Strategies and techniques for data security in the health information systems in South Africa

Thumbnail Image

Files

lyner_nsc_m_2025.pdf (2.77 MB)

Date

2025

Authors

Journal Title

Journal ISSN

Volume Title

Publisher

University of the Western Cape

Abstract

South Africa’s healthcare sector faces a misalignment between regulatory mandates and technical implementation. While the Protection of Personal Information Act (POPIA) requires strict data minimisation, municipal health systems often maintain an expansive data collection model. This thesis investigates this "policy translation gap", using a simulation-based approach to argue that patient record vulnerability stems from a failure to translate abstract legal mandates into concrete technical constraints. Specifically, this study evaluates how data anonymisation techniques can be enhanced to balance POPIA requirements with data utility. Using a mixed-methods design, the study employed a high-fidelity synthetic dataset and a custom Python-based risk-scoring framework to conduct a technical assessment of health data infrastructure. The quantitative results provided empirical evidence of vulnerabilities in current practices. Baseline re-identification risk scores consistently exceeded 15 (critical risk) on the developed metric, confirming a saturation of unnecessary personal identifiers. This technical assessment was triangulated with a qualitative analysis of stakeholder perspectives, which identified institutional barriers and a lack of technical guidance as the primary drivers of exposure. Crucially, the research demonstrates that these risks are not inevitable. By applying specific "Field Suppression Protocols", risk scores were reduced to a compliant range (8–9) while preserving the utility of demographic data. The study further validated the feasibility of Privacy-Enhancing Technologies (PETs), specifically Differential Privacy and synthetic data generation, as a "Phase 2" solution. The thesis concludes that compliance requires a transition to a "Privacy-by-Design" architecture, proposing a phased implementation strategy that utilises technical intervention as the primary mechanism for enforcing regulatory governance.

Description

Keywords

Data anonymisation, Data governance, Data minimisation, Data security, Data utility

Citation

URI

https://hdl.handle.net/10566/24433

Collections

Magister Scientiae - MSc (Computer Science)