A patient’s name, diagnosis, treatment history, and contact details are among the most sensitive categories of personal data that any organisation can hold. In the wrong hands — a data breach, an employee with access they shouldn’t have, or a WhatsApp message sent to the wrong person — that data can affect someone’s employment, their insurance, their relationships, and their dignity.
Tanzania’s Personal Data Protection Act (2022) treats health data as sensitive personal data, placing additional obligations on organisations that process it. Most Tanzanian healthcare providers — from large private hospitals to single-doctor clinics — have no formal data protection framework in place. This post explains what the PDPA actually requires of healthcare providers, where the most common gaps are, and what practical, affordable controls look like for a small medical practice.
Health Data Under the PDPA
The Tanzania PDPA distinguishes between ordinary personal data and sensitive personal data. Health data — including medical records, diagnoses, prescriptions, test results, and anything that reveals a person’s physical or mental health condition — falls in the sensitive category.
The distinction matters because sensitive personal data attracts stricter rules:
Higher consent requirements. Processing sensitive personal data generally requires explicit consent from the data subject, or must fall within one of the specified legal bases (medical treatment, public health necessity, legal obligation, or vital interest). Implied consent or a general terms-of-service agreement is not sufficient.
Stronger security obligations. The PDPA requires that data controllers implement technical and organisational measures appropriate to the risk. For sensitive health data, the bar is higher — encryption of records where technically feasible, access limited to those with a clinical or administrative need, and documented controls.
Breach notification. If a breach of sensitive personal data occurs, the Personal Data Protection Commission (PDPC) must be notified. Affected individuals must also be informed if the breach is likely to result in high risk to their rights and freedoms.
Data subject rights. Patients have the right to access their records, correct inaccuracies, and in some circumstances request deletion. You need a process for handling these requests.
Where Tanzanian Healthcare Providers Typically Fall Short
In conversations with healthcare administrators and IT leads, several patterns appear consistently:
WhatsApp as a patient communication channel. WhatsApp is the dominant communication tool in Tanzania, and healthcare providers use it extensively — to send appointment reminders, test results, referral letters, and prescription notes. WhatsApp messages to individual patients are generally lower risk. Group chats — common in referral networks — are a significant exposure: a patient’s condition can be inadvertently shared with everyone in the group. Attachments containing records are stored on personal phones, unencrypted, accessible to anyone who picks up the device.
Shared workstations with shared credentials. A single reception desk PC is accessed by all front desk staff under one login, and the Electronic Medical Record (EMR) system by multiple clinicians under the same account. When data is accessed inappropriately — whether accidentally or deliberately — there is no audit trail. No one can determine who saw what, when.
Paper records stored insecurely. Paper patient records in open filing rooms, accessible to cleaning staff, relatives of patients, and anyone who walks through an unlocked door. Some practices have partially digitised but continue to generate paper as a parallel system, with no clear policy on retention or destruction.
No offboarding process for IT access. When a nurse, receptionist, or doctor leaves the practice, their email account remains active for months. If they had access to the EMR system, that access persists. Former employees of healthcare providers are among the most common sources of data breaches globally, because access is rarely revoked promptly.
No privacy notice. Patients have a right under the PDPA to know how their data will be used, who it will be shared with, and how long it will be kept. A privacy notice — whether displayed in the waiting room, given at registration, or posted on a website — is a legal requirement for new patients. Most practices have nothing in place.
What the PDPA Requires in Practice
Here is a practical reading of the PDPA’s core requirements for a healthcare provider:
Register with the PDPC. Data controllers processing sensitive personal data must register with the Personal Data Protection Commission. This is a formal administrative step. Failure to register is itself a compliance gap.
Privacy notice for patients. You must inform patients — before or at the point of first processing their data — of what data you collect, why, who it is shared with (labs, referral hospitals, insurers, Ministry of Health reporting), how long you keep it, and their rights. This can be a laminated notice at registration, a form patients sign, or both.
Lawful basis for each category of processing. Routine clinical care is covered by the treatment necessity basis. Insurance billing is typically covered by legal obligation or legitimate interest. Marketing communications require explicit consent. You need to have mapped this and be able to explain your basis for each category.
Data minimisation. Collect only the data you need for the specific clinical or administrative purpose. If a phone number is sufficient for appointment reminders, you do not need to require a home address. If a diagnosis is needed for treatment, it should not also appear on the billing record sent to an employer’s HR department.
Access control. Access to patient records — digital and paper — should be limited to staff with a legitimate need. Reception staff do not need access to clinical notes. Junior clinical staff should not have access to records of patients who are not under their care.
Retention policy. How long do you keep patient records? Tanzania’s medical regulations specify minimum retention periods. The PDPA requires you to delete personal data that is no longer needed. You need a written policy that reconciles these requirements.
Breach response. What do you do if a receptionist accidentally emails a patient’s records to the wrong address? If a laptop containing patient data is stolen? If a former employee accesses records after leaving? You need a documented procedure that includes notification to the PDPC where required.
Practical Controls for a Small Practice
A solo GP or a small clinic does not need enterprise-grade infrastructure to achieve a meaningful baseline. Here is what practical compliance looks like:
Quick wins: Enable multi-factor authentication (MFA) on all email accounts. This blocks the most common route to mass exposure — an attacker gaining access to a doctor’s email and reading months of patient correspondence. Configure email so that it does not auto-sync to personal phones, or require device management if it does. Review EMR user accounts and create individual logins for each clinical and administrative user (if your system supports this). Revoke access for any departed staff immediately.
First month: Draft a one-page patient privacy notice. It does not need to be long or complex — it needs to tell patients what data you collect, why, and what their rights are. Display it at registration. Train front desk staff to mention it to new patients. Create a simple process for handling data access requests from patients (a designated email address and a commitment to respond within 21 days, as the PDPA requires).
First quarter: Conduct a data inventory. List every place patient data is stored: the EMR system, the email server, the filing room, the WhatsApp group with the referral lab, the spreadsheet the billing team keeps. For each, document who has access and why. Identify the highest-risk storage locations (the open filing room, the shared laptop) and address them.
Establish a protocol for WhatsApp. You will not eliminate WhatsApp from clinical communication — it is too embedded. But you can establish rules: no full patient records over WhatsApp, no group chats that include patient-identifying information, a named staff member responsible for clinical communications. Document the protocol and train staff on it.
The Cost of Getting This Wrong
The risks from inadequate patient data protection are not only regulatory. A breach of patient data — a test result shared to the wrong contact, a record accessed by a former employee, a laptop left in a taxi — carries genuine harm to the patient affected and significant reputational harm to the practice. Patients trust their healthcare providers with information they share with almost no one else. That trust is the foundation of the relationship.
The PDPC has authority to investigate complaints, conduct audits, and impose sanctions. As the Commission becomes more active, healthcare providers will face increasing scrutiny.
The controls described in this post are not expensive or technically complex. They require leadership commitment, a small amount of staff time, and the discipline to make them routine.
If you are a healthcare administrator or practice manager wanting to understand your full PDPA exposure and what to prioritise, a Tanzania PDPA Compliance Pack assessment is the right starting point — or if you want the full picture across data protection, cloud, and access controls first, the Security & Compliance Health Check covers all of it in two to three weeks.
Patient data is the most sensitive data your organisation holds. Treating it that way is both a legal requirement and the right thing to do.