- SHA under scrutiny over privacy and data protection concerns.
- Auditor General reveals SHA system is not government-owned.
- Data Commissioner Kassait insists on third-party data consent.
- President Ruto defends SHA, says it prevents fraud and corruption.
The Office of the Data Protection Commissioner (ODPC) has announced plans to audit the Social Health Authority (SHA) over privacy concerns, following revelations that the system is not owned or controlled by the government.
Speaking on Wednesday, March 5, Data Commissioner Immaculate Kassait stated that SHA had submitted a Data Protection Impact Assessment (DPIA) but emphasized that further scrutiny was necessary.
“They (SHA) have reached out to us and undertaken a Data Protection Impact Assessment, but that doesn’t mean we cannot go and do a post-audit. One of the places we have identified to do an audit is the digital health information,” Kassait stated.
SHA’s Third-Party Data Hosting Raises Questions
Kassait underscored the importance of third-party agreements, especially in cases where sensitive data is hosted externally.
“When data is hosted by a third party, the agreement is critical. SHA has submitted a DPIA, and we have identified gaps. We have insisted that when it comes to access to third-party data, they must get consent from the patients,” she added.
Auditor General’s Report Sparks Controversy
The audit plan follows a report by the Auditor General revealing that the SHA system is not government-controlled but is instead managed by a consortium of technology firms.
On Tuesday, March 4, President William Ruto acknowledged the report, explaining that outsourcing the system was a measure to enhance transparency and eliminate fraudulent claims.
“We are going to have a consortium of technology companies that will ensure no fraudulent claims in SHA. This system will not be paid for by the government; it will be a fee-for-service facility to protect citizens’ contributions,” Ruto stated.
Ruto Defends SHA, Dismisses Critics
The President dismissed critics of the system, arguing that opposition stemmed from individuals benefiting from corruption in the health sector.
“The people complaining are those who have been stealing from us. They don’t want a technology system that works because they want to continue stealing,” he added.
The upcoming ODPC audit is expected to assess compliance with data protection laws and address concerns over third-party control of health data.
