Angola: Cloud in Healthcare Services

a. Health practitioners are regulated by the professional boards mentioned above, i.e., the Doctors Bar Association and the Nurses Bar Association;

b. The Public Health National Institute regulates the laboratories national network, traditional medicine, primary health care, and hygiene environment²³;

c. The Ministry of Heath regulates the overall activities and institutions related to the health care system; and

d. Health establishments are regulated by the relevant Provincial Departments of Health.

The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be taken into account, relating to, amongst other things, the obligation on relevant role players to keep confidential and not to disclose certain information (see below).

There is presently no uniform regulation of cloud services in Angola. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:

• Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, and precluding disclosure save in specified circumstances, such as with consent of the patient or by court order (such duty is foreseen as an ethical rule for the medical professions and is sustained by the constitutional right to privacy).²⁴
• Health establishments: the person in charge of the health establishment which is in possession of a person's health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept (such obligation is inherent to the constitutional right to privacy).
• Medical schemes: where managed health care is undertaken by the medical scheme itself or by a third party managed health care organization, the scheme must ensure that a written protocol is in place (which forms part of any contract with a managed health care organization) that deals with confidentiality of clinical and proprietary information. These protocols may need to be amended to reflect the move to cloud services. This is inherent to the right to privacy set forth in the Angolan Constitution.²⁵
• Pharmacies: the minimum standards for record keeping procedures provide that patient medication records must be kept in the pharmacy, and that the pharmacist is bound by professional secrecy²⁶.

Given the sensitive nature of health information, it goes without saying that the chosen cloud solution must be secure, and help customers ensure compliance with their data privacy obligations. That said, the relevant provisions of Law No. 22/2011 of 17 June (Data Protection Law)²⁷ must be complied with, including article 14º, which requires the written consent of the relevant person and/or authorization from the data protection authority for such health data to be disclosed.

No, there are no laws requiring approval from healthcare regulatory authorities for use of cloud services. Regard must however be had to the above considerations given that stringent obligations are placed on the sector's role players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

The role players in the healthcare industry which are organs of state (such as a public healthcare establishment) will also need to follow specific processes (which may necessitate certain approvals) required by the applicable public procurement laws in procuring cloud services.

To the extent that health information is to be transferred outside of Angola without compliance with the data transfer requirements set out below, the responsible party will require prior notification to the Angolan data protection authority.²⁸

The Heath Inspection Services²⁹ of the Ministry of Heath have broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, a health officer may require the person in charge of a health establishment such as a hospital to produce for inspection or for purposes of making copies or extracts any document including any health record that the establishment is required to maintain. These inspections usually entail the inspectors attending at the scheme's premises and requesting copies of any information considered necessary for the inspection.

There are no data transfer requirements specifically for the healthcare industry, but the Data Protection Law will regulate the transfer of personal information and provides that the communication of data to a sub-contracted data processor can only be carried out if the following conditions are complied with³⁰: (a) the subcontractor and the data controller must enter into a written agreement or other legally valid written document, under which terms the subcontractor undertakes to comply with the provisions of the Data Protection Law and to act according to the instructions of the data controller; and (b) notification to the Angolan data protection authority³¹. These rules only apply to any information with respect to any natural person (individual), but do not apply to companies.

The data controller may only transfer personal data to a third party outside Angola after notifying the Angolan data protection authority and if the country has a level of protection at least identical to that provided by the Data Protection Law³². Otherwise, the transfer of personal data to a third party outside Angola has to be authorized by the Angolan data protection authority, and such authorization may only be granted when the specific circumstances set out in the Data Protection Law are complied with³³.

Microsoft holds itself accountable and subject to the laws of general application applicable to information technology service providers, and has binding agreements, which, in its view, are likely to constitute adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.