. • Keep the best interests of end users and individuals whose data are collected at the forefront of planning – especially for those who have not had a say in how their data will be used. • Perform a risk-benefit analysis of the data being processed that identifies who benefits and who is at risk. Assess the risks of unauthorised access or leakage of any stored data. • Minimise the collection of personal identifiable information.
Agree a timeframe for destruction of unnecessary data. Be transparent, obtain consent and explain how data will be protected to all those providing data. • Protect data by adopting best practices for securing and restricting access to data. Malawi does not have a comprehensive data protection law, but the Electronic Transactions and
Cybersecurity Act No. 33 of 2016
replicates some provisions seen in data protection laws. Under the Act individuals have the right to: obtain all of their personal data in an understandable form; oppose, for legitimate reasons, the processing of their personal data concerning them; rectify or erase erroneous or outdated personal data concerning them. There is no data protection regulator in Malawi but the Communications Regulatory Authority is responsible for implementation of the Act and can impose penalties. There are no data transfer restrictions in Malawi, and no data breach notification protocols stipulated in Malawian law. See https://dataprotection.africa/wpcontent/uploads/2020/03/MalawiFactsheet-updated-20200331.pdf
Key tenets Example of policy application
Under this PDD, it is emphasised that securing data and devices are paramount for protecting user privacy and ensuring organisational data is not compromised. Accordingly, national and international regulations for data security and privacy — particularly around health infrastructure and personally identifiable information — are an increasingly important consideration for many
organisations. These regulations include the African Union Convention on Cyber Security and Personal Data Protection, the European Union General Data Protection Regulation and the Asia-Pacific Economic Cooperation Privacy Framework.
Under the PDD on privacy and security, particular attention is given to the theme of cloud computing and hosting services that stores and processes end-user data while providing data management services over the internet. Cloud storage can reduce the financial and human resources needed within organisations to back up data and maintain server access. While these networks can pose significant challenges for front-end security in the cloud computing environment, there can be opportunities to standardise, replicate and deploy robust datasecurity processes across networks and the benefit from the extensive security frameworks that reputable cloud service providers implement. Unlike typical user organisations, third-party cloud services employ thousands of security workers and enforce security safeguards that are sophisticated and well-resourced.
PDD guidance on protecting sensitive data in the cloud recommends that users need to apply stringent front-end technical, administrative and physical security assessments and safeguards. Assessments include Privacy Impact Assessments (PIA) and Threat Risk Assessments. Safeguards include: aligned organisational data security policies; network risk management strategies; regular user and provider compliance audits; and compliance with best practice on managing and protecting highly sensitive and private data. 53Notably, countries such as Malawi and Kenya recognise the challenges of guaranteeing these safeguards, so have opted to expand server and hosting capacity in-country – especially with respect to personal health data.
53 See: What is Data Privacy? Available at: https://www.snia.org/education/what-is-data-privacy
The World Bank’s World Development Report 202154 gives particular attention to the challenge of optimising the benefits of digital technology, while protecting data privacy and systems security. The report emphasises that responding to the challenge of ‘digital safety’ requires national and international collaboration across infrastructure policies, laws and regulation, sectoral policies and institutions (Figure 6).55
Figure 6: Effective digital safety requires national and international collaboration across multiple domains
This milestone World Development Report suggests that an effective data regulatory framework requires an appropriate balance of enablers (e.g. public and private intent data and etransactions) and safeguards (e.g. for personal and non-personal data, cross-border data flows, and cybersecurity/ cybercrime). It notes that around the world just 40% of recommended digital safeguards are in place – with Malawi ranking in the lower third, along with most of sub-Saharan Africa.
The World Development Report observes that, globally and regionally, there has been uneven progress in regulatory frameworks for personal data protection. There are also glaring gaps in regulatory requirements for cybersecurity, while little attention has been paid to regulatory regimes for private intent data and cross-border data flows. It is important to note, however, that comprehensive data protection has multiple components and a coherent approach, even at national levels (Figure 7).56 This, in turn, requires high levels of technical and political collaboration within and across sectors, and balancing of multiple stakeholder agendas on data use, privacy and security and transparency and accountability.57
54 World Bank. (2021). World Development Report 2021: Data for Better Lives. Washington, DC: World Bank. 55 Source: World Bank. (2021). Ibid. 56 Adapted from: What is Data Privacy? Available at: https://www.snia.org/education/what-is-data-privacy 57 USAID. (2020). Digital Strategy, 2020-2024. Retrieved from: https://www.usaid.gov/usaid-digital-strategy
Figure 7: Comprehensive approaches to data protection
4.4 Digital Health Governance Models
An expert review of digital health practice58 identified three general models of governance arrangements found globally. These include:
● MODEL 1: Health Ministry Mechanism: The MoH drives digital health and mobilises technical capacity and skills from other ministries, agencies, firms and organisations to deploy digital health systems e.g. Rwanda, South Africa, the Philippines ● MODEL 2: Government-wide Digital Agency Mechanism: the MoH drives digital health, but is a client to a government-wide technology agency/ministry that provide significant ICT infrastructure and capacity e.g. Malaysia and Estonia ● MODEL 3: Dedicated Digital Health Agency Mechanism: The MoH Leads on the health strategy, while a designated third-party agency or directorate drives digital health strategy and implementation through its own technical capacity and resources e.g. Mali, Norway. This review noted that governance arrangements for digital health evolve within the wider historical and institutional systems landscape. Some countries may be a hybrid of more than one model (e.g. Malawi shows elements of Model 1 and 2). While there are strengths, opportunities and limitations associated with each model, the review concluded there are three common factors in success. These are: i) sustained senior government leadership and committed long-term financing (covering ongoing support and improvement, as well as implementation); ii) effective governance mechanisms that engage stakeholders with clearly defined roles; and iii) a national ICT framework that facilitates alignment between health and ICT sectors to promote connectivity and interoperability, establish common standards and harmonise digital health policies and regulations.
4.5 Applying the concept of aid effectiveness
WHO’s Global Strategy on Digital Health59 emphasises that effective digital governance requires a commitment to working with different sectors and stakeholders at all levels. This can include multilateral and bilateral donors and international development partners, especially in LMICs. Many donors and international development partners now have their own digital strategies for development assistance. 60 Many refer to their endorsement of the PDD,61including the tenets of ecosystem working and collaboration. 62There is also common reference to the principles of aid
58 Broadband Commission for Sustainable Development. (2017). Digital Health: A Call for Government Leadership and Cooperation between ICT and Health. Available at: https://www.broadbandcommission.org/Documents/publications/WorkingGroupHealthReport2017.pdf 59 WHO. (2020). Ibid. 60 See, for example, the digital / digital health strategies of USAID, UK Aid, WHO. 61 See list of PDD endorsers at: Endorsers | Principles for Digital Development (digitalprinciples.org) 62 See links under: https://digitalprinciples.org/principles/
effectiveness (Box 4) and development cooperation to promote the Sustainable Development Goals. 63
Box 4: The concept of aid effectiveness
For this study, we will be assessing the involvement of international development partners against the concept of aid effectiveness. Since 2002 there has been a global movement in the name of aid effectiveness to tackle issues such as aid fragmentation, duplication of effort, unpredictability and tying of aid budgets. Since 2002, the UN has convened four high-level global forums on aid effectiveness. The principles set out in the 2005 Paris Declaration on aid effectiveness became the foundation for subsequent global dialogue. These refer to the need for development assistance to be based on: country ownership; alignment and harmonisation to country policies and procedures; management for results; and the mutual accountability of all parties. More recently the movement has become part of the Global Partnership for Effective Development Co-operation to ensure international development partners and countries maintain a focus on the Sustainable Development Goals.
International donors and development partners can offer LMICs significant financial resources, technical know-how and innovative technology solutions. However, successive studies have shown they can also perpetuate short-term projects and “pilotitis”, along with information system fragmentation.64 This, in turn, raises fundamental questions relating to data sovereignty, ownership and intent. 65Experience from Data Use Partnership and enterprise architecture approaches confirms the importance of strong government and agency leadership based on a shared vision and systems thinking. 66,67
There are now a number of toolkits available for assessing maturity of digital health systems to plan for investment, and track and maintain progress over successive strategic cycles. For example, the Digital Square68 Navigator offers six maturity model-based tools. 69 These are: i) Early-Stage Digital Health Investment Tool; ii) Global Digital Health Index; iii) Health Information Systems Interoperability Maturity Toolkit; iv) Information Systems for Health Toolkit; v) Survey, Count, Optimize, Review, Enable - Essential Interventions; vi) Health Information System Stages of Continuous Improvement Toolkit. Several of these toolkits emphasise the importance of sound digital health governance and provide useful tools and templates for assessing the maturity of the policy, institutional and stakeholder landscape, the digital ecosystem, the resource environment, and the data privacy and security context.70
63 GSMA. (2020). 2020 Mobile Industry SDG Impact Report. Available at: https://www.gsma.com/betterfuture/2020sdgimpactreport/sdg-3good-health-and-well-being/ 64 Neumark T & Prince R J. (2021). “Digital Health in East Africa: Innovation, Experimentation and the Market.” Global Policy (2021) 12:Suppl.6. Available at: https://onlinelibrary.wiley.com/doi/epdf/10.1111/1758-5899.12990 . 65 Cooper A. et al. (2016). Africa’s Health Challenges: Sovereignty, Mobility of People and Healthcare Governance. London: Routledge. 66 PATH. (2016). Data Use Partnership: The Journey to Better Data for Better Health in Tanzania. Available at: Data Use Partnership:
The Journey to Better Data for Better Health in Tanzania | PATH 67Jonnagaddala J. et al. (2020). “Adoption of enterprise architecture for healthcare in AeHIN member countries”. BMJ Health Care Inform 2020;27. Available at: https://informatics.bmj.com/content/bmjhci/27/1/e100136.full.pdf 68 The OpenHIE framework that underpins Kuunika’s digital health approach is a Digital Square initiative: https://applications.digitalsquare.io/content/advancing-instant-openhie 69 See: https://wiki.digitalsquare.io/index.php/Navigator_for_Digital_Health_Capability_Models. The Navigator was developed by the
University of North Carolina at Chapel Hill and Digital Square, with funding and technical advisory support from the United States
Agency for International Development (USAID). UNICEF’s Digital Health Center of Excellence (DICE) and Digital Public Goods
Alliance, and WHO’s “digital health clearing house” are closely related developments. CDC is also taking a strong interest in “global goods”. 70 Some experts consulted criticised some of the tools for being subjectively scored and not peer reviewed for accuracy.
Of note is the Global Digital Health Index (GDHI). This is an interactive digital health tool and maturity model that enables countries to track, monitor, and evaluate the use of digital technology for health within and across countries. GDHI is the result of a multi-partner initiative that builds on the WHO/ITU eHealth Strategy Toolkit and the Principles for Digital Development. The seven GDHI indicators include a specific indicator on ‘Leadership and Governance’ -this indicator reflects whether digital health has been prioritised at the national level through dedicated governance bodies/mechanisms and planning processes. There is also an indicator on ‘Legislation, Policy and Compliance’ which to assess whether there are laws and regulations in place covering data protection (security), privacy, certification of digital health devices and services and cross-border data sharing. In addition, an indicator on ‘Standards and Interoperability’ reflects whether there is a national digital health architecture and/ or information exchange, along with health information standards. GDHI’s report ‘State of Digital Health 2019’71 presents assessment findings from 22 countries across the world, with Africa represented by six countries (Benin, Ethiopia, Mali, Nigeria, Sierra Leone and Uganda). The case study below summarises the GDHI assessment for Uganda.
Uganda’s scores appear typical of the other countries in Africa. However, it is notable that across the sample of 22 countries, nearly all were doing relatively well on Leadership and Governance in terms of prioritising digital health planning. Most countries now have some laws on data security and privacy, confidentiality, and access to health information, although they are at different stages of implementation, while protocols for regulating and certifying digital health devices and services, as well as cross-border data security and sharing are lacking. Almost half of the countries assessed do not have national digital health (eHealth) architectural framework and/or health information exchange (HIE) established; however, most countries are now implementing data standards.
71 Global Digital Health Index. (2019). The State of Digital Health 2019. Available at https://www.digitalhealthindex.org/stateofdigitalhealth19
