Africa Digital Health Academy
Level I5 CEU

Ethics, Privacy & Security in Digital Health

3 weeks · 6 lessons · All health professionals

$29

Sponsorships & scholarships available — most learners join on a funded seat.

Digital tools have moved African health data off locked paper registers and onto phones, laptops, servers, and the cloud, multiplying both its usefulness and its exposure. This Level I course equips every health professional and student, clinical or not, with the practical ethics, privacy, and security skills to handle that data responsibly. Across three weeks you will learn to protect patient confidentiality in EMRs and on shared devices, obtain and document informed digital consent, apply lawful data-sharing and access rules, and practise personal cyber-hygiene against phishing and ransomware.

You will also be able to name the data-protection law that governs your work, from Ethiopia's PDPP and POPIA to the Nigeria and Kenya DPAs and the Malabo Convention, and apply the WHO six AI-ethics principles to question bias, equity, and accountability before trusting an algorithm. The course carries 5 contact hours in the Ethics and Human Rights CEU category.

Who can apply

Open to all health professionals and students. No prior digital-health experience required — but places are confirmed by application so we can build a cohort that finishes together.

Curriculum

3 modules · 6 lessons · delivered in the ADHA learning platform after admission

Module 1 — Confidentiality and Consent in Digital Workflows
Module 2 — Lawful Sharing and Personal Cyber-Hygiene
  • 2.1 · Lawful Data Sharing and Access
  • 2.2 · Personal Cyber-Hygiene: You Are the First Line of Defence
Module 3 — The Legal and AI-Ethics Frame
  • 3.1 · African Data-Protection Laws and Your Obligations
  • 3.2 · Ethics for AI in Digital Health: The WHO Six Principles

Full lessons unlock in the learning platform once you're admitted. Apply →

Next cohort — applications open

Ready to join Ethics, Privacy & Security in Digital Health?

Open to all health professionals and students. No prior digital-health experience required — but places are confirmed by application so we can build a cohort that finishes together.

Sponsorships & scholarships available — most learners join on a funded seat.

Course glossary

  • Algorithmic bias — systematic, unfair error in an AI model, frequently caused by unrepresentative training data.
  • Assent — agreement from a minor or person unable to give full legal consent, respected alongside guardian consent.
  • Audit log — a tamper-resistant record of who accessed which patient record and when.
  • Augmentation — using AI to extend scarce capacity under clinical governance, rather than to replace human judgement.
  • Breach notification — the legal duty to report a data breach to the regulator and affected individuals within set timelines.
  • Confidentiality — the duty to protect patient information disclosed during care from unauthorised access or sharing.
  • Cross-border transfer — sending personal data to another country, subject to legal restrictions on adequacy of protection.
  • Cyber-hygiene — routine personal security practices (passwords, device locking, updates, vigilance) that protect systems and data.
  • Data minimisation — collecting and retaining only the data actually needed for the stated purpose.
  • Data Protection Impact Assessment (DPIA) — a pre-deployment review that identifies and mitigates the privacy risks of a new system or data use.
  • Data-sharing agreement (DSA) — a written contract governing inter-organisational data sharing: what, why, with what safeguards, for how long.
  • Data sovereignty — the principle that a nation governs the data generated within its borders — its hosting, access, use, and the value derived from it.
  • Data-subject rights — a patient's legal rights to access, correct, and control their personal data.
  • De-identification — removing identifiers so data can be used with reduced privacy risk.
  • Human-in-the-loop — keeping a qualified person able to review, override, and be accountable for an AI tool's output.
  • Informed digital consent — a patient's freely given, documented, revocable agreement to data collection and use, after understanding what, why, who, and how long.
  • Lawful basis — the legal justification (direct care, legal mandate, consent, governed program use) required to process or share personal data.
  • Local validation — testing an AI model on the local population before clinical use to confirm it performs safely and equitably.
  • Malabo Convention — the AU's continental treaty on cyber security and personal data protection, in force 2023.
  • Minimum necessary / need-to-know — accessing and sharing only the data the immediate task and role require.
  • Multi-factor authentication (MFA) — requiring a second proof of identity beyond a password.
  • Phishing — fraudulent messages designed to trick you into revealing credentials or installing malware.
  • POPIA — South Africa's Protection of Personal Information Act, with special-category protection for health data.
  • Purpose limitation — the rule that data may be used only for the purpose for which it was collected, absent fresh consent.
  • Ransomware — malware that encrypts an organisation's data and demands payment for its release.
  • Re-identification — recovering a patient's identity from supposedly anonymous data using contextual clues.
  • Role-based access control (RBAC) — system permissions granted by job role so each cadre sees only what it needs.
  • Social engineering — manipulating people, rather than technology, into breaking security.
  • Special-category data — sensitive data, including health data, protected by stricter processing conditions.
  • WHO six AI-ethics principles — autonomy; well-being & safety; transparency & explainability; accountability; inclusiveness & equity; responsive & sustainable AI.

Frequently asked questions

Q: I work in a clinic with one shared computer. How can I protect confidentiality if everyone uses the same login? A: A shared login is itself the core risk — it disables role-based access and breaks the audit trail. Push for individual user accounts (most EMRs support them at no extra cost), and in the meantime always lock or log out when you step away, angle the screen from the waiting area, and never leave patient data open. Raise it with your supervisor as a governance gap, not just an inconvenience.

Q: Is it ever okay to discuss a patient case on WhatsApp with colleagues? A: Only with caution. Personal messaging apps are usually not approved, governed channels, and even "anonymised" cases can be re-identified from context. If your facility has a sanctioned, secure platform and there is a genuine clinical reason (e.g., an urgent specialist opinion), use that with consent where appropriate. Never share identifiable images or details in informal or social groups.

Q: A patient ticked "I agree" on a registration app. Is that valid consent for everything the app does? A: Not necessarily. Consent must be informed, specific, and freely given. A single tick on a long, unread policy does not validly cover unrelated uses such as marketing or data sales. Each distinct purpose generally needs its own clear, understandable consent, and the patient must be able to withdraw.

Q: The police / an employer / a relative asked me for a patient's information. Must I give it? A: Not by default. You need a lawful basis. A relative asking out of concern is not a basis; an employer is not a basis. Some legal requests (court orders, statutory mandates) are, but you should not judge these alone — follow your facility's policy and escalate to a supervisor or data-protection focal point rather than disclosing on the spot.

Q: How do I know which data-protection law applies to me? A: It is generally the national law of the country where you and your patients are. Examples: POPIA (South Africa), the Data Protection Act 2019 (Kenya), the Data Protection Act 2023 (Nigeria), and the Personal Data Protection Proclamation 2024 (Ethiopia), all under the continental Malabo Convention. The core duties — lawful basis, minimisation, security, breach notice, and data-subject rights — are similar across them, so good practice travels well even across borders.

Q: I think I clicked a phishing link or my account was hacked. What should I do? A: Report it immediately to your supervisor or IT/security focal point — speed matters more than embarrassment. Early reporting lets the institution reset credentials, contain any malware before it spreads, and meet legal breach-notification deadlines. Do not try to hide it or fix it silently.

Q: Can I trust an AI tool that the ministry or a vendor has provided? A: Trust it conditionally, not blindly. Ask whether it was validated on patients like yours, whether you can understand and override its output, who is accountable if it errs, and whether it performs equitably across skin tones, genders, and languages. AI in African health is augmentation under clinical governance with a human in the loop — your judgement and accountability remain.

Q: Why is "where the data is hosted" an ethics issue and not just a technical one? A: Because hosting determines whose law governs the data, who holds the keys and administrative access, and whether services survive if a foreign vendor exits — the 2023 collapse of Babylon Health's Rwanda telehealth partnership showed national services inheriting a vendor's fragility. Data sovereignty (local/regional hosting for sensitive data, exit clauses, open-source digital public goods) is therefore part of protecting patients' rights, not just IT preference.