Sector Analysis

Health

Overview of the Sector & Data Collectors Evaluated

The health sector across East, West, and Southern Africa, with a particular focus on Rwanda, Kenya, Uganda, Tanzania, Zimbabwe, Mauritius, Nigeria, Ghana, and Botswana, is undergoing rapid digital transformation. Countries are expanding the use of electronic health records, mobile health platforms, and national health information systems to improve service delivery and health outcomes. While digitization is advancing, privacy and data protection practices remain uneven.

Most of these countries now have comprehensive data protection laws that classify health data as sensitive personal information. Rwanda, Kenya, Mauritius, Nigeria, Ghana, and Botswana have relatively structured regulatory frameworks with designated data protection authorities. Uganda, Tanzania, and Zimbabwe also have legal regimes in place, though enforcement capacity and sector-specific implementation remain limited.

Despite legislative progress, several challenges persist across the region: weak enforcement capacity, inconsistent compliance among healthcare providers, limited cybersecurity safeguards, unclear cross-border data transfer mechanisms, and low public awareness of data protection rights. Many health data collectors still lack comprehensive privacy policies, clear consent procedures, and breach response systems.

Overall, while legal frameworks have improved significantly, practical implementation within healthcare systems continues to lag. Strengthening regulatory enforcement, institutional compliance, and technical safeguards will be essential to ensuring that digital health expansion in these countries protects patient confidentiality and builds public trust.

Analysis of Compliance With Each Criterion

This evaluation covers a total of 36 entities, comprising four health facilities selected from each participating country. From Nigeria, the facilities assessed were Avon Medical, Lagoon Hospital, St. Catherine's Specialist Hospital Abuja, and St. Nicholas Hospital. In Ghana, the selected institutions were Korle-Bu Teaching Hospital, Komfo Anokye Teaching Hospital, Nyaho Medical Centre, and The Trust Hospital. Botswana was represented by Gaborone Private Hospital, Sidilega Private Hospital, Diagnofirm Medical Laboratories, and Sir Ketumile Masire Teaching Hospital.

In Rwanda, the facilities included CHUK (University Teaching Hospital of Kigali), King Faisal Hospital, Ruhengeri Referral Hospital, and Rwanda Military Hospital. Tanzania's assessed institutions were Muhimbili National Hospital, Regency Medical Center, CRBT Tanzania, and LyfPlus Tanzania. From Mauritius, Wellkin Hospital, Clinique Darné, Aegle Clinic, and Dr. Agarwal's Eye Hospital Mauritius were evaluated. The facilities reviewed in Zimbabwe were Karanda Mission Hospital, Mpilo Central Hospital, Baines Avenue Clinic, and Parirenyatwa General Hospital (PGH).

In Kenya, the assessment covered Aga Khan University Hospital, Nairobi Hospital, Nairobi Women's Hospital (Karen), and Karen Hospital. Finally, in Uganda, Case Hospital, IHK Hospital, Lubaga Hospital, and Nakasero Hospital were included in the evaluation.

Sector Findings - Health Sector

Health Sector - Nigeria

Avon Medical, Lagoon Hospital, St. Catherine's Specialist Hospital Abuja and St. Nicholas Hospital in Nigeria

The assessment reveals uneven levels of compliance with data protection requirements across the four evaluated facilities, with performance varying significantly across key privacy indicators. Demonstrable efforts to comply with mandatory registration requirements with the national data protection regulator were strongest at Avon Medical, Lagoon Hospital, and St. Catherine's Specialist Hospital, Abuja, each scoring 100%. In contrast, St. Nicholas Hospital recorded no evidence of registration compliance (0%). This gap exposes St. Nicholas Hospital to potential regulatory sanctions and reflects weaknesses in foundational compliance governance structures.

Accessibility and quality of privacy policies also varied. Avon Medical and St. Nicholas Hospital led in this category (88%), followed by Lagoon Hospital (75%), while St. Catherine's Specialist Hospital, Abuja scored 0%, indicating the absence of an accessible privacy notice. The lack of publicly available privacy information significantly limits patient awareness of data processing practices and undermines transparency obligations under data protection law.

Lagoon Hospital's privacy framework stands out as the most comprehensive. Its policies reflect a mature understanding of healthcare data protection requirements, clearly outlining categories of personal data collected (including medical, insurance, diagnostic, and digital platform data), lawful purposes for processing, data retention periods aligned with medical record standards, and detailed third-party sharing arrangements. The hospital also provides structured mechanisms for patients to exercise their rights and escalate complaints, demonstrating alignment with statutory accountability and transparency principles.

Avon Medical demonstrates solid baseline compliance, with policies covering key privacy elements such as categories of data collected, processing purposes, patient rights, and general third-party disclosures. However, certain areas, particularly detailed retention timelines and granular disclosure of third-party arrangements, could be strengthened to meet best-practice standards. St. Nicholas Hospital shows moderate compliance, providing basic disclosures and recognition of patient rights, though transparency around data sharing and retention practices remains limited. St. Catherine's Specialist Hospital, Abuja presents the most significant transparency gaps. The absence of accessible privacy documentation suggests weak implementation of statutory notice requirements, creating heightened compliance and reputational risk.

In operationalizing data subject rights, Lagoon Hospital again performed strongest (73%), followed by Avon Medical (64%) and St. Nicholas Hospital (52%). St. Catherine's Specialist Hospital, Abuja scored 0%, indicating no visible mechanisms for facilitating rights such as access, correction, or complaint resolution. Weak rights-management frameworks directly affect compliance with core legal obligations and may expose facilities to disputes and enforcement action.

All assessed facilities engage in third-party data sharing, a standard practice in healthcare delivery. However, compliance levels differ substantially. Lagoon Hospital demonstrated comparatively stronger safeguards and disclosure practices (58%), while Avon Medical and St. Nicholas Hospital each scored 14%, and St. Catherine's Specialist Hospital, Abuja scored 0%. Limited transparency and weak contractual safeguards around third-party processors increase risks of unauthorized disclosure, cross-border transfer violations, and accountability failures.

All facilities showed measurable effort in implementing security safeguards. Avon Medical led in this category (89%), while Lagoon Hospital, St. Catherine's Specialist Hospital, Abuja, and St. Nicholas Hospital each scored 61%. This indicates general recognition of cybersecurity obligations. However, security strength alone does not compensate for weaknesses in transparency, rights facilitation, and governance structures.

A significant compliance gap across all facilities relates to internal data breach management and transparency reporting. None of the hospitals publish transparency reports, and compliance with structured internal breach resolution mechanisms is low. Avon Medical recorded the highest score in this area (17%), followed by St. Nicholas Hospital (8%), while the remaining facilities scored 0%. This deficiency signals limited preparedness for incident response and regulatory notification obligations, increasing exposure to legal and operational risk in the event of a data breach.

The findings indicate that while some facilities, particularly Lagoon Hospital and Avon Medical, are progressing toward structured privacy governance, compliance remains uneven and, in some cases, superficial. Registration compliance and technical safeguards appear more developed than transparency, accountability, and breach management frameworks. Facilities with limited privacy disclosures and weak rights-management systems face elevated risks of regulatory enforcement, reputational damage, and erosion of patient trust. The absence of structured breach response mechanisms further compounds institutional vulnerability.

To strengthen compliance, facilities should prioritize:
  • Publication of clear, accessible, and comprehensive privacy notices
  • Formalization of third-party data processing agreements
  • Development of documented breach response and notification procedures
  • Strengthening of data subject rights management systems
  • Periodic internal audits and privacy impact assessments

Overall, while there is evidence of growing awareness of data protection obligations within the healthcare sector, deeper institutionalization of privacy governance frameworks is necessary to ensure sustained compliance and alignment with national data protection laws.

Health Sector - Ghana

Korle-Bu Teaching Hospital, Komfo Anokye Teaching Hospital, Nyaho Medical Centre and The Trust Hospital in Ghana

The assessment reveals systemic weaknesses in privacy governance and compliance with national data protection requirements across the sector. All four institutions failed to comply with mandatory registration requirements with the national data protection regulator. As a result, they remain inactive in the regulator's records. This foundational gap signals weak institutional accountability and exposes the facilities to potential regulatory sanctions.

Registration is a basic compliance obligation; failure at this level reflects broader governance deficiencies.

The sector demonstrates particularly weak transparency practices. Of the four institutions assessed, only The Trust Hospital has a publicly available privacy policy, scoring 63% for accessibility and 58% for content quality. However, the policy is not prominently displayed, limiting patient awareness and practical transparency.

Korle-Bu Teaching Hospital, Komfo Anokye Teaching Hospital, and Nyaho Medical Centre have no publicly available privacy policies, resulting in a complete absence of clarity regarding how patient data is collected, processed, stored, or shared. This creates significant compliance risks, particularly given the sensitive nature of health data.

The Trust Hospital's policy outlines categories of personal data collected (including health, payment, usage, and location data), identifies general processing purposes (healthcare management, payments, service improvement), and permits third-party sharing with healthcare providers, service partners, and where legally required. It affirms that data is not shared with advertisers and provides users with rights to access, correct, and request deletion of their data.

However, notable weaknesses remain:
  • Retention timelines are vague.
  • User rights are limited, particularly regarding objection and complaint escalation.
  • Regulator complaint mechanisms are not clearly defined.
  • Third-party entities are described by category but not specifically identified.

The absence of policies in the other three institutions leaves patients without notice of their legal rights or institutional safeguards, undermining transparency obligations under data protection law.

Only The Trust Hospital demonstrates measurable effort in operationalizing data subject rights (58%). The remaining three institutions scored 0%, as no visible mechanisms exist for access, correction, deletion, objection, or complaint handling. This lack of structured rights-management frameworks significantly impairs compliance with statutory requirements and increases exposure to disputes and regulatory enforcement.

All four institutions engage in third-party data sharing, which is expected in healthcare service delivery. However, compliance safeguards are weak across the board. The Trust Hospital scored 38%, reflecting partial transparency and limited safeguards. Korle-Bu Teaching Hospital, Komfo Anokye Teaching Hospital, and Nyaho Medical Centre each scored 0% due to the absence of disclosed data-sharing frameworks. The absence of detailed processor agreements, data-sharing disclosures, or cross-border safeguards raises risks of unauthorized disclosure and accountability failures.

All institutions demonstrate some level of technical security implementation, though practices vary:
  • The Trust Hospital leads with 61%, supported by an SSL rating of A and policy references to encryption, access controls, and secure storage practices.
  • Nyaho Medical Centre follows with 56%, supported by a strong SSL rating (A+) and relatively stronger security headers (B), though without policy disclosure explaining these measures.
  • Korle-Bu Teaching Hospital and Komfo Anokye Teaching Hospital both scored 28%, with acceptable SSL ratings (A) but failing security headers (F) and no policy disclosure addressing personal data security.

While technical safeguards exist, the absence of publicly documented security commitments limits accountability and weakens demonstrable compliance.

Performance in accountability and incident response is uniformly weak. None of the four institutions has published a transparency report since 2024. Additionally, no facility demonstrates visible internal data breach resolution mechanisms. Korle-Bu, Komfo Anokye, and Nyaho Medical Centre lack privacy policies entirely, and therefore provide no information on breach notification procedures, investigation timelines, reporting channels, or escalation mechanisms. Although The Trust Hospital has a privacy policy, it does not provide specific guidance on breach detection, user notification timeframes, reporting channels, or regulator notification procedures. Consequently, all four institutions scored 0% in this category.

This gap represents a serious compliance vulnerability. In the event of a data breach, these institutions may lack structured procedures for lawful notification, mitigation, and remediation, exposing them to regulatory penalties and reputational damage.

The findings indicate that privacy governance in the Ghanaian health sector remains underdeveloped. Non-registration with the regulator, absence of privacy policies in three of four institutions, weak rights-management systems, limited third-party transparency, and nonexistent breach response frameworks collectively point to systemic compliance deficiencies.

Health Sector - Botswana

Gaborone Private Hospital, Sidilega Private Hospital, Diagnofirm Medical Laboratories and Sir Ketumile Masire Teaching Hospital in Botswana

The assessment of Gaborone Private Hospital, Diagnofirm Medical Laboratories, Sidilega Private Hospital, and Sir Ketumile Masire Teaching Hospital indicates moderate progress in certain areas of privacy governance, but persistent structural weaknesses that undermine full compliance with data protection laws.

Performance across the facilities varies significantly with respect to transparency and public-facing privacy documentation. Diagnofirm Medical Laboratories demonstrates the strongest commitment to accessibility, scoring 88%, followed by Gaborone Private Hospital at 75%. In contrast, Sidilega Private Hospital and Sir Ketumile Masire Teaching Hospital have no accessible privacy policies, each scoring 0%. The absence of publicly available privacy notices in two of the four institutions creates substantial compliance gaps. Privacy policies serve as the primary mechanism for informing patients of their rights, data processing purposes, and institutional safeguards.

Without them, transparency obligations under data protection law are not met, and patients lack visibility into how their sensitive health information is handled.

Gaborone Private Hospital shows moderate effort in operationalizing data subject rights, scoring 61%. This suggests some level of procedural recognition of access, correction, or related rights. However, the remaining facilities, Diagnofirm Medical Laboratories, Sidilega Private Hospital, and Sir Ketumile Masire Teaching Hospital, scored 0%, indicating no visible mechanisms for facilitating statutory rights. The limited implementation of rights-management frameworks represents a critical compliance weakness. Data protection laws typically require institutions processing health data to establish clear procedures for responding to access requests, corrections, and complaints. The absence of such systems exposes facilities to legal risk and undermines patient trust.

All four facilities engage in third-party data sharing, which is standard practice in healthcare delivery (e.g., laboratories, insurers, technology providers). However, compliance safeguards in this area are notably weak. Gaborone Private Hospital recorded the highest score at 22%, followed by Diagnofirm Medical Laboratories at 14%, while Sidilega Private Hospital and Sir Ketumile Masire Teaching Hospital scored 0%. These low scores reflect limited transparency around categories of third-party recipients, absence of clearly articulated safeguards, and weak disclosure of cross-border transfer protections where applicable. Inadequate governance of third-party processing increases the risk of unauthorized disclosure, contractual non-compliance, and accountability failures, particularly given the sensitivity of medical data.

All facilities demonstrate some measurable effort to implement technical security controls. Gaborone Private Hospital and Diagnofirm Medical Laboratories lead in this category, each scoring 56%, suggesting moderate investment in cybersecurity protections. Sidilega Private Hospital and Sir Ketumile Masire Teaching Hospital scored 39%, indicating more limited but still observable safeguards. While these results suggest awareness of data security obligations, technical safeguards alone are insufficient to ensure full legal compliance. Effective privacy governance requires integration of security measures within broader accountability and transparency frameworks.

A significant cross-cutting weakness is the complete absence of transparency reporting and documented internal data breach response mechanisms. None of the four facilities has published a transparency report, nor is there visible evidence of structured breach notification procedures, internal investigation protocols, or patient notification frameworks. This represents a serious compliance vulnerability.

Data protection laws typically mandate timely breach notification to regulators and affected individuals. Without documented procedures, facilities risk delayed responses, regulatory penalties, and reputational damage in the event of a security incident.

The findings suggest that privacy governance among the assessed Botswana health facilities remains uneven and underdeveloped. While Diagnofirm Medical Laboratories and Gaborone Private Hospital demonstrate comparatively stronger performance in policy accessibility and technical security, sector-wide weaknesses persist in data subject rights implementation, third-party accountability, transparency reporting, and breach management.

The lack of accessible privacy policies in half of the facilities and uniformly weak breach response mechanisms highlight systemic compliance risks. To align with data protection law and strengthen patient trust, facilities should prioritize:
  • Publishing comprehensive and accessible privacy notices
  • Establishing formal procedures for managing data subject rights
  • Strengthening contractual and transparency safeguards for third-party processors
  • Implementing documented breach detection and notification frameworks
  • Introducing periodic transparency reporting mechanisms

Without these improvements, healthcare institutions remain exposed to regulatory enforcement risks and potential erosion of public confidence in their handling of sensitive health information.

Health Sector - Rwanda

CHUK (University Teaching Hospital of Kigali), King Faisal Hospital, Ruhengeri Referral Hospital and Rwanda Military Hospital in Rwanda

The reassessment of CHUK (University Teaching Hospital of Kigali), King Faisal Hospital, Ruhengeri Referral Hospital, and Rwanda Military Hospital shows that there has been little measurable progress in strengthening privacy governance across Rwanda's public health sector since last year. While one institution continues to demonstrate partial compliance with data protection requirements, sector-wide performance remains weak, with some areas showing stagnation and others clear regression. King Faisal Hospital remains the only facility with a publicly accessible privacy policy, maintaining its score of 88% from the previous assessment.

The policy is visible and reasonably readable, meeting minimum length and accessibility standards. However, no substantive improvements have been observed in its content. Key compliance gaps identified last year persist, including incomplete contact information, limited clarity on retention periods, insufficient detail regarding third-party recipients, and the absence of a clearly defined complaint escalation process to the regulator. In contrast, CHUK, Ruhengeri Referral Hospital, and Rwanda Military Hospital continue to have no publicly available privacy policies, each maintaining a score of 0%. This sustained lack of transparency represents a significant compliance deficiency, as patients remain uninformed about how their personal and sensitive health data are collected, processed, retained, or shared.

With respect to data subject rights, King Faisal Hospital remains the only institution demonstrating effort in this area. However, its score declined markedly from 61% last year to 25% in the current assessment. Although the policy references rights such as access, correction, and deletion, it does not provide adequate procedural clarity or structured mechanisms for exercising these rights. The absence of detailed complaint channels or timelines further weakens its compliance posture. The other three hospitals again recorded 0%, reflecting no visible systems for facilitating statutory rights.

This regression at King Faisal Hospital, combined with the continued inaction of the other facilities, suggests that the operationalization of patient rights in the sector has not strengthened and, in some respects, has deteriorated.

Third-party data sharing practices remain inadequately governed. King Faisal Hospital's score in this category dropped from 30% to 24%. While the hospital acknowledges that data may be shared with affiliates and service providers and excludes advertisers, it does not clearly identify categories of shared data, specify recipients, or outline safeguards for cross-border transfers. CHUK, Ruhengeri Referral Hospital, and Rwanda Military Hospital continue to score 0% due to the absence of any publicly disclosed information on third-party processing. The persistence of these gaps heightens the risk of unauthorized disclosures and weakens accountability mechanisms required under data protection law.

In the area of data security, results are mixed. King Faisal Hospital maintained its score of 45%, continuing to reference general technical, administrative, and physical safeguards without providing specific details. Its SSL rating improved from B to A, although security headers remain weak. Rwanda Military Hospital recorded a modest improvement, increasing from 22% to 28%, supported by a stronger SSL configuration, though it still lacks policy documentation addressing data security practices. CHUK maintained its prior score of 22%, reflecting no improvement in either technical safeguards or transparency. Ruhengeri Referral Hospital experienced a significant decline, dropping from 33% to 0%, indicating deterioration in its technical security posture. Although some institutions demonstrate baseline cybersecurity measures, the lack of detailed disclosure and consistent standards across facilities limits demonstrable compliance.

As in the previous year, none of the assessed hospitals has published a transparency report since 2024. Furthermore, there is no evidence of structured internal data breach resolution mechanisms across any of the four institutions. King Faisal Hospital provides limited complaint channels but does not articulate breach detection procedures, notification timelines, or regulator reporting obligations. The remaining hospitals provide no public guidance whatsoever on breach management. This continued absence of documented incident response frameworks represents a critical compliance vulnerability, particularly given the sensitive nature of health data.

Overall, the comparative analysis indicates that Rwanda's assessed health facilities have made no meaningful sector-wide progress in strengthening privacy practices since last year. King Faisal Hospital remains the relative leader but shows signs of stagnation and regression in certain areas, particularly in data subject rights and third-party transparency. The other institutions continue to demonstrate systemic non-compliance, especially in transparency and accountability.

These findings underscore persistent legal, operational, and reputational risks within the sector. Without deliberate institutional reforms focused on transparency, enforceable patient rights, structured third-party governance, strengthened cybersecurity documentation, and formal breach response mechanisms, the healthcare sector's compliance with data protection laws will remain limited and reactive rather than proactive and sustainable.

Health Sector - Tanzania

Muhimbili National Hospital, Regency Medical Center, CRBT Tanzania and LyfPlus Tanzania in Tanzania

The reassessment of Muhimbili National Hospital, Regency Medical Center, CRBT Tanzania, and LyfPlus Tanzania indicates that compliance with Tanzania's Personal Data Protection Act remains generally weak across the health sector, with limited progress recorded since last year. With the exception of LyfPlus, the remaining institutions continue to demonstrate structural non-compliance in key privacy governance areas.

LyfPlus remains the only facility with a publicly accessible privacy policy. However, its score for policy accessibility declined from 88% last year to 75% in the current assessment. Although the policy is visible and available on its website, its readability has deteriorated, with a readability grade above level 14, making it difficult for the average data subject to understand. While the policy remains comprehensive in length and scope, reduced accessibility undermines the principle of transparency and the requirement that privacy notices be clear and intelligible.

In contrast, Muhimbili National Hospital, Regency Medical Center, and CRBT Tanzania continue to operate without publicly available privacy policies, each maintaining a score of 0% for the second consecutive year. This sustained absence of transparency significantly limits patient awareness of data processing practices and reflects non-compliance with statutory notice obligations.

In relation to data subject rights, LyfPlus recorded improvement, increasing from 43% last year to 57%. This suggests greater articulation of user rights within its privacy framework. Nonetheless, procedural clarity remains limited, particularly regarding complaint escalation and enforcement mechanisms. The other three hospitals again scored 0%, demonstrating no visible structures for enabling access, correction, objection, or other statutory rights. The absence of rights-management systems across most institutions indicates continued failure to operationalize one of the core pillars of data protection law.

Third-party data sharing practices show modest improvement only at LyfPlus, which increased from 32% to 48%. While this reflects enhanced disclosure regarding data transfers, the safeguards remain incomplete, particularly concerning identification of specific third parties and detailed transfer protections. Muhimbili National Hospital, Regency Medical Center, and CRBT Tanzania maintained scores of 0%, as no privacy documentation exists to explain whether and how personal data is shared. This lack of transparency heightens the risk of undisclosed or inadequately governed data transfers, particularly in a healthcare environment where sensitive data is routinely exchanged.

With respect to data security, performance across the facilities remains inconsistent and, in some cases, has declined. LyfPlus, which led the sector last year with 61%, dropped significantly to 45%. Muhimbili National Hospital recorded a marginal increase from 44% to 45%, thereby sharing the highest score in this category. CRBT Tanzania maintained its prior score of 33%, while Regency Medical Center continued to perform weakly. Although all facilities demonstrate some level of technical security effort, the overall scores remain low, raising concerns regarding compliance with Section 27 of the Personal Data Protection Act, which obliges data controllers to ensure appropriate security safeguards. The downward shift at LyfPlus is particularly notable, given that it previously demonstrated comparatively stronger digital governance practices.

Transparency reporting remains entirely absent across the sector. None of the four facilities has published a transparency report, and all maintained a score of 0% in this category from last year. Similarly, internal data breach resolution mechanisms remain underdeveloped. LyfPlus showed improvement, rising from 17% to 33%, indicating some movement toward structured breach management. However, the framework remains incomplete, with no clearly defined notification timelines or investigation procedures. Muhimbili National Hospital, Regency Medical Center, and CRBT Tanzania maintained scores of 0%, reflecting no visible breach response protocols. This continued absence of documented breach management systems exposes facilities to significant regulatory and reputational risks in the event of a data incident.

Comparatively, last year's analysis positioned LyfPlus as the clear sector leader across nearly all privacy metrics, particularly in data security and policy transparency. While it remains the most compliant institution in the current assessment, its performance has declined in accessibility and data security, even as it improved in data subject rights, third-party transparency, and breach management. The other facilities show no measurable progress across most metrics, maintaining persistent non-compliance in transparency, rights facilitation, and accountability.

Overall, the findings indicate that Tanzania's assessed health facilities continue to exhibit widespread weaknesses in privacy governance. With the exception of LyfPlus, there is little evidence of structured compliance with data protection principles. Even LyfPlus, despite leading performance, demonstrates only partial compliance and faces challenges related to policy readability, detailed safeguards, and comprehensive breach response procedures. The stagnation across most institutions suggests that compliance efforts have not been institutionalized sector-wide. Without deliberate reforms aimed at establishing accessible privacy policies, enforceable data subject rights mechanisms, documented third-party safeguards, strengthened cybersecurity standards, and transparent breach response frameworks, the healthcare sector will remain exposed to regulatory enforcement risks and diminished patient trust.

Health Sector - Mauritius

Wellkin Hospital, Clinique Darné, Aegle Clinic and Dr. Agarwal's Eye Hospital Mauritius in Mauritius

The reassessment of Wellkin Hospital, Clinique Darné, Dr. Agarwal's Eye Hospital Mauritius, and Aegle Clinic indicates that Mauritius' private health sector continues to demonstrate relatively stronger transparency practices compared to peers in other jurisdictions assessed. However, despite pockets of progress, important compliance gaps remain, particularly in breach management and detailed security governance. A comparison with last year's findings shows a combination of stability, targeted improvements, and persistent structural weaknesses.

As in the previous assessment, Wellkin Hospital and Clinique Darné remain the sector leaders in privacy policy accessibility, each maintaining a score of 88%. Dr. Agarwal's Eye Hospital also maintained its prior score of 75%, while Aegle Clinic continues to have no accessible privacy policy, scoring 0% for the second consecutive year. The continued absence of a privacy notice at Aegle Clinic represents a fundamental transparency failure and places the institution at clear risk of non-compliance with data protection obligations requiring notice to data subjects.

The privacy policies of Wellkin Hospital and Clinique Darné remain prominently displayed and fairly comprehensive. Both outline the types of personal data collected, including medical and identifying information, explain the purposes of collection, and provide contact information for data protection queries. They recognize core patient rights, including access, rectification, erasure under certain conditions, objection to processing, and the right to lodge complaints with the institution or the national Data Protection Office. Both policies exclude sharing personal data with advertisers and allow disclosure to law enforcement where reasonably required. However, neither policy specifies detailed retention periods nor comprehensively lists all third-party recipients. In addition, while data security is referenced, specific technical and organizational measures are not described, and breach-handling procedures remain undefined.

Dr. Agarwal's Eye Hospital's privacy policy is similarly accessible and fairly detailed. It outlines categories of personal, medical, insurance, and financial data collected, explains processing purposes, and provides mechanisms for access, correction, deletion, and withdrawal of consent. The policy identifies categories of third-party recipients, including service providers and affiliates, and recognizes grievance procedures through a designated officer. Compared to last year, its performance improved notably in several operational areas, particularly third-party transparency and data security. However, retention periods remain broadly defined rather than specific, security measures lack technical detail, and the policy disclaims responsibility for certain third-party breaches, which may weaken accountability expectations.

In relation to data subject rights, Wellkin Hospital and Clinique Darné continue to lead the sector, although both experienced a slight decline from 79% last year to 73% this year. Dr. Agarwal's Eye Hospital improved significantly from 53% to 67%, narrowing the gap with the sector leaders. Aegle Clinic again recorded 0%, reflecting the absence of any publicly articulated rights framework. While the leading institutions demonstrate structured recognition of rights, the marginal decline at Wellkin and Clinique Darné suggests stagnation rather than advancement in strengthening procedural clarity.

Third-party data sharing practices remain an area of moderate but incomplete compliance. Wellkin Hospital and Clinique Darné maintained their prior scores of 44%, continuing to lead the sector but without improvement. Dr. Agarwal's Eye Hospital showed substantial progress, rising from 10% last year to 36%, reflecting enhanced disclosure of sharing arrangements. Nevertheless, across all facilities, third-party transparency remains limited by the absence of exhaustive recipient lists and insufficient clarity on safeguards governing transfers. Aegle Clinic's continued absence of a privacy policy results in a sustained 0% score in this category.

Data security practices show more encouraging developments. Dr. Agarwal's Eye Hospital improved markedly from 61% to 78%, emerging as the leader in this metric. Wellkin Hospital and Clinique Darné maintained their previous scores of 61%, demonstrating stable but not advancing security posture. Aegle Clinic remained at 28%, reflecting minimal improvement in technical safeguards. While the sector shows measurable effort in cybersecurity practices, privacy policies across institutions continue to provide only general references to security measures without detailing breach response frameworks, timelines, or user notification procedures.

A significant positive development this year is the publication of transparency reports by Wellkin Hospital and Clinique Darné, both scoring 100% in this category compared to 0% last year. This represents a substantial improvement in accountability and public reporting practices. Dr. Agarwal's Eye Hospital and Aegle Clinic, however, continue to score 0%, indicating no movement toward structured transparency reporting.

Internal data breach resolution mechanisms remain the weakest area of compliance across the sector. Dr. Agarwal's Eye Hospital improved from 0% to 33%, suggesting some development of internal grievance or response procedures. However, the framework remains incomplete and lacks detailed notification timelines and investigation protocols. Wellkin Hospital, Clinique Darné, and Aegle Clinic maintained scores of 0%, reflecting the absence of clearly articulated breach management systems. Despite general references to security, none of the policies provides comprehensive guidance on breach detection, user notification, or regulator reporting obligations.

Overall, the comparative analysis demonstrates that Mauritius' leading private hospitals continue to perform strongly in privacy policy accessibility and basic transparency, with incremental improvements in third-party disclosures and data security, particularly at Dr. Agarwal's Eye Hospital. The introduction of transparency reporting by Wellkin Hospital and Clinique Darné marks meaningful progress since last year. However, persistent weaknesses in breach management, detailed security documentation, and retention specificity indicate that compliance remains partial rather than fully mature. Aegle Clinic's continued absence of a privacy policy highlights a clear outlier in sector performance and signals ongoing non-compliance.

While the sector shows comparatively stronger privacy governance than many peers, full alignment with data protection laws will require deeper institutionalization of breach response mechanisms, clearer documentation of retention and transfer safeguards, and consistent accountability reporting across all facilities. Without these reforms, even high-performing institutions remain exposed to regulatory scrutiny and reputational risk in the event of data protection failures.

Health Sector - Zimbabwe

Karanda Mission Hospital, Mpilo Central Hospital, Baines Avenue Clinic, and Parirenyatwa General Hospital (PGH) in Zimbabwe

The reassessment of Karanda Mission Hospital, Parirenyatwa General Hospital (PGH), Baines Avenue Clinic, and Mpilo Central Hospital indicates that Zimbabwe's health sector continues to exhibit systemic weaknesses in privacy governance, with no measurable progress since last year in core transparency and accountability indicators. The comparative analysis confirms that structural compliance gaps identified previously remain largely unaddressed.

For the second consecutive year, none of the assessed facilities has made a visible effort to establish or publish an accessible privacy policy. All four institutions maintained scores of 0% in this category. The absence of publicly available privacy notices means patients are not informed about how their personal and sensitive health data are collected, processed, stored, or shared. This sustained failure reflects non-compliance with fundamental data protection principles, particularly transparency and lawful processing obligations.

Similarly, performance in relation to data subject rights remains unchanged. All facilities again scored 0%, indicating that there are no visible mechanisms through which patients may exercise rights of access, correction, objection, or complaint. The absence of structured rights-management frameworks leaves data subjects without enforceable procedural protections and exposes institutions to potential legal and regulatory risk.

Third-party data sharing practices also show no meaningful improvement. All facilities maintained 0% in transparency and governance of third-party transfers. Although healthcare operations inherently require data sharing with laboratories, insurers, or service providers, none of the institutions provides public disclosure regarding such arrangements or associated safeguards. This continued opacity increases the risk of unauthorized disclosures and weakens accountability.

The only area where some measurable effort is observed is data security. Karanda Mission Hospital continues to lead the sector, maintaining its 50% score from last year. Parirenyatwa General Hospital retained its score of 28%, while Baines Avenue Clinic maintained 22%. Mpilo Central Hospital again scored 0%, reflecting no visible technical or organizational safeguards. Although these limited technical controls demonstrate some awareness of cybersecurity obligations, they remain isolated efforts unsupported by policy frameworks, documented procedures, or governance structures. As a result, even the highest-performing facility operates without a comprehensive privacy management system.

Transparency reporting and internal data breach resolution mechanisms remain entirely absent across the sector. As in the previous assessment, none of the facilities has published a transparency report, and none demonstrates documented breach detection, investigation, or notification procedures. This sustained absence of accountability mechanisms represents a critical compliance gap, particularly in light of statutory obligations to notify regulators and affected individuals in the event of a data breach.

Compared to last year's findings, there has been no sector-wide improvement. Data security scores remain unchanged, and all other indicators, including privacy policy accessibility, data subject rights, third-party governance, transparency reporting, and breach management, continue to reflect total non-compliance. The stagnation suggests that privacy governance has not been institutionalized within the assessed facilities and that compliance efforts remain either minimal or nonexistent.

Overall, Zimbabwe's assessed healthcare institutions demonstrate a systemic absence of structured privacy and data protection management. Limited technical safeguards at a few facilities do not compensate for the lack of policy frameworks, accountability systems, or enforceable rights mechanisms. Without the introduction of accessible privacy notices, operational rights procedures, third-party governance controls, transparency reporting, and formal breach response systems, the sector remains highly vulnerable to regulatory enforcement, legal liability, and erosion of patient trust.

Health Sector - Kenya

Aga Khan University Hospital, Nairobi Hospital, Nairobi Women's Hospital, and Karen Hospital in Kenya

The reassessment of Aga Khan University Hospital, Nairobi Hospital, Nairobi Women’s Hospital, and Karen Hospital indicates mixed progress within Kenya’s healthcare sector, with improvements in regulatory registration but continued weaknesses in transparency, data governance, and breach accountability. When compared to last year’s findings, the sector reflects incremental administrative compliance gains but regression in certain substantive privacy protections.

In relation to registration with the national regulator, there has been notable improvement. Aga Khan University Hospital and Karen Hospital maintained their perfect registration scores of 100%, consistent with last year's performance. Nairobi Women's Hospital demonstrated significant progress, improving from 0% to 100%, thereby aligning itself with statutory registration requirements. This marks a positive development in formal compliance with Kenya's Data Protection Act and oversight by the Office of the Data Protection Commissioner (ODPC). Nairobi Hospital's registration status, however, remains unchanged from last year. While improved registration strengthens regulatory visibility and accountability, registration alone does not equate to operational compliance.

Despite improvements in registration, transparency through accessible privacy policies remains limited. Aga Khan University Hospital continues to be the only facility with a publicly accessible privacy policy, maintaining its 75% score from last year. Nairobi Hospital, Nairobi Women's Hospital, and Karen Hospital again scored 0%, reflecting the absence of publicly available privacy notices. Given the sensitive nature of medical data processed, including patient records, diagnostic results, and insurance information, the absence of privacy policies at three major institutions represents a serious transparency failure and potential violation of statutory notice obligations.

Aga Khan University Hospital also remains the only institution demonstrating effort to operationalize data subject rights. However, its score declined slightly from 60% to 58%, suggesting stagnation rather than advancement in strengthening procedural clarity. While the hospital recognizes rights of access, correction, and other statutory protections, detailed guidance on timelines and complaint escalation remains limited. The other facilities maintained 0%, indicating no visible mechanisms for facilitating data subject rights. This sustained absence of rights-management systems exposes institutions to enforcement risk and undermines patient trust.

Third-party data sharing practices show marginal improvement only at Aga Khan University Hospital, which increased slightly from 36% to 38%. Although it provides some disclosure regarding third-party transfers, the safeguards remain incomplete and lack comprehensive identification of recipients or detailed transfer protections. Nairobi Hospital, Nairobi Women's Hospital, and Karen Hospital maintained 0%, offering no public transparency on third-party processing arrangements. In a healthcare ecosystem increasingly reliant on insurers, laboratories, digital health platforms, and cloud providers, the absence of clear third-party governance frameworks presents heightened compliance and security risks.

Data security performance reflects regression at previously stronger institutions. Aga Khan University Hospital's score dropped significantly from 56% to 22%, marking a concerning decline in demonstrable security posture. Karen Hospital also declined from 39% to 28%. Nairobi Hospital and Nairobi Women's Hospital maintained their prior scores of 28%. Although all institutions demonstrate some level of technical safeguards, overall performance remains modest, particularly in light of the statutory obligation to implement appropriate technical and organizational measures for sensitive health data. The decline at Aga Khan University Hospital is particularly notable given its prior leadership in this area.

Transparency reporting and internal data breach resolution mechanisms remain critically underdeveloped across the sector. As in the previous year, none of the facilities has published a transparency report. Internal breach management frameworks remain largely absent, with Aga Khan University Hospital's score declining from 25% to 17%, and all other institutions maintaining 0%. The absence of structured breach detection, notification timelines, and regulator reporting procedures represents a major compliance vulnerability under Kenya's data protection regime.

Comparatively, last year's analysis identified Aga Khan University Hospital as the clear sector leader across most metrics, with relatively stronger performance in privacy policy accessibility, third-party disclosures, breach management, and data security. In the current assessment, while the hospital maintains its leadership position in transparency and rights recognition, its decline in data security and breach management signals regression in operational safeguards. Nairobi Women's Hospital's improved registration status marks the most significant positive development this year, but it has not been accompanied by parallel improvements in transparency or rights facilitation.

Overall, the healthcare sector's performance remains concerning. Although registration compliance has improved, substantive privacy governance, particularly policy transparency, enforceable data subject rights, detailed third-party oversight, and structured breach response, remains weak across most institutions. The processing of highly sensitive health data without accessible privacy notices or robust accountability frameworks exposes facilities to legal liability, regulatory sanctions, and reputational harm. As healthcare digitization accelerates through electronic medical records, telemedicine platforms, and integrated insurance systems, the need for comprehensive privacy governance becomes more urgent. Without sustained institutional commitment to strengthening operational compliance beyond basic registration, the sector risks falling short of both statutory requirements and patient trust expectations.

Health Sector - Uganda

Case Hospital, IHK Hospital, Lubaga Hospital and Nakasero Hospital in Uganda

The reassessment of IHK Uganda, Nakasero Hospital, Lubaga Hospital, and Case Hospital indicates incremental progress in certain compliance areas, particularly registration and privacy policy publication, but continued weaknesses in accountability, third-party governance, and breach preparedness. Compared to last year's findings, the sector demonstrates modest structural improvements, although performance remains uneven and in several respects fragile.

With respect to registration with the national regulator (NPDPO), compliance levels have either been maintained or improved. IHK Uganda and Nakasero Hospital retained their perfect registration scores of 100%, reflecting continued adherence to formal regulatory requirements. Case Hospital maintained its 50% score, consistent with last year's inactive or partial registration status. Notably, Lubaga Hospital improved from 0% to 50%, marking progress toward regulatory formalization. While these developments strengthen institutional legitimacy and regulatory oversight, registration alone does not ensure operational compliance with Uganda's data protection framework.

Significant movement was observed in the publication of accessible privacy policies. Lubaga Hospital recorded the most notable improvement, rising from 0% last year to 100%, while Nakasero Hospital improved from 88% to 100%. IHK Uganda, although still performing strongly at 88%, declined from last year's perfect score. Case Hospital continues to lack an accessible privacy policy, maintaining 0%. The improvement by Lubaga Hospital represents an important step toward transparency, given that the absence of a privacy notice last year was a critical compliance gap. However, the continued absence of a policy at Case Hospital remains a serious deficiency, particularly for an institution handling sensitive health data.

In the area of data subject rights, performance remains concentrated in a few institutions. IHK Uganda continues to lead, scoring 79%, though this reflects a slight decline from 81% last year. Its privacy framework recognizes rights of access, rectification, erasure, restriction, and complaint to the regulator, and provides multiple contact channels for its data protection office. Lubaga Hospital improved significantly from 0% to 39%, demonstrating growing recognition of statutory rights. Nakasero Hospital, however, declined from 36% to 23%, suggesting reduced clarity or visibility of its rights-management mechanisms. Case Hospital again recorded 0%, underscoring a continued absence of rights-based governance structures.

These disparities indicate that while some institutions are embedding rights-based compliance, sector-wide implementation remains inconsistent.

Third-party data sharing practices remain one of the weakest compliance areas. IHK Uganda improved modestly from 44% to 48%, maintaining its leadership in this category and disclosing that data may be shared with service providers and law enforcement upon lawful request, while excluding advertisers. Lubaga Hospital showed marginal progress from 0% to 10%. However, Nakasero Hospital's performance declined sharply from 60% last year to 0%, representing a significant regression in transparency regarding external data transfers. Case Hospital maintained 0%. Given the routine involvement of insurers, laboratories, and cross-border data hosting arrangements in healthcare delivery, the absence of clearly articulated third-party safeguards presents material legal and operational risk.

Data security remains the area of relatively strongest performance across the sector, though still at moderate levels. IHK Uganda maintained its leading position at 61%, consistent with last year. Lubaga Hospital improved from 39% to 45%, and Nakasero Hospital maintained 45%. Case Hospital remained at 28%, with its score largely attributable to SSL and basic technical safeguards rather than a documented organizational security framework. Although these results show stability or improvement in technical controls, they do not necessarily reflect comprehensive security governance, particularly in relation to documented risk assessments, incident response protocols, and staff training obligations required under data protection law.

As in the previous assessment, transparency reporting remains entirely absent across all four hospitals. None has published a transparency report. Internal data breach resolution mechanisms also remain largely undeveloped. IHK Uganda showed limited improvement, increasing from 0% to 17%, suggesting early steps toward breach management processes. However, Lubaga Hospital, Nakasero Hospital, and Case Hospital maintained 0%, indicating no visible breach detection, reporting, or notification frameworks. The continued absence of structured breach response mechanisms represents one of the most significant compliance vulnerabilities in the sector, particularly given the sensitivity of health information and statutory notification obligations.

Institution-specific analysis reinforces these patterns. IHK Uganda continues to demonstrate the most comprehensive privacy governance framework. Its privacy policy is accessible and readable, clearly defines categories and purposes of data collection, provides opt-out options for behavioural marketing, subjects retention to legal requirements, and specifies lawful disclosures, including court-ordered access. However, it still lacks detailed breach handling procedures, limiting its overall accountability posture. Lubaga Hospital's improvements in policy publication and rights recognition are commendable, but weaknesses in third-party governance and breach management constrain its compliance maturity. Nakasero Hospital maintains strong registration and policy accessibility but has regressed in third-party transparency and data subject rights clarity. Case Hospital remains the weakest performer, with no accessible privacy policy, no articulated third-party framework, no rights mechanisms, and minimal security safeguards beyond technical encryption.

Compared to last year, the most notable positive changes include Lubaga Hospital's introduction of a privacy policy and improved rights recognition, IHK Uganda's modest progress in breach management, and slight improvements in third-party disclosures. However, the decline in Nakasero Hospital's third-party transparency and the continued absence of accountability mechanisms across most institutions temper these gains.

Overall, Uganda's private healthcare sector demonstrates partial progress in transparency and formal compliance but remains significantly deficient in accountability, breach preparedness, and comprehensive third-party governance. While policy publication has improved, particularly at Lubaga Hospital, effective implementation mechanisms remain underdeveloped. Without strengthened breach management systems, clearer third-party controls, and sustained enforcement oversight, healthcare providers remain exposed to regulatory liability and reputational harm, and patient data protection remains inadequately safeguarded.
