The Model Law includes suggested provisions to strengthen the legislative environment governing the collection and use of health data. The areas contained in the Model Law are intended to augment an existing data protection law or the data protection provisions within health legislation. Most countries have a data protection law or are in the process of developing one. The Model Law provisions would introduce new important areas (for example, on emerging developments in digital health systems and community consent) to strengthen the law, to allow for the Regulator to deal with health data governance issues as well. If your country is in the process of drafting a data protection law, then the model law provisions can be incorporated into the process relatively seamlessly. If your country does not have a data protection law and is also not in the process of drafting one, then you will be able to consider not only data protection but also health data governance when considering how to regulate personal data and health data and the model law can serve as a reference to guide your legislative activities in this regard.

Laws dealing with health professions, health facilities, cybercrime, cybersecurity and electronic transactions would be advantageous to effectively using the Model Law but are not necessarily required.

The Model Law was developed on the premise that a country already has a body responsible for overseeing and enforcing that country’s data protection law, and that this body is functional. This body, referred to in the Model Law as the ‘Regulator’, should be adequately funded, with sufficient capacity, to fulfil its mandate. In cases where a country does not have a dedicated body, the implementation and enforcement of relevant laws and provisions can be incorporated into the functions of an existing institution, such as the information technology regulator.

The political will to strengthen legislation dealing with the governance of health data is vital. Care should be taken to avoid making the strengthening of health data governance legislation a partisan issue. The focus should be on the benefits that a more robust legislative environment has on users, the healthcare sector, the public, and even the economy.

Data protection law is itself a legal speciality and health data governance is a sub-speciality of this. Countries that are new to implementing data protection legislation should consider strategies to identify and train the required human capacity for successful strengthening and implementation of health data legislation.

The Model Law and its provisions are primarily concerned with health data that has been digitised and so if the necessary digital infrastructure is lacking (for instance access to the Internet is not widely available) then implementing some of the model law provisions may be difficult. There are substantial resources to assist countries to evaluate their health data infrastructure.

The single law implementation method involves enacting a comprehensive, unified legal framework to govern all aspects of health data. If taking this approach, all sections of the Model Law could be useful. This could also mean enacting the Model Law as it is as a single law. This approach consolidates various aspects of health data governance, such as community consent, interoperability requirements and pandemic responses, under one central piece of legislation. This method simplifies compliance by providing a single point of reference for all stakeholders, including healthcare providers, data processors, and patients. It ensures uniformity across the sector, reducing ambiguity. However, the single law approach can be rigid, making it challenging to adapt to evolving technologies or sector-specific needs. It may also be more difficult to pass and amend, given the complexity of covering all aspects of health data governance in one statute.

The single law implementation method is more suitable for countries with a tradition of comprehensive and centralized legal systems, such as those following civil law traditions, where codification is the norm. These countries are better positioned to adopt a comprehensive health data governance framework that seamlessly integrates various legal provisions under one overarching law.

The multiple law implementation method divides the governance of health data across several laws, each addressing a specific aspect of health data. For instance, separate laws may govern patient privacy, data sharing for research, healthcare provider obligations, and data security standards. This approach allows for more specialised and focused laws and regulation addressing the unique requirements of each area. It also offers greater flexibility in updating or amending specific laws without updating the entire legal framework. However, the complexity of managing multiple laws can result in compliance challenges for stakeholders, as they must navigate different regulations that may occasionally overlap or conflict.

The multiple law implementation method would be particularly suitable for countries with established sector regulators and tailored sectoral enforcement in sectors such as healthcare, telecommunication and information technology. In this case, each sectoral regulator could oversee health data governance within its domain thereby ensuring that the law is enforced in a manner consistent with the sector’s specific requirements and existing legal frameworks. Countries with decentralised legal systems such as federations or those with strong regional governments will also find this approach easier. This is because multiple laws may be necessary to accommodate the different legal and institutional frameworks across regions or sectors. Furthermore, in countries where there are constraints, such as limited technical or human resources, making it difficult to implement the law comprehensively all at once, a multiple law approach becomes more suitable. This method offers flexibility by allowing for the phased implementation of the model law, enabling the country to address specific areas gradually as capacity builds over time.

The sandbox environment implementation method creates a controlled, experimental environment where new regulations, technologies, or health data governance models can be tested before full-scale implementation. This method allows policymakers and stakeholders to explore the impacts of specific regulations on health data usage without the risk of widespread disruption. It fosters innovation by providing a space for regulatory experimentation, allowing both regulators and industry players to better understand the implications of new frameworks. However, sandboxes require careful oversight to ensure that participant activities remain within agreed boundaries and do not negatively affect patient privacy or data security.

Several factors could make the sandbox environment implementation method a preferred initial choice for countries. These include an uncertain or evolving regulatory landscape, where experimentation is needed before full implementation. Countries with an innovative digital health sector may choose this approach to foster innovation while managing regulatory risks. Additionally, in cases of significant resource constraints, countries might prefer starting with a pilot project, like the sandbox method, before committing to a comprehensive implementation. Finally, this method is more suitable for smaller countries with massive institutional support and a good regulator as well as corporate sponsorship.

The incremental implementation method involves the gradual rollout of a health data governance framework over time. Laws or regulations are introduced in phases, allowing for progressive adaptation by healthcare providers, data processors, and other stakeholders. This method is particularly beneficial in jurisdictions where immediate large-scale changes may be disruptive or where healthcare systems are unevenly developed. By implementing changes incrementally, governments can gather feedback, assess challenges, and adjust before advancing to the next phase. However, this approach requires robust project management and may lead to delays or inconsistencies if not carefully managed.

A country may prefer an incremental implementation method when faced with a complex regulatory environment, as this approach allows for gradual adjustments based on stakeholder feedback. It is particularly suitable for countries with limited administrative capacity, enabling them to manage resources effectively without overwhelming existing systems. Additionally, the incremental method fosters stakeholder engagement and consensus-building, ensuring that privacy concerns are adequately addressed at each stage. This flexibility allows for tailoring regulations to the specific needs and contexts of the country, making it a pragmatic choice over other implementation methods.

The hybrid implementation method combines elements of the single and multiple law approaches. A foundational, overarching law may be enacted to establish key principles and rights concerning health data governance, while more specific, sector-focused regulations are implemented separately to address particular issues like data sharing for research, cross-border data transfers, or health data security. This method provides a balance between coherence and flexibility, ensuring that general principles apply universally, while allowing for specialised regulations to be tailored to different sectors or issues. It can, however, be complex to administer, and ensuring that the various laws and regulations are consistent and cohesive requires strong coordination.

The hybrid implementation method is a worthy candidate for a country under specific conditions, such as the need for flexibility in combining regulatory approaches to address diverse challenges. This method is advantageous in environments with varying levels of digital health maturity, allowing tailored strategies for different sectors. Additionally, countries facing both resource constraints and the need for innovation may find this approach beneficial, as it facilitates incremental changes while also enabling pilot projects.

The subsidiary legislation method relies on primary health data governance laws, but delegates authority to administrative bodies to create detailed regulations, guidelines, or codes of practice through secondary or delegated legislation. This method allows for greater adaptability and responsiveness to emerging issues or technological developments. Subsidiary legislation is typically easier to amend than primary laws, enabling faster updates to specific regulations as needed. However, this approach depends heavily on the competency and capacity of the regulatory bodies tasked with developing the subsidiary legislation. Additionally, it may lead to inconsistencies if these bodies produce regulations that conflict with broader legislative objectives or each other.

A country might prefer a subsidiary legislation model if it seeks to provide detailed regulations tailored to specific contexts, ensure flexibility in updating rules without passing new primary legislation, leverage existing legal frameworks for quicker implementation, and address the specific needs of different healthcare sectors or regions. However, this implementation method may be impossible to implement if the primary legislation does not enable the regulatory bodies to create the subsidiary legislation that is required by this method. As a result, it may be necessary to amend the primary legislation first before this method is legally possible.