South Africa has taken a paperless approach to the rollout of the Covid-19 vaccinations, with the Electronic Vaccine Data System (EVDS) being used to store and process patient information. EVDS also tracks these vaccines and the logistics processes around their delivery.
While this system should offer a number of benefits over a more manual approach, not least of which is preventing loss of the vaccines data, it does bring a critical need for data management to the fore. The health records created by the system contain not only confidential medical information, but many elements of Personally Identifiable Information (PII) as well. All data must therefore be adequately managed, stored and secured across the entire chain, to prevent compliance breaches.
The benefits of a digital system
EVDS generates an electronic health record which will include information like the demographics of patients, the number of doses given, where the vaccine was administered and which vaccine was administered. As part of best practice pharmacovigilance, it will also record any adverse events following immunisation, and generate a record of the vaccination issued.
Digitalising the vaccine effort will provide data for analysis necessary for monitoring vaccine uptake and coverage as well as effectiveness. In addition, EVDS will enable track and trace of vaccines with barcode scanning, to ensure vaccine safety and prevent theft. This will also be used to ensure safe and secure disposal of the packaging and vials. Data can be verified according to the volumes that have been submitted.
The entire process of EVDS will not only help to streamline the Covid-19 vaccination efforts, it can also be applied more broadly to other vaccines as well as essential healthcare services.
The challenge of compliance
While the value of the EVDS lies in the data generated, this also introduces compliance challenges. The Health Professionals Council of South Africa (HPCSA) has various recommendations on the retention of medical records, which may be a period of up to 25 years after treatment has ended depending on the circumstances.
However, Section 14 of the Protection of Personal Information Act (PoPIA) requires that ‘records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected and processed’. This means that medical records cannot simply be retained randomly or indefinitely, and some kind of strategy must be in place.
The importance of strategy
Data protection in a system like the EVDS is complex. Information needs to be stored at various remote sites, before being sent to a central location for processing and analysis, as well as long-term storage. Local storage is required, which must be adequately protected. This requires temporary data protection at the satellite locations, in other words clinics and hospitals, so that data is not lost before it can be uploaded.
Local storage and protection is especially important in rural areas, where connectivity may be limited and data may only be able to be uploaded once a day. However, data at satellite locations does not need to be retained long term, so a deletion strategy is also essential. In addition, data needs to be protected while it is in transit, and once it has reached the central location each layer must be protected, with the right retention periods in place depending on the information and its use.
Data must be protected from accidental deletion, malware attacks and other cybersecurity threats, it must be recoverable in the event of a data loss incident, and it must be available for reporting purposes. All while maintaining compliance with all applicable legislation. This is an incredibly complex landscape which requires the right combination of strategy and technology. To ensure compliance with retention requirements as well as PoPIA, effective data management needs to be applied.