Data Protection & Institutional Security: Your Health Information Is Not Institutional Property

The Silent Violation Happening Every Day in Your Hospital or Clinic
Jeremiah Salia, CDPO Certified Data Protection Officer / Security Professional / GAPP

Picture this: A colleague walks past you in the corridor and pauses. There is something in their expression, not quite sympathy, not quite curiosity, but something in between. They ask how you are feeling. You say you are fine. They nod slowly, in the way people nod when they already know the answer. You think nothing of it at the time.

Later, you find out. The clinic told someone. That someone told someone else. And now, in the institution where you work, where you have built your reputation and your professional relationships over years, people know health information about you that you never chose to share with them.

This is not a rare occurrence. It is not an exceptional failure. It is the quiet, everyday reality of how health information moves, and is mishandled, in institutional hospitals and clinics across this country. And it is happening right now, to people who trusted the system with their most private information and received no protection in return.

The Law Is Clear. The Practice Is Not.

Under Ghana's data protection framework, institutions that determine how health information is collected, stored, and used bear primary responsibility for ensuring its lawful processing and protection.

Ghana has had formal data protection legislation since 2012. The Data Protection Act (Act 843) classifies health data as special category personal data, the highest tier of legal protection available. The Public Health Act, 2012 (Act 851) is equally direct: a patient’s medical information shall not be divulged to any third party without that patient’s consent, except where required by law or demanded by public interest. The Constitution of Ghana affirms every individual’s right to determine what is known about their private life.

Together, these laws place a clear and enforceable obligation on every institutional health facility: health records must be handled only by authorised persons, stored securely, used only for the specific purpose for which they were collected, and not shared without the patient’s informed consent. Every receptionist, every records officer, every nurse, every administrator who handles a patient file is operating within the scope of this law. Most of them have never been told. Lack of awareness does not remove legal responsibility. Institutions remain accountable for ensuring that personnel handling health records understand their obligations under the law.

What Is Actually in That File

A health record is not a routine administrative document. It holds a person’s diagnosis, medication history, laboratory results, mental health assessments, reproductive health information, and a record of every visit they have made to that facility. The name of a medication alone, an antiretroviral, a psychiatric drug, a fertility treatment, can disclose a diagnosis the patient has shared with nobody. When this information is improperly disclosed, the consequences are not administrative. They are personal, professional, and in many cases permanent.

The Institution Itself Creates the Risk

Before any individual makes a careless or deliberate decision with a patient’s health record, the institution’s own policies have often already created the conditions for breach. Three practices are particularly widespread and particularly damaging.

The first is the authorisation requirement.

Many institutions insist that members who seek treatment at an external hospital bring their medical certificate to the institutional health facility for endorsement before HR or management will accept it. When that certificate arrives, a clinic officer reads it in full, the diagnosis, the doctor, the hospital attended. It is then recorded in the facility’s own system. A condition the patient chose to treat privately, at a facility specifically outside their institution, is now an institutional record. The patient never consented to that transfer. The system simply assumed the right to make it.

The second is the medical refund claim.

When a patient submits a claim for reimbursement, they are typically required to provide prescriptions, receipts, and in many cases diagnosis letters or clinical reports. These documents land on the desk of a finance officer whose training is entirely financial and whose understanding of health data confidentiality is, in most cases, non-existent. The prescription is reviewed, discussed with a colleague to confirm eligibility, queried upward to a supervisor for approval, photocopied for records, and filed in a general cabinet alongside budget documents and procurement invoices. A patient submitted a financial claim. They did not submit their medical history for review by the accounts department. The system made no distinction between the two.

The third is the sick leave chain.

A medical certificate submitted for sick leave passes from the patient to a secretary, to a head of department, to HR, to a senior officer, with the full diagnosis visible at every stage to every person in the chain. The head of department needs to know the duration of absence, not the diagnosis. The approving officer needs confirmation of medical support, not clinical details. Yet because no institution has formally defined what each person is entitled to receive, everyone receives everything. The law already requires the opposite: each person in the chain receives only the minimum information necessary for their specific function. Nothing beyond what is necessary.

The principle of data minimisation requires that only the information necessary for a specific purpose be disclosed. A supervisor may need confirmation that an employee is medically unfit for work, but not the diagnosis itself. A finance officer may need evidence that an expense qualifies for reimbursement, but not unrestricted access to a patient's medical history. When institutions fail to distinguish between what is necessary and what is merely available, privacy violations become inevitable.

What Health Facility Staff Get Wrong Every Day

Beyond policy failures, the daily practices of health facility staff introduce their own serious risks, most of them rooted not in malice but in habit, familiarity, and a complete absence of training.

When It Becomes Deliberate

In workplaces where power is unequal and professional survival depends on relationships, and in Ghana, we know this dynamic well, health information can be, and is, used as a tool of control. A junior receptionist who feels they cannot refuse a senior officer demanding information. A supervisor who learns of a staff member’s condition and uses it not through formal process, but through quiet exclusion, manufactured doubt, and the slow reassignment of responsibilities. The affected patient feels the shift but cannot name the source. Nothing is ever said directly.

A colleague who learns of a chronic illness builds a quiet narrative around the affected patient, raising doubts about reliability, suggesting reassignment of projects, positioning themselves more favourably at the other person’s expense. The source of the damage is invisible. The harm is entirely real.

And then there are those who hold information and wait, not to act on it immediately, but to keep it as leverage. To produce it during a disciplinary process, a performance dispute, or any moment of institutional conflict where they need to silence, discredit, or diminish another person. The patient lives their daily life completely unaware that somewhere in the institution, someone is sitting on their most private health information, waiting for the right moment to deploy it. This is not a hypothetical. It is the lived experience of people in institutions who went to the health facility in good faith and found, too late, that what they gave in trust had been quietly turned into a weapon.

If This Has Already Happened to You

If you are reading this and recognising your own experience, if your health information was shared without your consent, used against you, or handled in ways that have affected your reputation, your career, or your peace of mind, you are not without recourse. Ghana’s Data Protection Act gives you the right to file a complaint with the Data Protection Commission. You have the right to know who accessed your information, the right to demand accountability, and the right to seek redress. What was done to you was not acceptable. It was not inevitable. And it was not legal. Do not suffer in silence when the law is on your side.

The Consequences That Follow a Patient for Life

Health privacy violations do not stay inside office walls. They follow people, into their careers, their families, their communities, and their sense of who they are.

A patient whose reproductive health matter becomes known beyond the clinic may find that one of the most painful experiences of their private life has become institutional conversation, referenced in whispers, embedded in assumptions, present in every professional interaction that follows.

A patient whose condition is used against them by a supervisor or colleague may find their career permanently altered, promotions withheld, contracts quietly not renewed, responsibilities reassigned, on the basis of information that should never have left the consultation room. They may spend years not knowing why. The decisions made about them will never reference the real reason.

For some, the damage extends beyond work entirely. Into their marriage. Into their standing in their community. Into how they see themselves. A person can recover from an illness. Recovery from its institutional exposure, particularly where it has been deliberately used against them, is far less certain. Some never fully do.

What Must Change - And It Must Change Now

Every institution that operates a hospital or clinic, that processes sick leave applications, that handles medical refund claims, is already legally obligated to act. Not eventually. Now.

Health records must be formally separated from administrative and finance processes. Prescriptions, diagnosis letters, and clinical reports must remain within the health facility, handled exclusively by designated, confidentiality-bound officers. Finance receives only what is necessary to process a claim. HR receives only the duration of incapacitation and fitness to return. The diagnosis goes no further.
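The minimisation rule stated here, and in the sick leave chain described earlier, amounts to an allow-list of fields per role, with the clinical fields never leaving the clinic and every disclosure logged so a patient can later ask who saw what. The Python below is an added illustration, not code from the author or from any institution's system; the record, the role names, the field names and all values are constructed for the example.

```python
from datetime import date

# Constructed sample record: everything the clinic holds about one episode of care.
FULL_RECORD = {
    "patient_id": "P-0001",
    "diagnosis": "major depressive episode",   # clinical: must not leave the clinic
    "medication": "sertraline 50 mg",          # clinical: the drug name alone reveals the diagnosis
    "facility": "External Clinic (constructed)",
    "unfit_from": "2024-03-04",
    "unfit_to": "2024-03-15",
    "fit_to_return": "2024-03-18",
    "claim_amount_ghs": 420.00,
    "receipt_ref": "RCPT-778",
    "eligible_for_refund": True,
}

CLINICAL_FIELDS = {"diagnosis", "medication", "facility"}

# Allow-list per role: each link in the chain gets only what its function needs.
ROLE_FIELDS = {
    "clinic": frozenset(FULL_RECORD),
    "head_of_department": frozenset({"patient_id", "unfit_from", "unfit_to"}),
    "hr": frozenset({"patient_id", "unfit_from", "unfit_to", "fit_to_return"}),
    "finance": frozenset({"patient_id", "claim_amount_ghs", "receipt_ref", "eligible_for_refund"}),
}

ACCESS_LOG = []  # who saw which fields, so a patient can later ask who accessed what

def view_for(role, record, actor):
    """Return the minimised view for a role (unknown roles get nothing) and log the access."""
    allowed = ROLE_FIELDS.get(role, frozenset())
    view = {k: v for k, v in record.items() if k in allowed}
    ACCESS_LOG.append({"actor": actor, "role": role, "patient_id": record["patient_id"],
                       "fields": sorted(view)})
    return view

def exposes_clinical_data(view):
    """True if a view contains any field that belongs only inside the health facility."""
    return bool(CLINICAL_FIELDS & view.keys())

def days_of_absence(view):
    """What a head of department actually needs: the length of absence, not the reason."""
    start, end = date.fromisoformat(view["unfit_from"]), date.fromisoformat(view["unfit_to"])
    return (end - start).days + 1

if __name__ == "__main__":
    for role in ("head_of_department", "hr", "finance", "secretary"):
        v = view_for(role, FULL_RECORD, actor=f"user-{role}")
        print(role, v, "CLINICAL LEAK" if exposes_clinical_data(v) else "ok")
```

A role that is not on the allow-list (the secretary in the sample run) receives an empty view rather than the whole certificate, which is the default the text argues institutions currently get backwards.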

Personal messaging platforms must be immediately prohibited for the transmission of any health-related documentation. Every institution that permits this practice is accumulating legal liability with every message sent.

Unauthorised delegation of clinical procedures must be formally prohibited. Informed consent must be obtained before every additional test, without exception. These are not procedural suggestions. They are the baseline of what every patient is already legally entitled to expect.

Every member of health facility staff, clinical and administrative, must receive formal training on their obligations under the Data Protection Act and the Public Health Act. And when a breach occurs, there must be documented, proportionate consequences. Because without accountability, nothing changes. The same practices continue. The same patients are harmed.

To every Chief Executive, Vice Chancellor, Director-General, and institutional leader reading this: the law does not exempt you by virtue of your position. It holds you responsible because of it. The health information entrusted to your institution is your legal responsibility, and protecting the dignity of those to whom it belongs is your institutional obligation.

A Closing Word

Every person who has ever walked into an institutional hospital or clinic carrying a condition they were afraid to name, who handed over a certificate they would rather have kept private, who sat in a consultation room and answered questions about their body because the system required it, did so on the basis of a promise.

That promise is being broken. Quietly, routinely, and in ways that some never recover from.

The health information contained in that file is not merely data. It is a person's dignity, reputation, and right to decide who knows the most private details of their life.

In our culture, we say that what you do in secret will one day stand in the open. For those who mishandle the health records of others, that day is coming.

Guard it as though someone’s life depends on it. Because in ways that matter more than medicine can measure, it does.

About the Author

Jeremiah Salia is a Certified Data Protection Officer, Security Professional, and registered member of the Ghana Association of Privacy Professionals (GAPP), with hands-on experience in data governance and institutional security within higher education. He writes on data protection and the everyday administrative practices that shape how institutions handle personal information. This article is part of a series addressing physical data protection risks commonly overlooked in institutional environments.

Disclaimer: "The views expressed in this article are the author’s own and do not necessarily reflect ModernGhana official position. ModernGhana will not be responsible or liable for any inaccurate or incorrect statements in the contributions or columns here."