Strengthening health data governance legislative frameworks: The foundation of trusted digital health and AI
The discussion focused on strengthening legislative frameworks for health data governance as the basis for trusted digital health and AI. Mathilde Forslund argued that digital technology and AI can improve planning, innovation, patient care and health systems, but only if governance keeps pace and earns public trust through rights-based, equitable and people-centred approaches.
She said this requires inclusive engagement, stronger national legislation on health data and AI, and regional and global alignment to avoid fragmented rules that undermine trust and cross-border data sharing.Forslund also stressed that countries do not need to start from scratch because existing principles, model laws and international guidance already provide a foundation for national, regional and global frameworks.She highlighted growing momentum, including support at the World Health Assembly for a global health data governance resolution, the Global Digital Compact, regional work by Africa CDC, and the European Health Data Space.Kirsten Mathieson framed the panel around identifying national legal challenges and pathways towards global alignment and concrete action.
Speaking from Zambia, Andrew Kashoka said the country’s experience showed that technology moves faster than policy, and policy moves faster than legislation - yet to build trust and achieve sustainability, countries ultimately need all three elements. Policies and guidelines provide direction, but legislation establishes rights, responsibilities, and enforceable accountability: it defines who may access health data, under what conditions that data may be shared, how consent is managed, how privacy is protected, and what remedies exist when trust is breached. In this context, the Africa CDC process offers a way to build shared principles, legal interoperability and trusted cross-border collaboration.Linda Bonyo argued that the main problems are poor coordination, siloed processes and weak implementation rather than a lack of policy.
She criticised the exclusion of parliaments and judiciaries from governance discussions, called for capacity-building for data protection authorities, and said African participation in global forums must be improved through more accessible and representative processes.Simao Ferraz de Campos Neto added that private-sector involvement, technical standards, data discoverability and clearer risk-based AI regulation are all necessary to make data sharing workable without stifling innovation.Jamal Alshanfari said the strong support seen at the World Health Assembly showed readiness to move from rules to implementation, and he outlined four priorities: broader consensus, stronger national capacities and laws, practical implementation guidance, and inclusive consultation involving governments, academia, civil society, the private sector and end users.The session closed with a sense of momentum towards a World Health Assembly resolution and broader cooperation to turn existing governance principles into practical, trusted health data systems.
- The discussion centred on the urgent need for stronger, rights-based legislative frameworks for health data and AI governance, because digital health and AI are advancing rapidly and public trust depends on governance keeping pace. Speakers stressed that laws must define rights, responsibilities, consent, privacy protections, accountability and remedies, not just policies or guidelines.
- A major point was that national action alone is insufficient; regional and global alignment is needed to avoid fragmented or incompatible rules and to enable trusted cross-border data sharing, research, interoperability and health security. Examples cited included the Africa CDC continental framework, the European Health Data Space, the Global Digital Compact, and momentum towards a possible World Health Assembly resolution.
- Speakers highlighted that useful foundations already exist and the challenge is not starting from scratch but improving coordination, alignment and implementation. Existing resources mentioned included Transform Health’s health data governance principles and model law, OECD recommendations, WHO AI guidelines, and other emerging regulatory tools. Linda Bonyo especially argued that there is a coordination problem, with siloed initiatives and duplication across institutions and forums.
- Another major discussion point was that effective governance requires broader inclusion and capacity building across stakeholder groups. Participants argued that member states, parliaments, judiciaries, civil society, academia, the private sector and end users all need to be involved, while technical and institutional capacity must be strengthened, especially for data protection authorities and implementation bodies.
- The panel repeatedly emphasised that implementation is the real bottleneck: many countries and organisations already have strategies or policy ideas, but lack budgets, skills, technical standards, legal clarity and practical guidance to operationalise them. This included concerns about over-reliance on imported models, insufficient contextualisation to local realities, slow progress, and the need for interoperable standards and practical mechanisms for safe data sharing.
- The overall purpose of the discussion was to examine how stronger legislative and governance frameworks for health data and AI can be built at national, regional and global levels in order to support trusted, equitable and rights-based digital health transformation. The session aimed to identify gaps, highlight existing initiatives, and build momentum towards more coordinated action, including possible global action through the World Health Assembly.
- The overall tone was constructive, collaborative and policy-focused throughout, with a strong sense of urgency. It began as a welcoming and agenda-setting discussion, moved into a more critical and candid assessment of fragmentation, exclusion and implementation failures, and concluded on a pragmatic but hopeful note about political momentum and next steps.
The session focused on how stronger legislative frameworks for health data governance can support trusted digital health and AI. Opening the discussion, Mathilde Forslund thanked participants and introduced the session as part of the WSIS Forum’s rights-based digital cooperation agenda. She explained that Transform Health works to support universal health coverage through equitable, inclusive and sustainable digital transformation grounded in rights-based use of data.Forslund said digital technologies and AI are transforming health systems rapidly, with data as the fuel behind improvements in planning, innovation, patient care, outbreak prediction and stronger health systems, but argued that these benefits will only be realised equitably and responsibly if governance keeps pace and public trust is maintained.She described health data and AI governance as requiring fair, transparent and representative rules, systems and decision-making processes that benefit all populations.She highlighted four needs in particular: value-based principles grounded in human rights and equity; inclusive processes so populations are informed, engaged and empowered about their data rights, know where their data goes and how it is used, and have avenues for redress in cases such as misinformation or misuse; stronger national legislation on the collection and use of health data and AI; and regional and global alignment to avoid fragmented and incompatible rules that weaken trust and obstruct cross-border data sharing.
Forslund added that the field does not need to start from scratch because substantial work already exists at national, regional and global levels.She pointed to Transform Health’s 2022 health data governance principles, endorsed by more than 175 organisations and governments, and to a model law designed to help countries draft national legislation.She also referred to OECD health data governance recommendations, WHO AI guidance and ongoing work by the Health Data Collaborative.She said the discussion was taking place at a critical moment, citing political support at the World Health Assembly in May for a possible global health data governance resolution, the 2024 Global Digital Compact, the continuing relevance of WSIS action lines, regional work led by Africa CDC towards a continental framework, and the development of the European Health Data Space by the European Commission.Her argument was that these should be connected through a global framework with shared standards and clear protocols for responsible cross-border data sharing while still supporting country-level implementation.Kirsten Mathieson then framed the panel as a discussion moving from national legal challenges to regional and global alignment. She introduced a panel drawn from government, diplomacy, law, the private sector and the ITU.Andrew Kashoka linked global commitments to Zambia’s national experience. He said Zambia had co-facilitated, with Sweden, the negotiations leading to adoption of the Global Digital Compact in 2024, which recognises trusted and interoperable data governance as essential for digital transformation while protecting human rights, privacy and security and calling for stronger international cooperation on data governance and AI.He also described Zambia as the first mover country of the WHO Global Initiative on Digital Health, the GUIDE, through which it had improved coordination, assessed digital health maturity, advanced a digital health blueprint and mobilised partners around a single country plan.Kashoka argued that legislation is necessary because “technology moves faster than policy and policy moves faster than legislation”.He said Zambia’s National Digital Health Strategy 2022-2026 addresses health information governance, data quality, interoperability, privacy, security and the responsible use of health data, but stressed that these are governance issues requiring legal certainty, institutional accountability and public trust.In his account, policies and guidelines can provide direction, but legislation is what establishes enforceable rights and duties, defines who may access health data, under what conditions it may be shared, how consent is managed, how privacy is protected and what remedies are available when trust is breached.He said this legal foundation becomes even more important as countries adopt electronic health records, digital public infrastructure and AI.Kashoka also described the Africa CDC process as a regional effort shaped by consultations across African Union member states.He said the resulting continental health data governance framework reflects African priorities, experiences and aspirations, supports countries in developing coherent legal and regulatory approaches, and facilitates trusted cross-border collaboration, interoperability and health security as part of broader digital transformation.He added that for Zambia this regional approach offers an alternative to each country legislating in isolation, while supporting legal interoperability, regional research, disease surveillance, responsible AI innovation and public trust across borders.Mathieson responded by underlining his point that legislative frameworks are needed to establish rights, enforceability and accountability, and by linking this to regional and global processes.Linda Bonyo shifted the discussion towards coordination and implementation. After apologising for arriving late, she said she wanted to focus on the initiatives already under way and argued that the field’s main difficulty is not simply lack of policy but lack of coordination.She described a siloed environment in which multiple actors are working on similar issues without speaking to each other, and said that in the Africa data governance policy working group it had been striking to see national offices unaware of what was happening in other spaces.She added that member states often send different focal points to Geneva, Nairobi, Addis Ababa and New York, and these representatives are not always aligned with one another.Bonyo also argued that key institutions are being left out of governance processes. She said parliamentarians continue to be excluded even though they need to be involved, and that judiciaries are similarly neglected despite the fact that they are often “stating what needs to be the law”, especially where there is a vacuum or lacuna in existing rules.Mathieson later agreed that parliaments should be brought in from the beginning and can help champion legislative change.A further focus of Bonyo’s remarks was capacity building. She said “a lot of people do not know the difference between sensitive data and where health data rests and what it sits on”, and argued that capacity building should start with data protection authorities.She said many countries have borrowed European data governance frameworks without also building the institutional capacity and budgets needed to make them work.She linked this problem to AI governance, saying that data protection authorities often become the default AI regulators without the necessary technical expertise.She mentioned Rwanda’s new AI agency as one example of a different approach, while noting that in countries such as Ghana AI governance still sits within the data protection authority.Her view was that health sector actors need to work more closely with data protection authorities and that technical and policy skills must be strengthened together.Bonyo also raised barriers to African participation in global governance discussions. She said there were very few Africans present across the week’s AI discussions and linked this to visa barriers and the cost of taking part in Geneva-based processes.She argued that if policy processes run for several years, it is unrealistic to expect meaningful participation through repeated short-term visas and expensive travel, and she suggested longer-term visas or multi-year passes, as well as partnerships that would reduce those barriers.She summarised the practical challenge by saying it is “not a policy problem… it’s implementation”.She noted that many African countries are already developing national AI strategies, some with provisions relevant to health data, but said implementation is constrained by limited budgets, weak skills and over-reliance on imported models.She illustrated this by saying countries were trying to have “Beyoncé’s hair without Beyoncé’s budget or stylist”, meaning they were borrowing sophisticated models without the resources and institutional support behind them.She argued for frameworks rooted in African realities, including realities such as the role of community health workers.In a brief follow-up, she added that there is an opportunity to connect working groups deliberately and bring them together rather than letting them continue separately.Simao Ferraz de Campos Neto focused on technical standards, private sector participation and the complexity of AI regulation. He said the discussion had already shown fragmentation in legislative frameworks, problems of literacy and insufficient inclusion of some stakeholders.He argued that the private sector is often missing from these conversations even though organisations such as the ITU work closely with both member states and companies, and much of the ICT standards infrastructure is driven by industry.He said the private sector wants clarity and understandable rules.Campos Neto also addressed the problem sometimes described as data hoarding. He said institutions and companies may hold back data not only because of greed, but also because they fear liability or do not know how to share data safely.He added that pharmaceutical companies often treat data as trade secrets and rely on bilateral agreements, making data discovery and sharing slow and costly.As practical responses, he called for stronger technical standards, better data formatting, machine-discoverable datasets and template agreements that would clarify permitted uses and help automate safe sharing processes.He referred to the European Health Data Space as an example of movement in the right direction, while saying that some technical interconnections were still missing.On AI regulation, Campos Neto said AI is not a single technology but a collection of technologies with different histories, maturity levels, implications and risk profiles.He therefore argued for legislation that is risk-aware and proportionate to context and use case, because some applications are much riskier than others and require more safeguards.He also stressed the need for greater literacy among policymakers and warned against frameworks so burdensome that they stifle innovation and discourage productive private sector engagement.Mathieson briefly drew out his point that legislative frameworks need to provide enough clarity for data to be used responsibly for health outcomes.Jamal Alshanfari closed the panel with a political perspective on next steps. He said the discussion itself was a useful first step because it brought stakeholders together, and he pointed to the strong political support visible at the World Health Assembly high-level meeting as a sign that member states were ready to move towards implementation.He also agreed with earlier speakers that many rules already exist and that what is needed now is implementation in practice.He then outlined four priorities: broader consensus among member states and stakeholders; stronger national capacities and laws; practical implementation guidance, including with WHO advice; and continued consultations involving governments, international organisations, academia, civil society, the private sector and end users.Alshanfari stressed that “everybody forgets about the end user”, even though end users are the people who will actually use and be affected by these tools.He also said that future frameworks need to support countries with different levels of digital health maturity, respect national sovereignty, and rely on a strong legal framework to build trust.He concluded that the route towards a global framework begins with practical cooperation among all these actors.In her closing remarks, Forslund thanked the speakers, said the discussion showed encouraging progress at national, regional and global levels, and pointed to the coming World Health Assembly as an opportunity to advance a health data governance resolution.The audience intervention added a practical challenge. A participant from Belgium said progress on the European Health Data Space had been very slow and asked whether there is any place in the world where citizens can currently share their data publicly through a public institution.In response, Alshanfari did not give a concrete example. Instead, he referred to the forthcoming draft resolution and said it would be pushed through the next Executive Board process with support from member states and other stakeholders.Across the discussion, speakers repeatedly called for stronger national legislation, better coordination across initiatives, regional and global alignment, broader inclusion of parliaments, judiciaries, the private sector and end users, and greater attention to implementation capacity, budgets and technical expertise.
The audience question highlighted a remaining gap between high-level governance efforts and concrete citizen-facing mechanisms for sharing health data.
The knowledge base confirms Forslund’s role and Transform Health’s mission in closely related remarks at UNGA, where she identified herself as Executive Director of Transform Health and described it as a global coalition working to harness digital transformation to achieve universal health coverage by 2030, stressing equity and rights-based principles [S98]. The WSIS-specific framing in the report is not directly evidenced in the cited knowledge base extract, but the broader organisational description is consistent [S98].
This is consistent with the knowledge base, which says AI has been used for diagnosis, screening, clinical care, outbreak surveillance, and public health response, while also creating risks around privacy, inclusiveness, accountability and cybersecurity that require governance attention [S21]. It also aligns with the broader point that policymaking must catch up with technical innovation in digital health [S23].
The knowledge base directly supports this. In her UNGA remarks, Forslund called for 'strong legislative and regulatory environments' for digital transformation in health, including stronger health data governance regulation to govern data collection and use and support responsible innovation [S98].
The knowledge base supports the underlying emphasis on rights-respecting and transparent data practices, including concerns about consent, personal data use, and fair and transparent data practices in health and pharmaceutical contexts [S22]. It does not directly confirm the specific language about public redress mechanisms, but it adds relevant human-rights context [S22].
This is corroborated by the knowledge base. WHO-linked discussion notes that health technologies often involve stakeholders across borders and that privacy regulation should therefore be harmonised internationally [S21]. Additional Africa-focused material also describes fragmentation in data governance rules and the need for harmonisation to enable cross-border data flows while protecting rights [S48].
The knowledge base supports the general point that relevant international guidance already exists. It notes WHO’s first guidelines on digital health interventions from 2019 and continuing intergovernmental momentum on digital health governance [S23]. However, the specific references to OECD recommendations and the Health Data Collaborative are not substantiated in the provided sources [S23].
No provided knowledge base source confirms this reported World Health Assembly development. The available material discusses digital health and AI governance broadly, but does not evidence a WHA decision or support in May for a possible global health data governance resolution [S21] [S23]. This claim should therefore be treated cautiously unless supported by another source.
The knowledge base confirms the relevance of the Global Digital Compact and ongoing WSIS-related processes in current digital governance debates [S101] [S102] [S106]. It also confirms that Africa is discussing continental approaches to data governance and harmonisation, though the provided sources refer more generally to AU and Africa-wide frameworks than specifically to Africa CDC [S48] [S100]. The European Health Data Space reference is not evidenced in the supplied extracts.
This is consistent with knowledge base discussions of harmonisation, shared standards, and cross-border data governance. Data governance is described as needing technical standards for interoperability, legal protections, and international coordination [S112]. Africa-focused material likewise stresses harmonised frameworks and data-sharing mechanisms to enable cross-border flows while safeguarding rights [S48].
The knowledge base shows Zambia has been in wider digital governance processes, including co-facilitating the Global Digital Compact after taking over from Rwanda in 2023, and articulating positions on inclusion, human rights, cross-border data governance, and interoperability [S101] [S102]. This supports the plausibility of a Zambian speaker linking global commitments to national experience, although it does not directly identify Andrew Kashoka or his remarks.
The only provided knowledge base figure for Transform Health’s scale is that it is a coalition of 'more than two hundred organisations' [S98]. The specific endorsement claim about 'more than 175 organisations and governments' is not confirmed in the supplied sources and should not be treated as verified on this evidence alone [S98].
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
Arg. 1Forslund argues that digital health and AI can only earn and retain public trust if they are governed through rights-based, equitable and people-centred rules. She says this requires not only fair and transparent governance at national level, but also stronger legislation and regional or global alignment so that countries do not end up with incompatible systems.
She states that digital technology and AI offer major benefits for planning, innovation, patient care, outbreak prediction and stronger health systems, but says those benefits can only be realised equitably and responsibly if governance keeps pace . She then defines the needed governance as fair, transparent, representative and beneficial for all populations, calls for stronger national legislation on collection and use of health data and AI, and warns that without regional and global alignment there will be a patchwork of incompatible rules that undermines trust and cross-border data sharing .
on: Public trust, rights protection and accountability are central to successful health data and AI governance
on: Whether AI governance should be approached through broad common rules or more differentiated risk-based regulation
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund)
Arg. 2Forslund argues that health data governance work already has a substantial foundation, so governments and institutions should focus on alignment and coordination rather than starting anew. She presents existing principles, model laws and international guidance as practical building blocks for future national, regional and global frameworks.
She says the foundations already exist and that there has been progress at national, regional and global levels, meaning the field does not need to start from scratch . As evidence, she cites Transform Health’s 2022 health data governance principles endorsed by more than 175 organisations and governments, its model law used to support national legislation, the OECD Health Data Governance recommendations backed by 38 member states, WHO AI guidelines, and work by the Health Data Collaborative as possible starting points for broader frameworks .
on: Existing frameworks and current political momentum provide a practical basis for further action rather than requiring a completely new start
on: Whether current governance efforts are meaningful despite slow progress, or insufficient without concrete public-facing data-sharing mechanisms
Inclusive processes are necessary so people understand their data rights, know how their data is used and have avenues for redress when misuse occurs (Mathilde Forslund)
Arg. 3Forslund stresses that governance must involve meaningful public engagement, not only formal rules. Her point is that people need to be informed and empowered regarding their data rights, and governance systems must provide remedies when data is misused or misinformation causes harm.
She says populations should be informed, engaged and empowered about their data rights, should know where their data goes and how it is used, and should have avenues to seek redress . She adds that if there is misuse of data or problems such as misinformation, people must have practical means to address those harms .
on: Public trust, rights protection and accountability are central to successful health data and AI governance
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
Arg. 1Kashoka argues that successful digital health governance requires a full chain of technology, policy and law. In his view, policies and guidelines may provide direction, but only legislation can create enforceable rights, define responsibilities and guarantee accountability when data governance fails.
He says Zambia’s experience has shown that technology moves faster than policy and policy faster than legislation, but that countries need all three to build trust and sustainability . He explains that policies and guidelines provide direction, whereas legislation establishes rights, responsibilities and enforceable accountability, including rules on access to health data, data sharing, consent, privacy protection and remedies when trust is breached .
on: Public trust, rights protection and accountability are central to successful health data and AI governance
on: Whether AI governance should be approached through broad common rules or more differentiated risk-based regulation
Zambia’s experience and the Africa CDC process show that regional frameworks can help countries develop coherent laws, improve interoperability, support surveillance and research, and contribute African perspectives to global governance debates (Andrew Kashoka)
Arg. 2Kashoka presents regional cooperation as a practical way to help countries avoid developing laws in isolation. He argues that the Africa CDC process can support legal coherence, cross-border collaboration and interoperable systems, while also allowing African priorities and perspectives to shape global governance discussions.
He notes that Zambia participated in consultations on the Africa CDC-led continental framework and says those consultations have helped shape a framework reflecting African priorities, experiences and aspirations . He adds that the framework can help countries build coherent legal and regulatory approaches, facilitate trusted cross-border collaboration, interoperability, surveillance and research, and ensure that Africa contributes its own people-centred and rights-based perspective to global debates rather than merely adopting external models .
on: Existing frameworks and current political momentum provide a practical basis for further action rather than requiring a completely new start
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Arg. 1Alshanfari argues that the political will for health data governance is already visible, especially from recent high-level processes, but that momentum must now be translated into implementation. He says the priority is to strengthen national legal frameworks, build wider agreement among stakeholders and develop practical guidance so trust can be established in practice.
He says the political support shown during the World Health Assembly high-level meeting demonstrated that states are ready to act . He then identifies four next-step priorities: building broader consensus, strengthening national capacities and laws, and developing practical implementation guidance, concluding that strong legal frameworks are needed because what is now required is trust .
on: Existing frameworks and current political momentum provide a practical basis for further action rather than requiring a completely new start
on: Whether current governance efforts are meaningful despite slow progress, or insufficient without concrete public-facing data-sharing mechanisms
A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari)
Arg. 2Alshanfari argues that a workable global framework must be cooperative and flexible rather than one-size-fits-all. He says it should reflect different national levels of digital health maturity, preserve sovereignty and include a broad multistakeholder process that also brings in end users.
He says future work should continue consultations involving governments, international organisations, academia, civil society, the private sector and end users, adding that end users are often forgotten even though they are the people who will use these tools . He further argues that any future framework should support countries at different levels of digital health maturity, respect national sovereignty and proceed through practical cooperation .
on: Governance processes must be inclusive and multistakeholder, involving not only governments but also parliamentarians, judiciary, private sector, civil society, affected regions and end users
on: How far private sector involvement should be foregrounded in health data and AI governance
Any framework must include practical implementation support and recognise that countries have different levels of readiness and digital health maturity (Jamal Alshanfari)
Arg. 3Alshanfari emphasises that governance frameworks cannot stop at principles or declarations. They must come with implementation support tailored to the fact that countries differ significantly in their capacity, readiness and stage of digital health development.
He says that although many rules already exist, the real need now is implementation on the ground . He also calls for practical implementation guidance and says future frameworks should support countries at different levels of digital health maturity rather than assuming all countries are equally prepared .
on: Implementation, capacity and practical guidance are now the main challenges, not just producing more principles or policies
End users are frequently forgotten, but they must be included in consultations because they are the people who will use and be affected by these systems (Jamal Alshanfari)
Arg. 4Alshanfari argues that inclusive governance must extend beyond institutions and experts to the people directly affected by digital health tools. He highlights end users as a stakeholder group that is often neglected, even though their participation is essential for legitimacy and practical success.
He calls for consultations involving a wide set of actors and explicitly says that everybody forgets about the end user . He explains that end users are the people who will actually use these tools, which is why they must be part of the governance process .
on: Governance processes must be inclusive and multistakeholder, involving not only governments but also parliamentarians, judiciary, private sector, civil society, affected regions and end users
Fragmentation and siloed policymaking are major problems, with different actors and institutions working in parallel without coordination, which creates duplication and weakens implementation (Linda Bonyo)
Arg. 1Bonyo argues that one of the biggest governance failures is not the absence of initiatives, but the fact that they are poorly coordinated. She says multiple actors are working on similar frameworks in isolation, which leads to duplication, parallel processes and weaker implementation.
She explicitly says there is a coordination problem that is creating duplicity, and describes how many actors are in the space but are not talking to each other . Drawing on her experience in drafting the Africa data governance policy, she says national offices often did not know what was happening and were developing their own parallel frameworks, illustrating the siloed nature of the process .
on: Regional and global alignment are needed to avoid fragmentation and support trusted cross-border data sharing and cooperation
on: What should be prioritised in global and regional governance: alignment around existing frameworks or broader representational and institutional inclusion
Legislatures and judiciaries are too often excluded, even though members of parliament are necessary for lawmaking and courts are increasingly filling legal gaps in data and AI governance (Linda Bonyo)
Arg. 2Bonyo argues that governance discussions are too focused on executive actors and too often leave out other institutions with crucial legal roles. She stresses that parliaments are needed to pass laws, while judiciaries are increasingly shaping rules where legal frameworks are incomplete.
She says members of parliament are excluded from these processes and refers to comments from the chairperson of the parliamentary network on internet governance, who raised this issue at the Africa Tech AI and Governance Summit . She also says the judiciary is often neglected even though courts are increasingly determining what the law should be in areas where there is a vacuum or lacuna in data and AI governance .
on: Governance processes must be inclusive and multistakeholder, involving not only governments but also parliamentarians, judiciary, private sector, civil society, affected regions and end users
on: How far private sector involvement should be foregrounded in health data and AI governance
The main challenge is not the absence of policy but weak implementation caused by limited budgets, low technical capacity and copying Western frameworks without adapting them to African realities such as community health workers (Linda Bonyo)
Arg. 3Bonyo argues that many countries already have strategies and policies, but struggle to put them into practice. She attributes this to weak budgets, insufficient skills and the uncritical importation of Western governance models that do not fit local health systems and realities.
She says that from the Africa AI Governance Index, the conclusion was that policy is not the problem; implementation is, because many African countries have national AI strategies and some include health data, but they lack budgets and the skill sets needed to implement them . She also criticises the borrowing of Western strategies without local adaptation, using the example that African systems must account for realities such as community health workers, who are central locally but do not exist in the same way in Western models .
on: Implementation, capacity and practical guidance are now the main challenges, not just producing more principles or policies
on: Whether the main bottleneck is strengthening legislative frameworks or fixing coordination and implementation failures
Data protection authorities are often used as default AI regulators without sufficient technical expertise, showing the need to connect policy and technical skill in the health data ecosystem (Linda Bonyo)
Arg. 4Bonyo argues that institutional arrangements are often mismatched to the technical complexity of AI and health data governance. She says data protection authorities are being given AI governance responsibilities by default, even when they lack the technical expertise and resources required, so policy and technical capacity need to be linked more effectively.
She says many people do not understand the distinction between sensitive data and health data, and argues that capacity building should begin with data protection authorities . Referring to the Africa AI Governance Index, she says data protection authorities are often acting as default AI officers, noting that Rwanda only recently launched a dedicated AI agency while Ghana’s AI functions still sit within the data protection authority, which demonstrates the need to give these institutions stronger technical skills for health data governance .
on: Implementation, capacity and practical guidance are now the main challenges, not just producing more principles or policies
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
Arg. 1Mathieson frames the discussion as a progression from national legal challenges to regional and global alignment, with an emphasis on actionable outcomes. Her moderation highlights the need to connect different policy processes and stakeholder perspectives so that discussions lead to concrete next steps rather than remaining fragmented.
She introduces the panel as bringing diverse perspectives on challenges, needs and the path forward, and says she expects the discussion to lead to very concrete actions . She also explicitly describes the intended sequence of the discussion as starting with national legal issues and challenges, then building up to global alignment, opportunities and actions .
on: Existing frameworks and current political momentum provide a practical basis for further action rather than requiring a completely new start
on: What should be prioritised in global and regional governance: alignment around existing frameworks or broader representational and institutional inclusion
The private sector must be involved because it builds much of the underlying digital and standards infrastructure and needs legal clarity to innovate responsibly (Simao Ferraz de Campos Neto)
Arg. 1Campos Neto argues that the private sector is a core actor in digital health and AI governance because it develops much of the ICT and standards infrastructure on which these systems depend. He says governance frameworks must include private sector actors and provide legal clarity so they can innovate responsibly within predictable rules.
He says one major stakeholder frequently missing from these discussions is the private sector, and explains that within ITU, work on ICTs and standards is strongly driven by private sector members . He adds that if high-speed technologies such as AI are brought into the system without private sector involvement, governance will not work, and that what these actors want is a clear and understandable legal environment in which to operate .
on: Governance processes must be inclusive and multistakeholder, involving not only governments but also parliamentarians, judiciary, private sector, civil society, affected regions and end users
on: How far private sector involvement should be foregrounded in health data and AI governance
Data sharing is often blocked not only by commercial interests but also by fear of liability and lack of safe mechanisms, so technical standards, discoverable datasets and template agreements are needed to enable responsible data use (Simao Ferraz de Campos Neto)
Arg. 2Campos Neto argues that data sharing failures are not simply a result of greed or commercial secrecy. He says actors often hold data because they fear liability or do not know how to share it safely, which is why better technical standards, machine-discoverable datasets and standardised agreements are necessary.
He says data is often hoarded not only by the private sector but also by institutions, and that this is sometimes due to fear and uncertainty about how to share it safely rather than simple greed . As practical examples, he refers to the European Health Data Space as a positive initiative, but says it still needs more interconnecting technical frameworks, machine-discoverable datasets and template agreements to automate safe data use and reduce the time and difficulty involved in negotiating bilateral access arrangements, especially where firms treat data as trade secrets .
on: Public trust, rights protection and accountability are central to successful health data and AI governance
AI should not be regulated as a single technology; legislation should be risk-aware, sensitive to maturity and use case, and avoid creating excessive burdens that hinder innovation (Simao Ferraz de Campos Neto)
Arg. 3Campos Neto argues that AI is a broad label covering technologies with very different ages, risks and levels of maturity, so a single uniform regulatory approach would be misguided. He supports risk-based and context-sensitive legislation that reflects actual use cases and does not impose unnecessary burdens that would suppress innovation.
He says AI is a misnomer because it is not one thing, but many technologies ranging from decades-old systems to tools developed only months ago, each with different implications, maturity and risk profiles . He therefore argues that legislation should reflect risk, speed of technological change, maturity and use case, with stronger safeguards for riskier applications, while also ensuring frameworks do not overburden innovation .
on: Whether AI governance should be approached through broad common rules or more differentiated risk-based regulation
Citizens need concrete, publicly accountable mechanisms for sharing health data, and slow progress without practical proposals risks making governance efforts seem unhelpful (Participant)
Arg. 1The participant argues that governance discussions will have limited value unless they produce practical systems that citizens can actually use to share their health data. They express frustration with the slow pace of current initiatives and ask whether any jurisdiction already offers a public institution through which citizens can share data in practice.
The participant says that the European Health Data Space is moving incredibly slowly and suggests that if there are no concrete proposals for actual data sharing, the process is not very meaningful . They then ask whether there is anywhere in the world where citizens who want to share their data can do so through a public institution, which underscores the demand for a practical and publicly accountable mechanism .
on: Public trust, rights protection and accountability are central to successful health data and AI governance
on: Whether current governance efforts are meaningful despite slow progress, or insufficient without concrete public-facing data-sharing mechanisms
Session Knowledge Graph
Speakers · Topics · Arguments · Relationships
There was broad agreement that policy and guidelines are insufficient on their own and that stronger national legal frameworks are needed to create clear rules, accountability, rights protection and trust in digital health and AI. Forslund explicitly called for strengthening national legislation and clear rules for the collection and use of health data and AI . Kashoka reinforced this by arguing that legislation establishes rights, responsibilities, accountability, consent, privacy protection and remedies when trust is breached . Alshanfari likewise said the next step is implementation through stronger national capacities and laws because trust is what is now needed . Mathieson’s framing of the session also centred on national legal issues as the starting point for action . Bonyo did not reject the need for law, but stressed that implementation of existing frameworks is the core challenge, which still aligns with the shared view that legal frameworks matter but must function in practice .
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
This aligns with evidence that many countries have data protection frameworks but major gaps remain in scope, complexity and enforcement, especially in developing regions [S64]. It is also reinforced by health-specific analysis arguing current legal frameworks are often inadequate for AI in health and need adaptation to address privacy, bias, safety and regulatory oversight [S61].
Speakers converged on the need for frameworks that go beyond isolated national action and instead align rules regionally and globally. Forslund warned that without regional and global alignment there would be a patchwork of incompatible rules undermining trust and cross-border data sharing, and she argued existing principles and model laws provide a basis for broader frameworks . Kashoka said the Africa CDC process can help countries avoid legislating in isolation and support interoperability, surveillance, research and cross-border collaboration . Alshanfari argued that a future global framework should be built through practical cooperation and broad consultation while respecting different levels of readiness and sovereignty . Mathieson explicitly structured the discussion as moving from national issues to global alignment and action . Bonyo supported this direction by identifying fragmentation, duplication and lack of coordination across institutions and processes as a major problem .
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund)
Zambia’s experience and the Africa CDC process show that regional frameworks can help countries develop coherent laws, improve interoperability, support surveillance and research, and contribute African perspectives to global governance debates (Andrew Kashoka)
A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari)
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
Fragmentation and siloed policymaking are major problems, with different actors and institutions working in parallel without coordination, which creates duplication and weakens implementation (Linda Bonyo)
This reflects established discussion that international norms and standards are needed for responsible data use and cross-border collaboration [S58], while regional actors can translate global norms into national practice through cascading mechanisms and peer learning [S62]. Health diplomacy literature also frames research and data sharing as a multilevel diplomatic practice spanning national, regional and global arenas [S65].
A strong area of agreement was that the field already has many frameworks and political commitments, but the pressing issue is implementation capacity and practical support. Bonyo said policy is not the problem; implementation is, because countries often lack budget, technical skills and contextualised approaches, and because institutions such as data protection authorities are expected to regulate AI without adequate expertise . Alshanfari similarly said that although there are many rules, what is needed now is implementation on the ground, practical implementation guidance and support for countries at different levels of digital maturity . Kashoka’s point that countries need technology, policy and legislation together also implied that legal and policy texts must be backed by operational systems . Forslund’s presentation that the foundations already exist and need better alignment and coordination further supports the shared emphasis on practical next steps rather than starting from scratch . Mathieson repeatedly pushed the discussion towards concrete actions moving forward .
The main challenge is not the absence of policy but weak implementation caused by limited budgets, low technical capacity and copying Western frameworks without adapting them to African realities such as community health workers (Linda Bonyo)
Data protection authorities are often used as default AI regulators without sufficient technical expertise, showing the need to connect policy and technical skill in the health data ecosystem (Linda Bonyo)
Any framework must include practical implementation support and recognise that countries have different levels of readiness and digital health maturity (Jamal Alshanfari)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
This is supported by findings that governance progress is often undermined by weak implementation and outdated enforcement despite the existence of frameworks [S64]. It also matches wider governance experience that countries need technical assistance, strong institutions and practical capacity-building to turn high-level goals into action [S60], and that digital health implementation gaps such as lapsed country training support remain pressing [S67].
Speakers agreed that effective governance cannot be built by executive actors alone and must include a wider set of stakeholders. Forslund argued for inclusive processes so people are informed about data rights, understand how data is used and have avenues for redress . Bonyo highlighted the exclusion of members of parliament and the judiciary, despite their central roles in lawmaking and filling legal gaps . Campos Neto argued that the private sector is too often absent even though it builds much of the standards and ICT infrastructure and needs legal clarity . Alshanfari also called for consultations involving governments, international organisations, academia, civil society, private sector and end users, stressing that end users are often forgotten . Mathieson echoed the need for diverse stakeholder and geographic representation and for connecting different perspectives and processes .
Inclusive processes are necessary so people understand their data rights, know how their data is used and have avenues for redress when misuse occurs (Mathilde Forslund)
Legislatures and judiciaries are too often excluded, even though members of parliament are necessary for lawmaking and courts are increasingly filling legal gaps in data and AI governance (Linda Bonyo)
The private sector must be involved because it builds much of the underlying digital and standards infrastructure and needs legal clarity to innovate responsibly (Simao Ferraz de Campos Neto)
A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari)
End users are frequently forgotten, but they must be included in consultations because they are the people who will use and be affected by these systems (Jamal Alshanfari)
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
This is strongly grounded in multistakeholder governance literature emphasising diverse participation beyond states, including civil society, academia and the private sector [S63]. WHO guidance likewise recommends involving a diverse group of stakeholders across sectors and communities to secure buy-in and legitimacy [S66], while health diplomacy explicitly identifies governments, international organisations, NGOs, private sector, academia and civil society as core actors [S65].
There was clear agreement that trust is the central condition for health data sharing and AI adoption, and that trust depends on rights, accountability and safe mechanisms. Forslund said digital transformation can only keep public trust if governance is rights-based, equitable and people-centred, and if people know how their data is used and can seek redress when harmed . Kashoka linked trust to legal guarantees on access, sharing, consent, privacy and remedies . Alshanfari explicitly concluded that strong legal frameworks are needed because what is now required is trust . Campos Neto added that even data holders who want to share data may be deterred by liability concerns and lack of safe mechanisms, so standards and template agreements are needed . The participant’s question underscored the same trust issue from a citizen perspective by asking for a practical, public mechanism for people who want to share their data .
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
Inclusive processes are necessary so people understand their data rights, know how their data is used and have avenues for redress when misuse occurs (Mathilde Forslund)
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Data sharing is often blocked not only by commercial interests but also by fear of liability and lack of safe mechanisms, so technical standards, discoverable datasets and template agreements are needed to enable responsible data use (Simao Ferraz de Campos Neto)
Citizens need concrete, publicly accountable mechanisms for sharing health data, and slow progress without practical proposals risks making governance efforts seem unhelpful (Participant)
This is directly supported by health and data governance sources that stress human rights, privacy, algorithmic bias and accountability as central governance concerns in digital health and AI [S61]. International policy analysis similarly frames ethical standards, transparency and accountability as necessary to ensure technological progress does not come at the expense of rights [S58].
Another point of agreement was that the policy space already contains useful tools, institutions and political momentum that can be built upon. Forslund said the foundations already exist, citing endorsed principles, model laws, OECD recommendations, WHO guidance and regional initiatives, and argued that efforts should now be aligned rather than restarted . Kashoka pointed to Zambia’s national work and the Africa CDC process as examples of regional building blocks . Alshanfari said the political support shown at the World Health Assembly demonstrates readiness to act and should now be translated into implementation . Mathieson’s focus on concrete next steps and connecting processes also reflected this shared sense that the moment is ripe for action .
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Zambia’s experience and the Africa CDC process show that regional frameworks can help countries develop coherent laws, improve interoperability, support surveillance and research, and contribute African perspectives to global governance debates (Andrew Kashoka)
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
This is consistent with evidence that many governance frameworks already exist and the main challenge is strengthening and implementing them rather than starting from scratch [S64]. It also fits broader governance experience that existing processes and institutions often evolve incrementally through practical improvements rather than wholesale replacement [S77].
These speakers shared a closely aligned view that trust in digital health and AI depends on enforceable legal frameworks, not only policy aspirations. Forslund called for stronger legislation within rights-based governance . Kashoka explained why legislation is needed to establish rights, duties, consent, privacy protection and remedies . Alshanfari similarly argued that stronger national laws and practical implementation are necessary to build trust . These speakers agreed that isolated national or institutional approaches are inadequate and that greater regional and global coordination is needed. Forslund warned against a patchwork of incompatible rules and urged alignment across levels . Kashoka argued that regional frameworks such as the Africa CDC process can create coherence and interoperability . Bonyo described current policymaking as siloed and duplicative . Mathieson likewise framed the discussion as moving towards global alignment and connecting separate processes . These speakers shared the view that the gap is now practical implementation rather than lack of frameworks in principle. Bonyo said implementation is the main problem because of weak budgets, weak skills and poor contextualisation , and she also highlighted institutional capacity gaps . Alshanfari said there are already many rules and that the next need is practical implementation guidance tailored to differing country maturity levels . Forslund added that the foundations already exist and should be built upon . These speakers all argued for broader inclusion in governance, though each highlighted different missing groups. Forslund focused on meaningful public engagement and redress . Bonyo stressed that parliaments and judiciaries are being left out . Campos Neto said the private sector is often absent despite its importance to infrastructure and standards . Alshanfari called for a multistakeholder process that also includes end users, who are often forgotten . Although coming from different angles, these speakers converged on the need for practical, trusted mechanisms for data sharing. Campos Neto discussed liability fears, technical standards and template agreements as enablers of safe sharing . The participant asked for a real public mechanism through which citizens can share data, expressing frustration with slow and abstract processes . Forslund and Kashoka both grounded this need in rights, consent, privacy and redress .
This was somewhat unexpected because the session focused heavily on legislative frameworks, yet several speakers converged on the idea that the problem is not a lack of frameworks in principle. Forslund said the foundations already exist and do not require starting from scratch . Bonyo explicitly said policy is not the problem and that implementation, budget and skills are the real obstacles . Alshanfari similarly said many rules already exist and what is needed now is implementation guidance adapted to varying country maturity levels .
An unexpected area of consensus was the breadth of actors considered essential. Rather than limiting governance to states and technical experts, speakers highlighted overlooked groups from very different angles: the public and rights-holders , parliaments and courts , private sector infrastructure actors , and end users . This suggests a shared recognition that governance legitimacy and practicality depend on much wider participation than is often assumed.
It was notable that a participant’s practical challenge about whether citizens can actually share their data through a public institution aligned with panellists’ broader concerns. The participant criticised slow progress and demanded concrete public mechanisms . Campos Neto’s focus on standards and safe sharing tools , Alshanfari’s emphasis on implementation guidance , and Forslund’s emphasis on transparency, rights and redress all point towards the same conclusion: governance must produce usable, trustworthy systems for real people.
The discussion showed strong consensus on the core direction of travel: health data and AI governance should be rights-based, legally grounded, trustworthy, inclusive and coordinated across national, regional and global levels. Speakers repeatedly agreed on the need for stronger national laws, better alignment across jurisdictions, multistakeholder participation, and practical implementation support rather than abstract commitments alone .
Forslund and Kashoka both frame stronger legislation as a central urgent need, with Forslund calling for strengthened legislative frameworks and stronger national legislation to govern health data and AI responsibly , and Kashoka arguing that only legislation can establish enforceable rights, responsibilities, consent rules, privacy protection and remedies . By contrast, Bonyo explicitly says the problem is not policy but implementation, pointing to weak budgets, low skills and poor contextualisation rather than lack of frameworks . Alshanfari sits between these positions: he agrees stronger national laws are needed, but stresses that many rules already exist and the immediate need is implementation, consensus and practical guidance .
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
The main challenge is not the absence of policy but weak implementation caused by limited budgets, low technical capacity and copying Western frameworks without adapting them to African realities such as community health workers (Linda Bonyo)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
External sources support both sides of this tension: some stress the need for stronger and more comprehensive legal frameworks for data and AI governance [S61] [S64], while others underline that weak implementation, institutional fragmentation and lack of focal points or practical coordination are often the more immediate obstacles [S67] [S69].
Forslund emphasises that the foundations already exist and that the task now is better alignment and coordination around current principles, model laws and international guidance . Bonyo agrees there are many initiatives, but argues the bigger problem is that actors are working in silos, national offices are not connected, and key institutions such as parliaments and judiciaries are excluded . Alshanfari broadens the inclusion argument further by insisting future cooperation must involve governments, international organisations, academia, civil society, private sector and end users, while respecting different levels of digital maturity and sovereignty . Mathieson also frames the discussion as one about linking separate processes and perspectives into concrete action . The disagreement is therefore about what deserves priority: aligning existing instruments, or redesigning the process to include missing actors and institutions.
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund)
Fragmentation and siloed policymaking are major problems, with different actors and institutions working in parallel without coordination, which creates duplication and weakens implementation (Linda Bonyo)
Legislatures and judiciaries are too often excluded, even though members of parliament are necessary for lawmaking and courts are increasingly filling legal gaps in data and AI governance (Linda Bonyo)
A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari)
Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
This reflects a live governance trade-off. Some sources emphasise international norms, common frameworks and regional cascading of standards to avoid fragmentation [S58] [S62]. Others warn that formal multistakeholderism often falls short in practice because participation is unequal and representative inclusion, especially from the Global South, remains weak [S63] [S74].
Campos Neto argues that the private sector is a major missing stakeholder and that governance will not work without it because private actors drive ICT standards and need clarity to innovate . Alshanfari includes the private sector as one stakeholder among many in future consultations . By contrast, Forslund's framing concentrates on rights-based public-interest governance, public trust, legislation and redress rather than explicitly foregrounding private sector participation . Bonyo focuses instead on the exclusion of parliaments, judiciaries and African representatives, not on a deficit of private sector inclusion . This suggests a difference in emphasis over whether private sector participation is the main missing ingredient or one concern among several.
The private sector must be involved because it builds much of the underlying digital and standards infrastructure and needs legal clarity to innovate responsibly (Simao Ferraz de Campos Neto)
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari)
Legislatures and judiciaries are too often excluded, even though members of parliament are necessary for lawmaking and courts are increasingly filling legal gaps in data and AI governance (Linda Bonyo)
This debate is well grounded in the literature. Health diplomacy and investment frameworks highlight the private sector as an important partner for innovation, finance and implementation [S60] [S65]. At the same time, health data governance sources raise concerns about data control, benefit sharing, competition, capture and the need for strong public safeguards when private actors are involved [S61] [S67].
Forslund advocates shared rules, common standards and harmonised legislative provisions for health data and AI to avoid incompatible systems and support trusted cross-border sharing . Kashoka similarly stresses legislation that clearly defines rights, responsibilities, access, consent and remedies as a basis for trust . Campos Neto does not reject regulation, but cautions against treating AI as one technology and argues for a risk-aware approach tailored to maturity, pace of change and use case, while avoiding overburdensome frameworks . The disagreement is therefore over the degree of uniformity versus differentiation needed in AI regulation.
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund)
AI should not be regulated as a single technology; legislation should be risk-aware, sensitive to maturity and use case, and avoid creating excessive burdens that hinder innovation (Simao Ferraz de Campos Neto)
Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka)
Relevant sources frame the issue indirectly. International analysis supports common norms and standards for transparency, accountability and rights protection across contexts [S58], while health-specific discussions stress that AI risks in clinical and data settings are varied and may require context-sensitive oversight on bias, safety, efficacy and post-market monitoring [S61].
The participant expresses scepticism about slow-moving initiatives such as the European Health Data Space and says that without concrete proposals for actual sharing, the process is not very interesting, asking whether any place already lets citizens share their data through a public institution . By contrast, Forslund presents the current landscape of principles, model laws and international initiatives as a strong foundation that can be built upon , while Alshanfari responds by pointing to an upcoming draft resolution and member state process rather than a direct existing mechanism for citizens . The disagreement concerns whether current progress should be viewed as meaningful groundwork or as too abstract without operational public mechanisms.
Citizens need concrete, publicly accountable mechanisms for sharing health data, and slow progress without practical proposals risks making governance efforts seem unhelpful (Participant)
Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund)
This mirrors broader governance debates between valuing incremental institutional progress and demanding more tangible outcomes. Some sources note that existing institutions and processes have gradually become more inclusive and effective through low-profile changes [S77], while others stress that frameworks remain insufficient when they do not produce concrete implementation or workable data-sharing arrangements [S64].
This is unexpected because the panel is broadly aligned on the need for multistakeholder governance, yet they spotlight very different missing actors. Campos Neto says one big stakeholder frequently absent is the private sector and argues governance will not work without it . Bonyo instead highlights excluded parliaments, judiciaries and African participants . Forslund's opening framing does not single out the private sector, instead centring rights-based rules, legislation and public trust . The disagreement is less ideological than surprising in emphasis: each speaker identifies a different core constituency as insufficiently included.
This tension is unexpected because the panel largely presents the current moment as a positive window of opportunity. Forslund says the foundations already exist and there is important progress at national, regional and global level . Alshanfari similarly highlights political support and next-step work on a draft resolution . The participant, however, openly questions the value of such progress if it remains slow and does not produce practical public ways for citizens to share data . This introduces a sharper challenge from the user perspective than the panel itself voiced.
The discussion showed high agreement on the overall goal: trusted, rights-based, interoperable governance for health data and AI, supported by stronger laws, better cooperation and broader inclusion . The main disagreements were about priorities and pathways: whether legislation or implementation is the biggest immediate gap, whether alignment can build from existing frameworks or requires deeper process reform, how central private sector inclusion is, and how far governance must already deliver concrete public-facing mechanisms .
All four speakers agree on the goal of trusted, effective health data and AI governance. Forslund calls for rights-based governance, stronger legislation and alignment . Kashoka agrees legislation is necessary for rights and accountability . Bonyo shares the goal of workable governance but argues implementation, budgets and local adaptation are the real route to success . Alshanfari likewise agrees on stronger laws but says the next practical step is implementation support and consensus-building . They therefore agree on the destination, but differ on whether law reform or implementation capacity is the immediate priority.
Rights-based governance is essential for trusted digital health and AI, requiring fair, transparent, representative and people-centred rules, stronger national legislation, and cross-border alignment to avoid fragmented systems (Mathilde Forslund) Countries need technology, policy and legislation together because policy guidance alone cannot guarantee rights, accountability, consent, privacy protection and remedies when trust is breached (Andrew Kashoka) The main challenge is not the absence of policy but weak implementation caused by limited budgets, low technical capacity and copying Western frameworks without adapting them to African realities such as community health workers (Linda Bonyo) Political support already exists, but the next step is implementation through stronger national laws, broader consensus and practical guidance that builds trust (Jamal Alshanfari)
There is broad agreement that global or regional alignment is needed. Forslund says existing tools and initiatives can be aligned into broader frameworks . Kashoka supports regional frameworks as a means to coherent law and African contribution to global debates . Mathieson explicitly frames the discussion as moving from national issues to global alignment and concrete actions . Bonyo agrees on the need for coordination but argues present processes are siloed and insufficiently connected . Alshanfari also supports a future global framework, but insists it must be multistakeholder, practical and sensitive to different national maturity levels . So they agree on alignment as a goal, but differ on whether existing processes are adequate foundations or need substantial redesign.
Existing tools mean the field does not need to start from scratch; endorsed principles, model laws, OECD recommendations, WHO AI guidance and regional initiatives can form the basis of national, regional and global frameworks (Mathilde Forslund) Zambia’s experience and the Africa CDC process show that regional frameworks can help countries develop coherent laws, improve interoperability, support surveillance and research, and contribute African perspectives to global governance debates (Andrew Kashoka) Fragmentation and siloed policymaking are major problems, with different actors and institutions working in parallel without coordination, which creates duplication and weakens implementation (Linda Bonyo) A future global framework should be built through practical cooperation, support countries at different levels of digital maturity, respect sovereignty and involve governments, international organisations, academia, civil society, private sector and end users (Jamal Alshanfari) Moderation of these discussions should move from national legal issues towards global alignment and concrete actions, highlighting the need to connect separate processes and perspectives (Kirsten Mathieson)
All four interventions support broader inclusion and public trust, but they define the needed inclusion differently. Forslund focuses on informing and empowering populations about data rights and providing redress . Bonyo stresses the inclusion of parliaments, judiciaries and underrepresented African actors . Alshanfari says end users are too often forgotten and must be part of consultations . The participant pushes this logic further by asking for a concrete public institution through which citizens can actually share data . Thus, they agree participation matters, but differ on whether the key gap is citizen empowerment, institutional representation or operational public mechanisms.
Inclusive processes are necessary so people understand their data rights, know how their data is used and have avenues for redress when misuse occurs (Mathilde Forslund) Legislatures and judiciaries are too often excluded, even though members of parliament are necessary for lawmaking and courts are increasingly filling legal gaps in data and AI governance (Linda Bonyo) End users are frequently forgotten, but they must be included in consultations because they are the people who will use and be affected by these systems (Jamal Alshanfari) Citizens need concrete, publicly accountable mechanisms for sharing health data, and slow progress without practical proposals risks making governance efforts seem unhelpful (Participant)
These speakers agree that governance must be workable in practice and supported by appropriate capacities. Campos Neto stresses technical standards, legal clarity and private sector engagement to make data sharing and AI deployment function . Bonyo emphasises that data protection authorities and health actors need stronger technical skills, because policy capacity alone is insufficient . Alshanfari likewise argues that implementation guidance and support for different levels of digital maturity are necessary . The difference lies in emphasis: private sector and standards, institutional technical capacity, or country readiness and implementation support.
The private sector must be involved because it builds much of the underlying digital and standards infrastructure and needs legal clarity to innovate responsibly (Simao Ferraz de Campos Neto) Data protection authorities are often used as default AI regulators without sufficient technical expertise, showing the need to connect policy and technical skill in the health data ecosystem (Linda Bonyo) Any framework must include practical implementation support and recognise that countries have different levels of readiness and digital health maturity (Jamal Alshanfari)
- There was broad agreement that stronger health data governance legislation is urgently needed to support trusted digital health and AI, because policy and guidelines alone cannot ensure rights, accountability, consent, privacy protection, transparency, redress and public trust.
- Participants emphasised that governance must be rights-based, equitable, people-centred and inclusive, with citizens informed about how their data is used and able to seek remedies when misuse occurs.
- National legislation was described as essential but insufficient on its own; regional and global alignment is also needed to avoid fragmented rules and to enable trusted cross-border data sharing, interoperability, research and health security.
- Speakers noted that the field does not need to start from scratch because a range of existing principles, model laws, OECD recommendations, WHO AI guidance and regional frameworks can serve as building blocks.
- Zambia’s experience and the Africa CDC process were presented as evidence that regional frameworks can help countries develop coherent legal approaches while also contributing African perspectives to global governance discussions.
- A major conclusion was that the key challenge is often not the lack of policy frameworks but weak implementation, driven by limited budgets, inadequate technical capacity, poor coordination and insufficient adaptation to local contexts.
- Participants highlighted significant coordination problems, with fragmented and siloed processes across institutions and geographies leading to duplication and weak implementation.
- There was strong concern that important actors are frequently excluded from governance processes, particularly members of parliament, judiciaries, the private sector, African stakeholders and end users.
- The discussion underlined that private sector participation is necessary because industry builds much of the underlying infrastructure and needs legal clarity and technical standards in order to share data and innovate responsibly.
- Speakers stressed that AI should not be treated as a single technology in regulation; governance should be risk-based, sensitive to maturity and use case, and should avoid unnecessary burdens that could hinder innovation.
- Trust was a recurring theme: stronger legal frameworks, practical implementation guidance, safe data-sharing mechanisms and inclusive consultation were all presented as essential for building and maintaining public trust.
- There was a clear sense that current political momentum, especially following discussions at the World Health Assembly, creates an opportunity to push forward a global health data governance framework or resolution.
“Andrew Kashoka said, "Technology moves faster than policy. And policy moves faster than legislation. So to build trust and achieve the sustainability we're speaking about, countries ultimately need all these three."”
“Andrew Kashoka argued that policies and guidelines provide direction, but legislation establishes rights, responsibilities and enforceable accountability, including who may access health data, under what conditions it may be shared, how consent is managed, how privacy is protected and what remedies exist when trust is breached.”
“Linda Bonyo said, "I think we have a coordination problem, and so that's creating a lot of duplicity... they all are not talking to each other. So it's a very siloed approach."”
“Linda Bonyo observed that member states often send different people to different forums, so "the person who sits in Geneva does not speak to the person in Nairobi or the person in Addis and New York as well."”
“Linda Bonyo said, "We continue to exclude members of parliament... we're only speaking to one phase, which is executive. And that has been the case as well with judiciary."”
“Linda Bonyo argued that the issue is "not a policy problem... it's implementation," and described many national strategies as borrowed from the West, using the analogy: "it's Linda wanting Beyonce's hair without Beyonce's budget or stylist."”
“Linda Bonyo highlighted that African voices are underrepresented in global spaces, linking this directly to visa barriers, costs and access, and argued that if policy processes last years, participation cannot depend on repeated short-term visas.”
“Simao Ferraz de Campos Neto said that a major missing stakeholder is the private sector and that without them, especially in ICT standards and AI implementation, "it is not going to work."”
“Simao Ferraz de Campos Neto suggested that so-called data hoarding is not always greed: organisations often hold data because they fear liability or do not know how to share it safely.”
“Simao Ferraz de Campos Neto said, "AI is a misnomer. It's not one thing. There are many technologies... with very different implications, very different maturity levels, very different risk levels."”
“Jamal Alshanfari identified four pillars for the next step: broader consensus among member states and stakeholders, stronger national capacities and laws, practical implementation guidance, and continued consultation including governments, international organisations, academia, civil society, private sector and end users.”
“Jamal Alshanfari stressed that "everybody forgets about the end user" and that end users are the people who will actually use these tools.”
“The participant from Belgium challenged the pace and practical value of current efforts by saying that if there are no concrete proposals for data sharing, "it's not interesting," and asked whether there is anywhere in the world where citizens can share their data publicly through a public institution.”
How can national legislative frameworks for health data governance be strengthened urgently so that laws are not outpaced by technology and policy?
This is important because multiple speakers stressed that technology is advancing faster than policy and legislation, creating gaps in enforceable rights, accountability, privacy protection and public trust.
What should a global health data governance and AI framework or World Health Assembly resolution include to support responsible cross-border data sharing without being overly prescriptive?
This matters because speakers highlighted the need for global alignment that harmonises essential legislative provisions while still respecting national sovereignty and different levels of digital maturity.
How can regional leadership, especially the Africa CDC continental health data governance framework, be leveraged to shape global consensus and legal interoperability?
This is important because the discussion presented regional frameworks as practical building blocks for broader global standards, particularly for research, surveillance, interoperability and trusted collaboration.
How can coordination be improved across the many parallel health data, AI and data governance initiatives to reduce duplication and siloed policymaking?
This is important because fragmented efforts across Geneva, Addis Ababa, Nairobi, New York and national capitals can lead to duplicated work, inconsistent frameworks and weak implementation.
How can member states ensure better internal coordination so that officials handling related issues in different forums and cities are aligned?
This matters because Linda Bonyo noted that representatives in different diplomatic and policy centres often do not speak to one another, undermining coherent national positions and implementation.
How can members of parliament and the judiciary be meaningfully included in health data and AI governance processes from the outset?
This is important because legislative adoption and legal interpretation depend on parliaments and courts, yet both were described as frequently excluded from current governance discussions.
What capacity-building models are needed for data protection authorities and regulators to govern health data and AI effectively, especially regarding sensitive data?
This matters because many authorities may understand general policy issues but lack the technical expertise, institutional design and budgets needed to oversee health data and AI in practice.
How can technical and policy expertise be better integrated in health data governance, particularly for institutions currently acting as default AI regulators?
This is important because the discussion identified a gap between legal/policy mandates and the technical capability required to regulate AI and complex health data systems responsibly.
How can African countries develop context-specific health data and AI governance frameworks rather than borrowing models from the West that do not fit local realities?
This matters because imported frameworks may overlook local institutions, financing constraints and frontline realities such as the role of community health workers.
What does health data governance mean in practice for community health workers and other local health actors in contexts that differ from Europe and other Western systems?
This is important because governance models must reflect real data practices on the ground, not only high-level legal templates designed for very different health systems.
How can African participation in global health data and AI governance forums be improved, including practical issues such as visas, cost and multi-year access to policy processes?
This matters because inclusive global governance requires participation from those shaping and implementing policy in affected regions, and current logistical barriers undermine representation.
How can working groups and governance forums be linked more systematically across organisations so they meet each other rather than operating separately?
This is important because she suggested that existing working groups should be deliberately connected, which could improve coherence, reduce fragmentation and increase practical progress.
How can the private sector be more effectively included in health data governance and AI discussions?
This matters because the private sector builds much of the underlying digital infrastructure and needs regulatory clarity to innovate while complying with rights-based safeguards.
What kinds of legal and operational clarity does the private sector need in order to share and use health data responsibly?
This is important because uncertainty about liability, access rules and permitted uses can discourage data sharing and slow innovation even when data holders are willing to collaborate.
Why do institutions and companies hold on to health data, and what incentives and safeguards could enable safer sharing?
This matters because the discussion suggested that data hoarding is often driven by fear and liability, not only self-interest, so research is needed on incentive structures and trust mechanisms.
What technical standards are needed to improve the formatting, discoverability and machine-readability of health datasets for secure cross-border use?
This is important because scalable and responsible data sharing depends not only on law but also on interoperable technical frameworks that allow automated, trustworthy use of data.
Could template agreements or standardised permissions be developed to automate and simplify lawful health data sharing?
This matters because standardised agreements could reduce transaction costs, speed up research and implementation, and lower barriers for institutions unsure how to share data safely.
How should AI be regulated in health given that AI is not a single technology but a range of tools with different risks, maturity levels and applications?
This is important because overly broad or simplistic AI regulation could either miss high-risk uses or overburden low-risk innovation, making risk-based approaches essential.
How can literacy about health data governance and AI be improved among stakeholders so they can design proportionate and effective regulation?
This matters because informed policymaking requires stakeholders to understand both technical distinctions and practical implications, especially in fast-evolving AI domains.
How can broader consensus be built among member states and stakeholders ahead of future World Health Assembly discussions on a global framework?
This is important because political support exists, but a shared framework will require sustained consultation and negotiation across governments and stakeholder groups.
What practical implementation guidance should WHO and partners provide to help countries operationalise health data governance frameworks?
This matters because speakers repeatedly stressed that the main challenge is implementation, so countries need actionable guidance beyond high-level principles and resolutions.
How can consultations be broadened to include governments, international organisations, academia, civil society, private sector and end users in future governance design?
This is important because inclusive consultation was presented as essential for legitimacy, trust and practical effectiveness, particularly since end users are often forgotten.
How can any future global framework support countries at different levels of digital health maturity while respecting national sovereignty?
This matters because countries have very different capacities and legal contexts, so a one-size-fits-all approach could be ineffective or exclusionary.
Is there any place in the world at present where citizens can voluntarily share their health data through a public institution in a practical, public-facing way?
This is important because it asks for a concrete real-world example of citizen-enabled public data sharing, moving the conversation from policy ambition to existing implementation.
What concrete proposals or operational models already exist for actual health data sharing, rather than slow-moving framework discussions alone?
This matters because the participant challenged the pace of current initiatives and asked for tangible mechanisms that demonstrate how public-interest data sharing can work in practice.
