Privacy & Data Protection Policy

Medic’s Privacy and Data Protection Policy, which applies to the Community Health Toolkit

Note

This policy is reviewed and updated periodically by our Responsible Data Working Group and is intended as a resource for the CHT community.

If you have any questions, please reach out to our Data Protection Officer at support@medic.org.

Our responsible data promise

As a non-profit organization, Medic Mobile (“Medic”)’s mission is to advance good health and human flourishing by building open source technology with and for hard-to-reach communities. We value humanity, creativity, initiative, solidarity, and openness. Being responsible stewards of people’s data is critically important to our mission.

We use the concept of Responsible Data (RD) to outline our collective duty to prioritise and respond to the ethical, legal, social, and privacy-related challenges that come from using data in new and different ways in healthcare, advocacy, and social change. We have an obligation to account for unintended consequences of working with data by:

Prioritising people’s rights to consent, privacy, security and ownership when using data in social change and advocacy efforts
Implementing values and practices of transparency and openness

As an organization, we promise to do our best to live up to these obligations. We promise to show initiative, to seek feedback, and to proactively seek out ways to work with data more responsibly. We promise to accompany patients, health workers, researchers, organizational partners, and our open source community in the journey from best intentions to best practices in data-driven projects. The purpose of Medic’s data policy is to help our organization deliver on this responsible data promise.

Compliance with applicable data regulations and policies

Medic serves as a technical partner to governments and non-governmental organizations around the world. As a result, our projects comply with a range of country-specific and region-specific data protection regulations, and the details of compliance are addressed on a project-by-project basis. Adhering to all data regulations that are relevant to a given project is a central element of Medic’s global privacy and data protection policy.

In most cases, the Ministries of Health, other government agencies, and non-governmental organizations that Medic supports (Medic “Partner(s)”) serve as data controlling entities, and they work with Medic as a business associate. Partners establish additional data handling policies and standard operating procedures, which are typically documented in Memoranda of Understanding or/and Data Sharing Agreements signed by these Partners as well as Medic.

Data and protected health information

Use of software to collect and process data

Medic has developed an open-source software toolkit (“Software”) that combines smart messaging, decision support, easy data gathering and management, and health system analytics. The Software can be accessed via many types of devices, including feature phones, smartphones, tablets, and desktop computers. Certain aspects of the Software can be downloaded for use on such end user devices. Health workers and families can use the Software to help monitor pregnancies, track outbreaks faster, treat illnesses, keep stock of essential medicines, and communicate about emergencies, among other things.

The Software is made available to the public on a free and open source basis, under licenses approved by the Open Source Initiative. These licenses limit Medic’s liability or responsibility with respect to any uses of the Software in which Medic personnel are not directly involved in Processing Data (defined below). The Software source code and the relevant licenses can be accessed at http://github.com/medic.

Medic hosts, maintains and supports certain components of the Software on Medic managed servers where Data obtained by use of Software on end user devices is received, accessed, handled, and/or stored (collectively, “Processed”). “Data” means any and all data, information and other content uploaded, posted, input or transmitted to the Software, or generated by the use of the Software, by or on behalf of End Users.

Subject to compliance with applicable law, Medic and its permitted subcontractors and agents shall not disclose Data to any third party and shall not use or access the Data for any purpose, except the following specific purposes:

To provide services or conduct activities as permitted in writing by a Partner acting as the data controlling entity for the specific Data being accessed or shared (which may require execution of a memorandum of understand or data use agreement);
To maintain and improve the Software;
To perform routine monitoring and public reporting on aggregated Impact Metrics (defined below).

For the purposes of this policy, “Impact Metrics” refers to aggregated Data which does not include personally identifiable information or Protected Health Information (defined below), and which is useful for Medic’s charitable purpose of monitoring the use of the Software and understanding its impacts on health systems. Examples of Impact Metrics include the total number of households registered in the Software, the total number of health workers using the Software, the total number of households visited in a given month, and the total number of Software-supported actions on antenatal care, postnatal care, integrated community case management, family planning, malnutrition, and immunization services. It may also include aggregate Data concerning COVID-19 services such as community event-based surveillance, contact tracing, CHW self-checks, and support for self-isolation provided in Medic-supported projects.

Any Impact Metrics shared with the general public will be aggregated globally; Medic personnel shall not de-aggregate the Impact Metrics to identify activities in any particular Country, without obtaining prior written consent from the Partner(s) acting as the relevant data controlling entities. Examples of previously reported Impact Metrics are available to the public in Medic’s quarterly and annual reports, which can be accessed at https://medic.org/reports/.

All additional uses of data for research and reporting will comply with applicable Ministry of Health policies and existing Partner policies for health data access and sharing. Medic personnel shall not use any Data for research purposes unless Medic has obtained the prior written consent of the relevant Partner(s), which may involve execution of a data sharing agreement.

Protected health information policy

For purposes of this policy, protected health information (“PHI”) is defined as any physically or electronically-encoded information containing at least one of the following:

patient name(s);
patient-related dates (including birth, registration, visit, death);
patient-related ages;
patient and/or family phone/fax numbers, e-mail addresses, and/or social media account names;
references to a patient-related geographical subdivision (if smaller than 20,000 people);
social security, tax identification, or other patient account numbers;
patient-related device identifiers, addresses, or serial numbers (including IP addresses, MAC addresses, computer/-device serial numbers, beneficiary numbers, account numbers, and personally-identifying URLs);
licensure information (including drivers’ license and license plate numbers, and numbers related to professional membership/licensing);
images containing the face of a patient, patient’s family member, or any other patient-related contact;
any biometric data describing a patient (including eye/hand measurements, height, weight, or clothing sizes); and
any unique identifier or code, other than a study-specific unique identifier assigned for purposes of managing an approved research protocol

Medic’s PHI policy requires that:

Access to protected health information – and to devices containing protected health information – must be password protected.
Any and all protected health information must be stored and retrieved using a full-disk encryption system.
Any device that connects to or uses any of Medic’s mission-critical services must use a full-disk encryption system at all times.
When communicating information electronically, any and all protected health information must be protected using a secure transfer system.
Each person is responsible for his/her own compliance. If any person becomes aware of a violation of this policy, they have a duty to report the incident directly to Medic’s People Operations Manager, and/or COO.

All Medic personnel sign a Protected Health Information (PHI) policy which mandates the use of full disk encryption, secure communication channels, and two factor authentication when handling PHI. This policy applies to all Medic personnel – including, but not limited to, employees, contractors, associates, fellows, interns, advisors, and board members. This policy applies to computer equipment and/or systems that are either: (i) property of Medic; (ii) property of any Medic personnel; or (iii) used directly by Medic personnel to carry out any assigned duties.

Exceptions to this policy may be granted – on a task-specific or project-specific basis only – at the discretion of the CPO or COO. This policy does not confer any ownership of data; Partner-submitted data remains in the control of Partner organizations. This policy does not apply to equipment stored in an authorized secure data center / facility (e.g. Amazon Web Services), or to equipment wholly owned and operated by an external Partner, or to external software deployments to which Medic has no access.

Security practices

Medic is committed to data security. In addition to adhering to data security standards established by our Partners, we also recognize the security benefits and drawbacks of different technology tools and work with our partners to make the best choices and mitigate risk.

Technology security overview

Web app: Medic uses secure transfers over HTTPS for all communication between the browser and our web application, with perfect forward secrecy (PFS) and 4096-bit SHA-2 certificates by default. We use a non-standard port for SSH access to reduce our exposure to automated brute-force attacks and can configure the web app to accept only public key authentication for SSH connections. Access to the web application requires a password, and user access can be established to varying degrees using a role-based access control facility (e.g. full access, restricted access, data entry only, and data export only).

Data storage: Medic uses Amazon Web Services (AWS) with enforced two-factor authentication, HTTPS, and Identity and Access Management (IAM) for all hosted instances. We use IAM policies on AWS to restrict what any one individual Medic developer/administrator can do. Please see below for more information on AWS data security.

SMS: We train users to input data using simple SMS codes or freeform SMS. We use “plain text encoding” which means viewers can see the value but not know the context of the data. As an example: when health workers text P 3 Jane (“P” for pregnancy, “3” for number of weeks pregnant, name), Medic registers the pregnancy, creates a patient ID, calculates the expected delivery date, and schedules automated reminder messages. SMS is inherently insecure but we work with every partner on safety practices to reduce and minimize mishandling of data and transmission of protected health information.

Android phones: To secure the data, each device must be configured to use Full Disk Encryption and a Screen Lock.

Security training for our Partners

We work with every partner to make sure they are trained and equipped to handle their data. This includes advising partners on how to create secure passwords and PINs, how to secure hardware, and how to safely transport data.

Inquiries with Medic’s Data Protection Officer

For any inquiries, please reach out to Medic’s Data Protection Officer, by emailing support@medic.org with the words “Data Protection” in the subject line.