How we protect and handle your data
Last updated: January 15, 2025
AfriBiobank ("we," "us," "our") operates a federated medical imaging platform connecting African healthcare institutions. This Privacy Policy explains how we collect, use, protect, and share data.
Key Principle: Medical data remains under the control of originating institutions. Patients maintain rights over their data even after contribution to research. We are stewards, not owners, of African medical data.
AfriBiobank is committed to protecting the privacy and security of medical data. We adhere to the highest international standards for data protection including GDPR (EU), POPIA (South Africa), NDPR (Nigeria), and other regional African data protection laws.
We collect only the minimum data necessary for platform operation and research purposes. All medical images are de-identified before sharing, with advanced techniques including facial detection in medical scans.
Data is used exclusively for stated research purposes. Any change in data usage requires explicit consent from data controllers (healthcare institutions) and, where applicable, from patients.
De-identified medical images (X-rays, CT, MRI, ultrasound, pathology slides) with associated clinical metadata. All personally identifiable information (PII) is removed using automated and manual review processes.
Name, email, institutional affiliation, research credentials, and access permissions. This information is necessary for authentication, authorization, and audit purposes.
Technical data including API calls, dataset downloads, compute usage, and platform interactions. This helps us improve services and detect unauthorized usage.
Project descriptions, collaboration networks, publication citations, and model training logs. This supports transparency and reproducibility in African medical research.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed using hardware security modules (HSMs) in African data centers.
Role-based access control (RBAC), multi-factor authentication (MFA), and just-in-time access for privileged operations. All access is logged and auditable.
Sensitive data can remain at source institutions using federated learning. Only model updates (not raw data) are shared centrally, preserving data sovereignty.
Third-party security audits, penetration testing, and compliance assessments conducted quarterly. Vulnerability management with 24-hour SLA for critical issues.
You can request access to all data associated with your account, including usage logs and contributed datasets. We provide machine-readable exports within 30 days.
Institutions can request deletion of their contributed data. We provide detailed reports of where data has been used before deletion. Note: data used in published research may persist in public repositories.
You can correct inaccurate metadata or annotations. Major corrections trigger notifications to researchers who have used the affected datasets.
Export your data in standard formats (DICOM, NIfTI, CSV) at any time. No vendor lock-in.
You can object to specific data processing activities, including automated decision-making and profiling. We honor these requests within legal constraints.
Data is shared with approved researchers subject to data use agreements. All recipients undergo ethics training and agree to citation requirements.
Commercial access requires explicit consent from contributing institutions and revenue-sharing agreements. We maintain a public registry of commercial data usage.
We use trusted cloud providers (AWS, Azure, Google Cloud) for infrastructure, all with data processing agreements and African hosting options. Providers cannot access medical data without explicit authorization.
We may disclose data to comply with valid legal requests (court orders, regulatory investigations). We challenge overly broad requests and notify affected parties when legally permitted.
We never sell personal data or medical imaging data. Revenue sharing with institutions is based on collaborative use, not data sales.
Session management, authentication tokens, and security features. These cannot be disabled without breaking platform functionality.
We use privacy-respecting analytics (not Google Analytics) to understand platform usage. These are optional and can be disabled in your account settings.
We do not use advertising trackers, social media pixels, or other third-party tracking technologies. Your research activity is private.
We prioritize African data sovereignty. Primary data storage is in African data centers (Nigeria, Kenya, South Africa, Egypt). Data may be transferred outside Africa only:
Medical images from patients under 18 require additional protections. We obtain parental/guardian consent (documented in institutional records), apply stricter de-identification (face blurring, dental charts redaction), and limit usage to ethically approved pediatric research. Pediatric data is flagged in our systems and subject to extra access controls.
Medical Images:Retained indefinitely for research continuity (unless deletion requested)
User Accounts:Active + 3 years after last activity
Access Logs:7 years (regulatory requirement)
Usage Analytics:2 years
For privacy-related inquiries:
Data Protection Officer:
privacy@afribiobank.org
AfriBiobank Foundation
Lagos, Nigeria
We may update this policy as regulations evolve. Material changes will be announced via: