{"success":true,"data":{"@context":"https://schema.org","@type":"Dataset","name":"ZenoXCare — Pan-African Standards & Compliance Registry","description":"Canonical inventory of the international standards, frameworks, third-party attestations, and African country-level data-protection regimes ZenoXCare aligns to or operates under.","license":"https://creativecommons.org/licenses/by/4.0/","schemaVersion":"1.0","lastUpdated":"2026-04-21T09:28:57.793Z","summary":{"standardsCount":26,"certificationsCount":8,"africanJurisdictionsCount":54,"dataProtectionCoverage":{"total":54,"enactedEnforced":29,"enactedDormant":12,"pending":8,"none":5}},"standards":[{"category":"infosec","title":"Information Security","description":"Foundational ISMS controls and third-party attestations governing how ZenoXCare protects systems, data, and customer trust.","entries":[{"id":"iso-27001","name":"ISO/IEC 27001:2022","publisher":"ISO/IEC","framework":"ISO_27001","alignment":"PLANNED","summary":"International standard for an Information Security Management System (ISMS) — risk-based controls covering organisation, people, processes, and technology.","scope":"All production cloud workloads, the engineering org, and supporting business processes (HR, vendor management, change management).","authoritativeUrl":"https://www.iso.org/standard/72852.html","relatedCertificationId":"iso-27001-2022"},{"id":"soc-2","name":"SOC 2 (Trust Services Criteria)","publisher":"AICPA","framework":"SOC2","alignment":"IN_PROGRESS","summary":"Reporting framework on controls relevant to Security, Availability, Confidentiality, Processing Integrity, and Privacy of a service organisation.","scope":"Next.js platform, Postgres tenant data plane, payment orchestration, identity stack.","authoritativeUrl":"https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2","relatedCertificationId":"soc-2-type-2"},{"id":"soc-1","name":"SOC 1 (ICFR)","publisher":"AICPA","framework":"SOC1","alignment":"PLANNED","summary":"Reporting framework on controls relevant to user entities' Internal Control over Financial Reporting (ICFR).","scope":"HIC ledger, payment intent state machine, MoMo settlement reconciliation, payout disbursement.","authoritativeUrl":"https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-1","relatedCertificationId":"soc-1-type-2"}]},{"category":"privacy","title":"Privacy","description":"Privacy-by-design controls extending the ISMS to personal data lifecycle management.","entries":[{"id":"iso-27701","name":"ISO/IEC 27701:2019","publisher":"ISO/IEC","framework":"ISO_27701","alignment":"PLANNED","summary":"Privacy Information Management System (PIMS) extension to ISO/IEC 27001, providing requirements for processing personally identifiable information.","scope":"Patient PHI, member PII, partner financial PII across all jurisdictions of operation.","authoritativeUrl":"https://www.iso.org/standard/71670.html","relatedCertificationId":"iso-27701-2019"}]},{"category":"application_security","title":"Application Security","description":"Verification standards for secure software development and runtime defence.","entries":[{"id":"owasp-asvs","name":"OWASP ASVS v4","publisher":"OWASP Foundation","framework":"OWASP_ASVS","alignment":"ALIGNED","summary":"Application Security Verification Standard — a basis for testing web application technical security controls and providing a list of requirements for secure development.","scope":"All public Next.js routes, authenticated APIs, server actions, and webhook ingress.","authoritativeUrl":"https://owasp.org/www-project-application-security-verification-standard/","relatedCertificationId":null}]},{"category":"business_continuity","title":"Resilience & Business Continuity","description":"Operational continuity, disaster recovery, and incident-response disciplines.","entries":[{"id":"iso-22301","name":"ISO 22301:2019","publisher":"ISO","framework":"ISO_22301","alignment":"ALIGNED","summary":"Business Continuity Management System (BCMS) — requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve business continuity.","scope":"Quarterly DR drills, RTO ≤ 4h / RPO ≤ 15min for production workloads, and provider failover procedures.","authoritativeUrl":"https://www.iso.org/standard/75106.html","relatedCertificationId":null}]},{"category":"payments","title":"Payments","description":"Card and mobile-money compliance, settlement integrity, and payout safeguards.","entries":[{"id":"pci-dss-v4","name":"PCI DSS v4.0","publisher":"PCI Security Standards Council","framework":"PCI_DSS_V4","alignment":"PLANNED","summary":"Payment Card Industry Data Security Standard — protects card-data environments through technical and operational requirements.","scope":"Card-payment integration scope: tokenization via gateway; no PAN storage; partner-mediated card-on-file. Mobile-money rails are out of PCI scope.","authoritativeUrl":"https://www.pcisecuritystandards.org/standards/pci-dss/","relatedCertificationId":"pci-dss-v4-saq-a-ep"}]},{"category":"clinical_interop","title":"Clinical Interoperability","description":"Open standards for safely exchanging clinical information between systems.","entries":[{"id":"hl7-fhir","name":"HL7 FHIR R5","publisher":"HL7 International","framework":"HL7_FHIR","alignment":"ALIGNED","summary":"Fast Healthcare Interoperability Resources — modern web standard for exchanging healthcare information electronically.","scope":"All clinical resources exposed via federation: Patient, Practitioner, Encounter, Observation, MedicationRequest, DiagnosticReport, Provenance.","authoritativeUrl":"https://hl7.org/fhir/","relatedCertificationId":null}]},{"category":"clinical_terminology","title":"Clinical Terminology","description":"Globally-recognised vocabularies for unambiguous clinical meaning.","entries":[{"id":"snomed-ct","name":"SNOMED CT","publisher":"SNOMED International","framework":"SNOMED_CT","alignment":"ALIGNED","summary":"Comprehensive, multilingual clinical healthcare terminology used for clinical documentation and reporting.","scope":"Clinical concept normalisation in care signals, triage protocols, and diagnostic interpretation.","authoritativeUrl":"https://www.snomed.org/","relatedCertificationId":null},{"id":"icd-11","name":"ICD-11","publisher":"World Health Organization","framework":"ICD_11","alignment":"ALIGNED","summary":"WHO International Classification of Diseases, 11th revision — global standard for diagnostic health information.","scope":"Diagnosis coding for clinical encounters and case-mix reporting.","authoritativeUrl":"https://www.who.int/standards/classifications/classification-of-diseases","relatedCertificationId":null}]},{"category":"health_governance","title":"Health-System Governance","description":"Sector-specific operating standards for digital health systems and clinical workflows.","entries":[{"id":"iso-27799","name":"ISO 27799:2016","publisher":"ISO","framework":"ISO_27799","alignment":"ALIGNED","summary":"Health-sector application of ISO/IEC 27002 — security management in health using ISO/IEC 27002 controls.","scope":"All PHI processing surfaces (clinical records, telemedicine sessions, prescription, diagnostic artifacts).","authoritativeUrl":"https://www.iso.org/standard/62777.html","relatedCertificationId":null},{"id":"who-smart-guidelines","name":"WHO SMART Guidelines","publisher":"World Health Organization","framework":"WHO_SMART_GUIDELINES","alignment":"ALIGNED","summary":"Standards-based, Machine-readable, Adaptive, Requirements-based, Testable — WHO's framework for digital adaptation kits in health systems.","scope":"Care pathway design, clinical workflow logic, and decision-support content.","authoritativeUrl":"https://www.who.int/teams/digital-health-and-innovation/smart-guidelines","relatedCertificationId":null}]},{"category":"ai_governance","title":"AI Governance","description":"Lifecycle controls for trustworthy, ethical, and human-supervised AI in healthcare.","entries":[{"id":"iso-42001","name":"ISO/IEC 42001:2023","publisher":"ISO/IEC","framework":"ISO_42001","alignment":"ALIGNED","summary":"AI Management System — requirements for establishing, implementing, maintaining and continually improving an AI management system within an organisation.","scope":"WebLLM on-device assist, federated AI inference, agentic workflows; AI register and lifecycle controls.","authoritativeUrl":"https://www.iso.org/standard/42001","relatedCertificationId":null},{"id":"nist-ai-rmf","name":"NIST AI RMF 1.0","publisher":"NIST (USA)","framework":"NIST_AI_RMF","alignment":"ALIGNED","summary":"AI Risk Management Framework — voluntary guidance to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.","scope":"AI lifecycle risk register, model evaluation harnesses, replayable traces, regression gates.","authoritativeUrl":"https://www.nist.gov/itl/ai-risk-management-framework","relatedCertificationId":null},{"id":"who-ai-ethics-health","name":"WHO AI Ethics in Health","publisher":"World Health Organization","framework":"WHO_AI_ETHICS_HEALTH","alignment":"ALIGNED","summary":"Ethics and governance of artificial intelligence for health — six principles ensuring AI works to the public benefit of all countries.","scope":"Clinical decision support boundaries (non-authoritative AI surfaces), human-in-the-loop overrides, equity guardrails.","authoritativeUrl":"https://www.who.int/publications/i/item/9789240029200","relatedCertificationId":null}]},{"category":"medical_device","title":"Medical Device (Reserved)","description":"Standards held in reserve until any feature is classified as Software as a Medical Device.","entries":[{"id":"iso-13485","name":"ISO 13485:2016","publisher":"ISO","framework":"ISO_13485","alignment":"MONITORING","summary":"Quality management systems for medical devices — requirements for regulatory purposes.","scope":"Reserved for the eventuality that ZenoXCare ships a feature classified as Software as a Medical Device (SaMD).","authoritativeUrl":"https://www.iso.org/standard/59752.html","relatedCertificationId":null},{"id":"imdrf-samd","name":"IMDRF SaMD Framework","publisher":"International Medical Device Regulators Forum","framework":"IMDRF_SAMD","alignment":"MONITORING","summary":"Regulatory framework for Software as a Medical Device — risk categorisation and clinical evaluation guidance.","scope":"Reserved; assessment trigger is any AI/CDS feature making regulated medical claims.","authoritativeUrl":"https://www.imdrf.org/working-groups/software-medical-device-samd","relatedCertificationId":null}]},{"category":"africa_regional","title":"Africa — Regional Instruments","description":"Continental and regional instruments framing pan-African data, privacy, and digital-trade obligations.","entries":[{"id":"malabo-convention","name":"AU Malabo Convention","publisher":"African Union","framework":"MALABO_CONVENTION","alignment":"ALIGNED","summary":"African Union Convention on Cyber Security and Personal Data Protection — continental instrument harmonising data protection and cybersecurity.","scope":"Continental baseline informing every African country deployment.","authoritativeUrl":"https://au.int/en/treaties/african-union-convention-cyber-security-and-personal-data-protection","relatedCertificationId":null},{"id":"au-data-policy-framework","name":"AU Data Policy Framework","publisher":"African Union","framework":"AU_DATA_POLICY_FRAMEWORK","alignment":"ALIGNED","summary":"Continental policy framework governing data, cross-border flows, and digital trade across African Union member states.","scope":"Pan-African data flow architecture and regional rollout sequencing.","authoritativeUrl":"https://au.int/en/documents/20220728/au-data-policy-framework","relatedCertificationId":null},{"id":"ecowas-data-protection","name":"ECOWAS Data Protection Act","publisher":"ECOWAS","framework":"ECOWAS_DATA_PROTECTION","alignment":"ALIGNED","summary":"ECOWAS Supplementary Act on Personal Data Protection — regional instrument governing data processing across West African member states.","scope":"West Africa rollout (Ghana, Nigeria, Côte d'Ivoire, Senegal, etc.).","authoritativeUrl":"https://www.ecowas.int/wp-content/uploads/2015/02/SIGNED-Personal-Data-Protection.pdf","relatedCertificationId":null},{"id":"sadc-model-law","name":"SADC Model Law on Data Protection","publisher":"Southern African Development Community","framework":"SADC_MODEL_LAW","alignment":"ALIGNED","summary":"Model law adopted by SADC to harmonise data-protection rules across Southern African states.","scope":"Southern Africa rollout (South Africa, Zambia, Botswana, etc.).","authoritativeUrl":"https://www.sadc.int/","relatedCertificationId":null},{"id":"afcfta-digital-trade","name":"AfCFTA Digital Trade Protocol","publisher":"African Continental Free Trade Area","framework":"AFCFTA_DIGITAL_TRADE","alignment":"ALIGNED","summary":"Continental protocol on digital trade — common rules for cross-border digital trade, payments, and data flows across AfCFTA members.","scope":"Cross-border payment, e-prescription, and partner-network expansion strategy.","authoritativeUrl":"https://au-afcfta.org/","relatedCertificationId":null}]},{"category":"data_protection_law","title":"Africa — Country Data Protection Laws","description":"National statutes that overlay the pan-African baseline as ZenoXCare enters each market.","entries":[{"id":"ndpa-gh","name":"Ghana — Data Protection Act 2012 (Act 843)","publisher":"Data Protection Commission, Ghana","framework":"NDPA_GH","alignment":"ALIGNED","summary":"Statutory data protection law in Ghana; controllers and processors must register with the Data Protection Commission.","scope":"ZenoXCare Ghana operations including patient records, payment data, KYC.","authoritativeUrl":"https://dataprotection.org.gh/","relatedCertificationId":"ghana-dpc-registration"},{"id":"popia-za","name":"South Africa — POPIA","publisher":"Information Regulator, South Africa","framework":"POPIA_ZA","alignment":"PLANNED","summary":"Protection of Personal Information Act — South Africa's primary data protection statute; requires Information Officer registration.","scope":"Triggered when South African deployment commences (Wave 1).","authoritativeUrl":"https://inforegulator.org.za/","relatedCertificationId":null},{"id":"ndpr-ng","name":"Nigeria — NDPA 2023","publisher":"Nigeria Data Protection Commission","framework":"NDPR_NG","alignment":"PLANNED","summary":"Nigeria Data Protection Act, 2023 — established the Nigeria Data Protection Commission; recognises lawful bases including contract, legal obligation, and vital interests.","scope":"Triggered when Nigerian deployment commences (Wave 1).","authoritativeUrl":"https://cert.gov.ng/ngcert/resources/Nigeria_Data_Protection_Act_2023.pdf","relatedCertificationId":null},{"id":"odpc-ke","name":"Kenya — Data Protection Act 2019","publisher":"Office of the Data Protection Commissioner, Kenya","framework":"ODPC_KE","alignment":"PLANNED","summary":"Kenya Data Protection Act 2019 — health data treated as sensitive personal data; cross-border transfer constraints and data-localisation expectations.","scope":"Triggered when Kenyan deployment commences (Wave 1).","authoritativeUrl":"https://www.odpc.go.ke/","relatedCertificationId":null}]}],"certifications":[{"id":"soc-1-type-2","name":"SOC 1 Type II","status":"PLANNED","issuingAuthority":"External CPA firm (engagement TBD)","issuedOn":null,"expiresOn":null,"scope":"Internal controls over financial reporting (ICFR) for the HIC ledger, payment intent state machine, MoMo settlement reconciliation, and payout disbursement workflows.","category":"infosec_attestation","satisfies":["SOC1"],"renewalCadence":"annual"},{"id":"soc-2-type-2","name":"SOC 2 Type II","status":"IN_PROGRESS","issuingAuthority":"External CPA firm (engagement TBD)","issuedOn":null,"expiresOn":null,"scope":"Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) covering the Next.js platform, Postgres tenant data plane, payment orchestration, and identity stack.","category":"infosec_attestation","satisfies":["SOC2"],"renewalCadence":"annual"},{"id":"iso-27001-2022","name":"ISO/IEC 27001:2022 (ISMS)","status":"PLANNED","issuingAuthority":"Accredited certification body (e.g., BSI, DNV, TÜV)","issuedOn":null,"expiresOn":null,"scope":"Information Security Management System covering all production cloud workloads, the engineering org, and supporting business processes (HR, vendor management, change management).","category":"infosec_certification","satisfies":["ISO_27001"],"renewalCadence":"triennial"},{"id":"iso-27701-2019","name":"ISO/IEC 27701:2019 (PIMS)","status":"PLANNED","issuingAuthority":"Accredited certification body (joint scope with 27001)","issuedOn":null,"expiresOn":null,"scope":"Privacy Information Management System extension to the 27001 ISMS, covering processing of patient PHI, member PII, and partner financial PII across all jurisdictions of operation.","category":"privacy_certification","satisfies":["ISO_27701"],"renewalCadence":"triennial"},{"id":"ghana-dpc-registration","name":"Ghana Data Protection Commission registration (Act 843)","status":"PLANNED","issuingAuthority":"Data Protection Commission, Ghana","issuedOn":null,"expiresOn":null,"scope":"Statutory data controller registration under the Data Protection Act 2012 (Act 843) covering ZenoXCare Ghana operations including patient records, payment data, and KYC data.","category":"data_protection_registration","satisfies":["NDPA_GH"],"renewalCadence":"biennial"},{"id":"vapt-baseline","name":"Vulnerability Assessment & Penetration Test (baseline)","status":"PLANNED","issuingAuthority":"External CREST/OSCP-credentialed pentest firm (engagement TBD)","issuedOn":null,"expiresOn":null,"scope":"Black-box + grey-box pentest of the Next.js public surface (auth, payments, partner portal, compliance console), authenticated APIs, and the cloud infrastructure perimeter (Vercel + Supabase + Upstash).","category":"security_assessment","satisfies":["SOC2","ISO_27001","PCI_DSS_V4"],"renewalCadence":"annual"},{"id":"pci-dss-v4-saq-a-ep","name":"PCI DSS v4.0 Self-Assessment (SAQ A-EP)","status":"PLANNED","issuingAuthority":"Self-assessed; QSA validation when card data scope expands","issuedOn":null,"expiresOn":null,"scope":"Card payment integration scope: tokenization via gateway, no PAN storage, partner-mediated card-on-file. Mobile money rails (MTN MoMo) are out of PCI scope.","category":"payments_certification","satisfies":["PCI_DSS_V4"],"renewalCadence":"annual"},{"id":"hitrust-csf-e1","name":"HITRUST CSF e1 Assessment","status":"NOT_PURSUED","issuingAuthority":"HITRUST-authorised external assessor","issuedOn":null,"expiresOn":null,"scope":"Deferred until US healthcare expansion. Tracked here so the option remains visible in governance reviews; do not represent as in-scope to customers.","category":"infosec_certification","satisfies":["HITRUST"],"renewalCadence":"annual"}],"africaJurisdictions":[{"iso2":"GH","iso3":"GHA","name":"Ghana","bloc":"ECOWAS","rolloutWave":"wave_1_anchor","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2012 (Act 843)","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Data Protection Commission","url":"https://dataprotection.org.gh/"},"healthDataSensitive":true},{"iso2":"NG","iso3":"NGA","name":"Nigeria","bloc":"ECOWAS","rolloutWave":"wave_1_anchor","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Nigeria Data Protection Act 2023 (NDPA)","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Nigeria Data Protection Commission","url":"https://ndpc.gov.ng/"},"healthDataSensitive":true},{"iso2":"KE","iso3":"KEN","name":"Kenya","bloc":"EAC","rolloutWave":"wave_1_anchor","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2019","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Office of the Data Protection Commissioner","url":"https://www.odpc.go.ke/"},"healthDataSensitive":true},{"iso2":"ZA","iso3":"ZAF","name":"South Africa","bloc":"SADC","rolloutWave":"wave_1_anchor","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Protection of Personal Information Act (POPIA)","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Information Regulator (South Africa)","url":"https://inforegulator.org.za/"},"healthDataSensitive":true},{"iso2":"RW","iso3":"RWA","name":"Rwanda","bloc":"EAC","rolloutWave":"wave_2_extension","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Law No. 058/2021 on Protection of Personal Data and Privacy","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"National Cyber Security Authority (data protection office)","url":"https://cyber.gov.rw/"},"healthDataSensitive":true},{"iso2":"EG","iso3":"EGY","name":"Egypt","bloc":"COMESA","rolloutWave":"wave_2_extension","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Personal Data Protection Law No. 151 of 2020","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Personal Data Protection Center","url":"https://mcit.gov.eg/"},"healthDataSensitive":true},{"iso2":"MA","iso3":"MAR","name":"Morocco","bloc":"AMU","rolloutWave":"wave_2_extension","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Law 09-08 on Protection of Personal Data","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"CNDP (Commission Nationale de Contrôle de la Protection des Données)","url":"https://www.cndp.ma/"},"healthDataSensitive":true},{"iso2":"TZ","iso3":"TZA","name":"Tanzania","bloc":"EAC","rolloutWave":"wave_2_extension","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Personal Data Protection Act 2022","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Personal Data Protection Commission","url":"https://www.pdpc.go.tz/"},"healthDataSensitive":true},{"iso2":"UG","iso3":"UGA","name":"Uganda","bloc":"EAC","rolloutWave":"wave_2_extension","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection and Privacy Act 2019","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Personal Data Protection Office","url":"https://www.pdpo.go.ug/"},"healthDataSensitive":true},{"iso2":"CI","iso3":"CIV","name":"Côte d'Ivoire","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2013-450 sur la protection des données à caractère personnel","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"ARTCI","url":"https://www.artci.ci/"},"healthDataSensitive":true},{"iso2":"SN","iso3":"SEN","name":"Senegal","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2008-12 sur la protection des données personnelles","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Commission de Protection des Données Personnelles","url":"https://www.cdp.sn/"},"healthDataSensitive":true},{"iso2":"BJ","iso3":"BEN","name":"Benin","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Code du Numérique 2017 (Book V)","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"APDP","url":"https://apdp.bj/"},"healthDataSensitive":true},{"iso2":"TG","iso3":"TGO","name":"Togo","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2019-014 sur la protection des données à caractère personnel","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"IPDCP","url":"https://ipdcp.tg/"},"healthDataSensitive":true},{"iso2":"BF","iso3":"BFA","name":"Burkina Faso","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°010-2004/AN sur la protection des données à caractère personnel","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"CIL Burkina Faso","url":"https://www.cil.bf/"},"healthDataSensitive":true},{"iso2":"ML","iso3":"MLI","name":"Mali","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2013-015","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"APDP Mali","url":"https://apdp.ml/"},"healthDataSensitive":true},{"iso2":"NE","iso3":"NER","name":"Niger","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2017-28","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"HAPDP","url":null},"healthDataSensitive":true},{"iso2":"GN","iso3":"GIN","name":"Guinea","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi L/2016/037/AN","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":{"name":"APDP Guinea","url":null},"healthDataSensitive":true},{"iso2":"GW","iso3":"GNB","name":"Guinea-Bissau","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Lei n°9/2018","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SL","iso3":"SLE","name":"Sierra Leone","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"LR","iso3":"LBR","name":"Liberia","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"GM","iso3":"GMB","name":"The Gambia","bloc":"ECOWAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"CV","iso3":"CPV","name":"Cabo Verde","bloc":"ECOWAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","ECOWAS_DATA_PROTECTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Lei n°133/V/2001","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"CNPD Cabo Verde","url":"https://www.cnpd.cv/"},"healthDataSensitive":true},{"iso2":"ET","iso3":"ETH","name":"Ethiopia","bloc":"IGAD","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Personal Data Protection Proclamation 2024","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Ethiopian Communications Authority (interim)","url":"https://eca.et/"},"healthDataSensitive":true},{"iso2":"DJ","iso3":"DJI","name":"Djibouti","bloc":"IGAD","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°107/AN/18","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"ER","iso3":"ERI","name":"Eritrea","bloc":"IGAD","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":null,"dataProtectionStatus":"NONE","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SO","iso3":"SOM","name":"Somalia","bloc":"IGAD","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SS","iso3":"SSD","name":"South Sudan","bloc":"IGAD","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":null,"dataProtectionStatus":"NONE","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SD","iso3":"SDN","name":"Sudan","bloc":"IGAD","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"BI","iso3":"BDI","name":"Burundi","bloc":"EAC","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SC","iso3":"SYC","name":"Seychelles","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2003","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Data Protection Commissioner","url":null},"healthDataSensitive":true},{"iso2":"MU","iso3":"MUS","name":"Mauritius","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2017","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Data Protection Office","url":"https://dataprotection.govmu.org/"},"healthDataSensitive":true},{"iso2":"BW","iso3":"BWA","name":"Botswana","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2018","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Information and Data Protection Commission","url":null},"healthDataSensitive":true},{"iso2":"ZM","iso3":"ZMB","name":"Zambia","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act No. 3 of 2021","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"Data Protection Commissioner","url":null},"healthDataSensitive":true},{"iso2":"ZW","iso3":"ZWE","name":"Zimbabwe","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Cyber and Data Protection Act 2021","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"POTRAZ (interim)","url":"https://www.potraz.gov.zw/"},"healthDataSensitive":true},{"iso2":"MW","iso3":"MWI","name":"Malawi","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2024","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"MACRA (interim)","url":"https://www.macra.org.mw/"},"healthDataSensitive":true},{"iso2":"MZ","iso3":"MOZ","name":"Mozambique","bloc":"SADC","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"AO","iso3":"AGO","name":"Angola","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Lei 22/11","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"APD Angola","url":null},"healthDataSensitive":true},{"iso2":"NA","iso3":"NAM","name":"Namibia","bloc":"SADC","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"PENDING","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"LS","iso3":"LSO","name":"Lesotho","bloc":"SADC","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2011","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"SZ","iso3":"SWZ","name":"Eswatini","bloc":"SADC","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Data Protection Act 2022","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"MG","iso3":"MDG","name":"Madagascar","bloc":"SADC","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","SADC_MODEL_LAW","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2014-038","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"CMIL","url":null},"healthDataSensitive":true},{"iso2":"KM","iso3":"COM","name":"Comoros","bloc":"COMESA","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":null,"dataProtectionStatus":"NONE","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"CD","iso3":"COD","name":"Democratic Republic of the Congo","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°20/017","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"CG","iso3":"COG","name":"Republic of the Congo","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°29-2019","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"CM","iso3":"CMR","name":"Cameroon","bloc":"ECCAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2010/012 (cybersecurity / partial DP)","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":{"name":"ANTIC","url":"https://www.antic.cm/"},"healthDataSensitive":true},{"iso2":"GA","iso3":"GAB","name":"Gabon","bloc":"ECCAS","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°001/2011","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"CNPDCP","url":null},"healthDataSensitive":true},{"iso2":"GQ","iso3":"GNQ","name":"Equatorial Guinea","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Ley nº 1/2016","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"CF","iso3":"CAF","name":"Central African Republic","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":null,"dataProtectionStatus":"NONE","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"TD","iso3":"TCD","name":"Chad","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°007/PR/2015","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"ST","iso3":"STP","name":"São Tomé and Príncipe","bloc":"ECCAS","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":"Lei n°3/2016","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"TN","iso3":"TUN","name":"Tunisia","bloc":"AMU","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi organique n°2004-63","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"INPDP","url":"https://www.inpdp.tn/"},"healthDataSensitive":true},{"iso2":"DZ","iso3":"DZA","name":"Algeria","bloc":"AMU","rolloutWave":"wave_3_expansion","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°18-07","dataProtectionStatus":"ENACTED_ENFORCED","dataProtectionAuthority":{"name":"ANPDP","url":null},"healthDataSensitive":true},{"iso2":"LY","iso3":"LBY","name":"Libya","bloc":"AMU","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK"],"dataProtectionLaw":null,"dataProtectionStatus":"NONE","dataProtectionAuthority":null,"healthDataSensitive":true},{"iso2":"MR","iso3":"MRT","name":"Mauritania","bloc":"AMU","rolloutWave":"wave_4_assessment","applicableBaselines":["MALABO_CONVENTION","AU_DATA_POLICY_FRAMEWORK","AFCFTA_DIGITAL_TRADE"],"dataProtectionLaw":"Loi n°2017-020","dataProtectionStatus":"ENACTED_DORMANT","dataProtectionAuthority":null,"healthDataSensitive":true}]}}