Male businessman in suit standing in corporate conference room using phone. Screen not visible. Photo taken from outside of office, through windows.

Mauritius: Cloud in Public Sector

An Interactive Guide for Legal and Compliance
Professionals

DOWNLOAD OUR WHITEPAPER: Azure for Secure Worldwide
Public Sector Cloud Adoption

DOWNLOAD OUR LATEST WHITEPAPER

REGULATORY OVERVIEW

The Mauritian Government is committed to providing universal, accessible and quality healthcare services free to the population, and recognizes that technology can be leveraged to improve the quality of service delivery across all public health institutions.1 The Government eHealth vision is to “exploit ICT to extend seamless continuity of care through affordable, high-quality, user-centric service to all healthcare stakeholders in Mauritius and to promote knowledge and networking among them.”2

As changes disrupt the very fundamentals of healthcare in the coming years, we at Microsoft want to ensure that stakeholders in the healthcare sector can navigate technological advancements, so they not only cope but thrive.

Being a highly regulated sector, it is crucial to ensure that any move to the cloud complies with applicable regulation and achieves the obvious benefits without undue risk.

MICROSOFT'S COMMITMENT TO THE MAURITIAN HEALTHCARE SECTOR

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. We are focused on the heroes of the healthcare sector. We want to empower practitioners, clinicians and researchers to improve detection and diagnosis, treatment and management, as well as prediction and prevention of disease - in and out of clinical settings, for both individuals and the public good. This means improved access and more control over patient healthcare data and enhanced connections to care providers when and where needed.

Microsoft has valuable worldwide experience from engagements with healthcare institutions, providers and regulators.

Microsoft is also committed to working with national healthcare regulators, healthcare providers and other stakeholders to ensure our technologies can be used to enable the healthcare sector in ways that meet both international standards and national compliance and regulatory requirements. Indeed, Microsoft is of the view that its cloud solutions can be used to meet and even enhance the level of compliance with regulatory requirements.

In addition, Microsoft will soon deliver the intelligent Microsoft Cloud for the first time from data centres located in South Africa. The new cloud regions will offer enterprise-grade reliability and performance to help enable the tremendous opportunity for economic growth and increase access to cloud and internet services for organizations and people across the African continent. This new investment is a recognition of the enormous opportunity for digital transformation in Africa and is a major milestone in the company’s mission to empower every person and every organization on the planet to achieve more in a safe, secure and legally compliant manner.

Microsoft stands ready to support our healthcare customers in Mauritius with the Microsoft Cloud - including Microsoft Azure, Office 365 and Dynamics 365. Microsoft experts are also available to understand your requirements and provide detailed information on the technical, contractual and practical aspects of any proposed cloud project. Delivering a cloud that is trusted, responsible and inclusive is a key part of our commitment to this digital transformation and to a cloud that serves the global good.

Microsoft also understands that protected health information (PHI), which is special personal information, constitutes some of the most sensitive data that our customers handle and is subject to stringent regulatory requirements related to storage and processing. We have industry leading security and privacy practices that allow customers around the world to use the Microsoft Cloud for storing PHI.3

Microsoft’s cloud services are subject to rigorous audits by internationally accredited third parties and are certified against several key global standards and regulatory requirements for the healthcare sector. Those standards include ISO/IEC 270014 and 27002 as well as the cloud specific extension ISO/IEC 270175 and ISO/IEC 270186 (a series of the most well-known globally accepted information security management standards) and the Service Organization Controls standards SOC1, SOC2 and SOC37 as well as the Cloud Security Alliance’s Security, Trust & Assurance Registry (CSA STAR)8. Microsoft cloud services are also covered by a Business Associate Agreement that outlines how Microsoft handles and protects PHI consistent with the US Health Insurance Portability and Accountability Act (HIPAA).9 Together, the advanced controls embodied within these global standards allow Microsoft to meet or exceed any local information security requirements that apply to health data. In addition, Microsoft’s cloud adheres to the internationally accepted definitions of cloud services captured in ISO/IEC 1778810, ISO/IEC 1778911 and ITU-T Y.350212 to ensure a common understanding of terms and definitions in policies and regulation.

THE REGULATORY ENVIRONMENT

The healthcare industry in Mauritius comprises many different stakeholders and role players.Each role player in the system is, in turn, regulated by specific Acts and Regulations, including:

  • Health practitioners, for example doctors, dentists, physiotherapists and emergency care personnel, are regulated by laws including the Medical Council Act13 and the Dental Council Act, which regulate medication practitioners and dentists, respectively.
  • Nurses are regulated by the Nursing Council Act14;
  • Allied health profession practitioners who engage in, for example, chiropractic, homeopathy, acupuncture, therapeutic massage therapy, therapeutic reflexology and ayurvedic medicine are regulated by the Ayurvedic and Other Traditional Medicines Act15;
  • Health care establishments such as hospitals, clinics and similar facilities, are regulated by the Private Health Institutions Act16;
  • Medical schemes provided under insurance schemes are regulated by the Insurance Act;
  • Pharmacists are regulated by the Pharmacy Council Act17 and, inter alia, the supply of medicines is regulated by the Dangerous Drugs Act18.

Those role players who are organs of state would also be required to comply with public procurement laws in procuring cloud services.

  • The key regulator in this industry is the Ministry of Health and Quality of Life which is responsible for the health sector and the co-ordination of health service delivery generally and regulates health establishments.

    There are also many other regulators regulating practitioners and healthcare industry role-players.19 All these regulatory bodies are established under separate Acts of Parliament but account and answer to the Ministry of Health within their respective mandates.

  • The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be considered, relating to, amongst other things, the obligation on relevant role players to keep confidential and not to disclose certain information (see below).

  • While there is no regulation expressly pertaining to cloud services in Mauritius, the type of information moved to the cloud may fall under the Data Protection Act 2017 (“DPA 2017”). Role players in the healthcare sector would need to be mindful of the following legislative and regulatory provisions, including:

    • Certain general and specific requirements relating to security and protection of the confidentiality of patient and medical scheme beneficiary personal medical information, and precluding disclosure save in specified circumstances, such as with consent of the patient or by court order.
    • Health establishments: the person in charge of the health establishment which is in possession of a person's health records must set up control measures to prevent unauthorized access to those records and to the storage facility in which, or system by which, records are kept.
    • Pharmacies: the person in charge of the pharmacy must ensure that security and organizational measures must be put in place to ensure that the customers’ personal data, including health information are protected from, e.g., unauthorized disclosure or destruction.
  • No, there are no laws requiring approval from health regulatory authorities for use of cloud services, however to the extent that a healthcare customer moves personal data to the cloud, then it will have to comply with the DPA 2017.The role players in the healthcare industry which are organs of state (such as a public healthcare establishment) will also need to follow specific processes (which may necessitate certain approvals) required by the applicable public procurement laws in procuring cloud services.

  • The Regulatory Authorities possess fairly broad inspection powers which include the power to enter the relevant premises (at a reasonable time) and to access relevant information. For example, as regards the activities of a pharmacist, an inspector is empowered under the Pharmacy Act20 to inspect premises registered or licensed under the Act and examine any document required to be kept under the Act. As regards health information, the Medical Council is empowered to request the production of documents if it is investigating a complaint of professional misconduct.21

  • Under DPA 2017, personal data22 may be transferred out of Mauritius provided the requirements of DPA 2017 are met.

    Health data of an individual may be transferred to another country with the explicit consent of the individual concerned (after the individual has been informed of any possible risks of the transfer owing to the absence of appropriate safeguards), or if other statutory derogations apply23. Permitted circumstances include where the Commissioner has been provided with proof of appropriate safeguards, or if such transfer is necessary for the performance of a contract with the individual or in order to protect the vital interests of the individual or of other persons (where the individual is physically or legally incapable of giving consent).24

    Microsoft holds itself accountable and subject to the laws of general application applicable to information technology service providers, and has binding agreements, which, in our view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.

WE BUILD OUR TRUSTED CLOUD ON FOUR FOUNDATIONAL PRINCIPLES

Security

We build our services from the ground up to help safeguard your data

Privacy

Our policies and processes help keep your data private and in your control

Compliance

We provide industry-verified conformity with global standards

Transparency

We make our policies and practices clear and accessible to everyone

INDUSTRY RESOURCES

Slide %{start} of %{total}. %{slideTitle}

CUSTOMER STORIES

*EXPLANATORY NOTE AND DISCLAIMER: This website is intended to provide a summary of key legal obligations that may affect customers using Microsoft cloud services. It indicates Microsoft’s view of how its cloud services may facilitate a customer's compliance with such obligations. This website/document is intended for informational purposes only and does not constitute legal advice nor any assessment of a customer's specific legal obligations. You remain responsible for ensuring compliance with the law. As far as the law allows, use of this website/document is at your own risk and Microsoft disclaims all representations and warranties, implied or otherwise.