Stellenbosch University
Welcome to Stellenbosch University
Legal framework needed to protect patients’ mobile phone data
Author: Corporate Communication & Marketing / Korporatiewe Kommunikasie & Bemarking [Alec Basson]
Published: 19/07/2023

​In remote areas or during an emergency, healthcare professionals can decide much quicker what type of treatment a patient needs if they have immediate access to mobile phone data about the person's health. While such data can make a world of difference to those requiring care, it is the collection, usage and sharing of this information that raise concerns. Adequate legal protection is needed to ensure this is done in a responsible and ethical manner that respects an individual's rights and privacy.

​This is according to a study by Dirk Brand and Nezerith Cengiz from Stellenbosch University and Annelize Nienaber McKay from the University of Pretoria and Abertay University (Scotland). They analysed the major legal concerns of mobility and location data collection and processing through mobile phones in the context of health care and provided recommendations to develop data protection guidelines that are built on the principles of lawfulness, fairness and transparency. The study was published recently in the South African Journal of Science.

According to the researchers, the collection, use and sharing of personal, mobility and location data in health care in South Africa presents a scenario with significant benefits and risks.

“In cases of urgent medical care, real-time location is shared with healthcare professionals through smartphones or smartwatches and in cases of remote health monitoring via digital applications that transmit data to them to better bridge the barrier of access to treatment.

“As personal information collected through health and fitness apps can be used by healthcare professionals to provide services to individuals, so can digitally collected health data and even medical insurance data be used in medical research.

“However, the collection, storage and sharing of personal information on mobile phones elicit various legal questions relating to the protection of privacy, consent, unlawful data processing, liability and the accountability of stakeholders such as health insurance providers, hospital groups and national departments of health."

The researchers add that health data are more sensitive than other forms of personal data, which makes this an enticing prospect for cybercriminals. Because apps are interlinked, e.g., a fitness app that provides the possibility of sharing data on various social media apps, the risk of a data breach or the unauthorised use of the personal data increases.

“No wonder, this type of data receives special attention in data protection legislation such as the European Union's General Data Protection Regulation (GDPR) and our own Protection of Personal Information Act (POPIA). Health information qualifies as 'special personal information' in terms of section 26(1)(a) of POPIA, and therefore it qualifies for special protection.

“If the personal data on a fitness or health app are sent to medical insurers or healthcare professionals, the recipients are allowed to process that health data in terms of the exception under section 32(1) of POPIA.

“Although our National Health Act does not focus on data protection as such, it stipulates that all patient information is confidential, and healthcare professionals may share or disclose that information only when they've obtained consent from the patient."

But these measures do not adequately address the various ethical and legal issues related to mobility and location data in health care, the researchers say.

They call for a comprehensive legal framework that includes data protection regulations, ethical guidelines and oversight mechanisms.

“Such a framework should account for the unique cultural and societal contexts in South Africa. Policymakers, healthcare providers, healthcare institutions and the manufacturers of digital devices should work together to develop and to implement an effective legal framework that protects the rights of individuals while promoting the responsible use of mobility and location data to improve healthcare outcomes.

“Also, app developers should design their apps in such a way that people with low literacy levels will be able to understand the terms and conditions of app use and the implications of sharing personal health information with third parties. Simple language, visual aids and audio cues could be helpful.

“Only in doing so, can South Africa fully leverage the potential in these technologies to improve the delivery of health care and ensure that individual privacy and rights are safeguarded."

The researchers say that given the similarity between POPIA and the GDPR, the “Guidelines on the Protection of Personal Data Processed by Mobile Applications Provided by European Union Institutions" may serve as guidance in our jurisdiction because they stipulate that apps should collect only data that are strictly necessary for its functioning and that users must be provided with clear and accurate information to make an informed decision, with the option to withdraw their consent at any time.

They also recommend the development of legislation for the use of AI in healthcare services to further strengthen the protection of privacy and personal data in healthcare services in South Africa.

  • Source: Brand D, Nienaber McKay AG, Cengiz N. What constitutes adequate legal protection for the collection, use and sharing of mobility and location data in health care in South Africa? South African Journal of Science. 2023;119(5/6), Art. #14605:

Photo by Bermix Studio on Unsplash.