Research & secondary use of health data — governance baseline
Status: Normative governance baseline (policy + technical hooks; legal text is external)
Date: 2026-04-11
Audience: MoPH, IRB/ethics, universities, donors
1. Scope
This document frames secondary use of data originating in the Ghasi platform (analytics, public health, research) while clinical care remains governed by module SPEC.md and COMPLIANCE_SECURITY.md.
2. Principles
- Primary use first: Care delivery and legally mandated reporting take precedence.
- Purpose limitation: Secondary use requires documented purpose (surveillance vs research vs quality improvement).
- Minimum necessary:
access-policyand ABAC enforce scope. - De-identification: Research datasets SHOULD use de-identified or limited datasets per national law; identifiable research requires consent and IRB approval.
- Audit: Exports and researcher access emit audit events per
audit.
3. Technical hooks (existing)
| Capability | Role |
|---|---|
| Aggregate / cohort exports | health-population — exports, quality metrics, cohort refresh |
| Access policy | Row-level / attribute-level decisions for who may run analytics |
| Audit service | Evidence of who exported or accessed datasets |
| FHIR gateway | Standard partner API for authorized flows |
4. Not covered in application code
- IRB protocols, data use agreements, national data protection law — MoPH / legal owns these artifacts.
- Trusted research environment (TRE) or federated learning — roadmap; may extend platform with separate deployables.
5. Related documents
NATIONAL_HMIS_INDICATORS.mdDONOR_OUTCOMES_FRAMEWORK.mdMODULE_SHARED_STANDARDS.md§3 (consent & disclosure)