Privacy Policy

How we protect and handle your data

Last updated: January 15, 2025

Introduction

AfriBiobank ("we," "us," "our") operates a federated medical imaging platform connecting African healthcare institutions. This Privacy Policy explains how we collect, use, protect, and share data.

Key Principle: Medical data remains under the control of originating institutions. Patients maintain rights over their data even after contribution to research. We are stewards, not owners, of African medical data.

Data Protection Principles

Our Commitment

AfriBiobank is committed to protecting the privacy and security of medical data. We adhere to the highest international standards for data protection including GDPR (EU), POPIA (South Africa), NDPR (Nigeria), and other regional African data protection laws.

Data Minimization

We collect only the minimum data necessary for platform operation and research purposes. All medical images are de-identified before sharing, with advanced techniques including facial detection in medical scans.

Purpose Limitation

Data is used exclusively for stated research purposes. Any change in data usage requires explicit consent from data controllers (healthcare institutions) and, where applicable, from patients.

What Data We Collect

Medical Imaging Data

De-identified medical images (X-rays, CT, MRI, ultrasound, pathology slides) with associated clinical metadata. All personally identifiable information (PII) is removed using automated and manual review processes.

User Account Information

Name, email, institutional affiliation, research credentials, and access permissions. This information is necessary for authentication, authorization, and audit purposes.

Usage Analytics

Technical data including API calls, dataset downloads, compute usage, and platform interactions. This helps us improve services and detect unauthorized usage.

Research Metadata

Project descriptions, collaboration networks, publication citations, and model training logs. This supports transparency and reproducibility in African medical research.

How We Protect Your Data

Encryption

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are managed using hardware security modules (HSMs) in African data centers.

Access Controls

Role-based access control (RBAC), multi-factor authentication (MFA), and just-in-time access for privileged operations. All access is logged and auditable.

Federated Architecture

Sensitive data can remain at source institutions using federated learning. Only model updates (not raw data) are shared centrally, preserving data sovereignty.

Regular Audits

Third-party security audits, penetration testing, and compliance assessments conducted quarterly. Vulnerability management with 24-hour SLA for critical issues.

Your Rights

Right to Access

You can request access to all data associated with your account, including usage logs and contributed datasets. We provide machine-readable exports within 30 days.

Right to Erasure ("Right to be Forgotten")

Institutions can request deletion of their contributed data. We provide detailed reports of where data has been used before deletion. Note: data used in published research may persist in public repositories.

Right to Rectification

You can correct inaccurate metadata or annotations. Major corrections trigger notifications to researchers who have used the affected datasets.

Right to Data Portability

Export your data in standard formats (DICOM, NIfTI, CSV) at any time. No vendor lock-in.

Right to Object

You can object to specific data processing activities, including automated decision-making and profiling. We honor these requests within legal constraints.

Data Sharing & Third Parties

Research Collaborators

Data is shared with approved researchers subject to data use agreements. All recipients undergo ethics training and agree to citation requirements.

Commercial Partners

Commercial access requires explicit consent from contributing institutions and revenue-sharing agreements. We maintain a public registry of commercial data usage.

Service Providers

We use trusted cloud providers (AWS, Azure, Google Cloud) for infrastructure, all with data processing agreements and African hosting options. Providers cannot access medical data without explicit authorization.

Legal Requirements

We may disclose data to comply with valid legal requests (court orders, regulatory investigations). We challenge overly broad requests and notify affected parties when legally permitted.

No Sale of Data

We never sell personal data or medical imaging data. Revenue sharing with institutions is based on collaborative use, not data sales.

Cookies & Tracking

Essential Cookies

Session management, authentication tokens, and security features. These cannot be disabled without breaking platform functionality.

Analytics Cookies

We use privacy-respecting analytics (not Google Analytics) to understand platform usage. These are optional and can be disabled in your account settings.

No Third-Party Tracking

We do not use advertising trackers, social media pixels, or other third-party tracking technologies. Your research activity is private.

International Data Transfers

We prioritize African data sovereignty. Primary data storage is in African data centers (Nigeria, Kenya, South Africa, Egypt). Data may be transferred outside Africa only:

  • With explicit institutional consent
  • For collaboration with international research partners
  • Using Standard Contractual Clauses (SCCs) or equivalent protections
  • With data processing agreements ensuring equivalent protection

Pediatric Data

Medical images from patients under 18 require additional protections. We obtain parental/guardian consent (documented in institutional records), apply stricter de-identification (face blurring, dental charts redaction), and limit usage to ethically approved pediatric research. Pediatric data is flagged in our systems and subject to extra access controls.

Data Retention

Medical Images:Retained indefinitely for research continuity (unless deletion requested)

User Accounts:Active + 3 years after last activity

Access Logs:7 years (regulatory requirement)

Usage Analytics:2 years

Contact Us

For privacy-related inquiries:

Data Protection Officer:

privacy@afribiobank.org

AfriBiobank Foundation

Lagos, Nigeria

Policy Changes

We may update this policy as regulations evolve. Material changes will be announced via:

  • Email to registered users
  • Platform notifications
  • 30-day notice period