← All Insights
Policy Brief Regulation & Policy January 2026 11 min read

Digital Health Data Governance Frameworks

Navigating the tension between pandemic preparedness and patient privacy in an era of cross-border genomic data flows

Digital health data governance visualisation

Executive Summary

The COVID-19 pandemic revealed both the transformative potential and the governance deficits of cross-border health data sharing. Genomic sequencing data shared through platforms like GISAID enabled vaccine development in record time, yet the same period exposed profound inequities in data access: countries contributing genomic sequences often lacked the computational infrastructure and intellectual property protections to benefit from the innovations their data enabled. The WHO's Pandemic Treaty negotiations, ongoing since 2022, have foregrounded health data governance as a first-order geopolitical issue.

This policy brief analyses digital health data governance through the lens of public goods theory and institutional economics. Health data exhibits characteristics of both a public good (non-rivalrous in use, with significant positive externalities from sharing) and a sensitive personal asset requiring robust privacy protections. The governance challenge is to design institutional frameworks that maximise the public health benefits of data sharing while respecting individual privacy rights and ensuring equitable benefit distribution. We examine three emerging governance models — the European Health Data Space, the African Union's health data sovereignty framework, and the WHO's proposed Pathogen Access and Benefit-Sharing System — and propose design principles for a multilateral health data governance architecture.

Health Data as a Public Good: The Market Failure Analysis

Health data sharing for research and public health purposes exhibits classic public goods characteristics. Once collected and de-identified, health datasets can be used by multiple researchers simultaneously without diminishing their value — non-rivalry in consumption. Moreover, the benefits of health data analysis extend far beyond the immediate users: epidemiological insights, drug safety signals, and treatment effectiveness evidence benefit entire populations — positive externalities that individual data subjects or institutions cannot fully capture.

These characteristics predict systematic underinvestment in health data sharing infrastructure. The Lancet Digital Health Commission (2024) documented that fewer than 12% of clinical datasets generated in low- and middle-income countries (LMICs) are available for secondary research use, compared to approximately 45% in high-income countries. The OECD's Health at a Glance 2025 estimates that inadequate health data interoperability costs OECD economies $150–250 billion annually in duplicated research, delayed drug approvals, and preventable adverse events.

The underinvestment problem is compounded by information asymmetries. Patients providing health data often lack the technical knowledge to assess how their data will be used, creating a "market for lemons" dynamic where low-trust equilibria prevail. A 2025 Wellcome Trust survey found that while 78% of respondents supported health data sharing for research in principle, only 34% trusted that adequate safeguards were in place — a trust deficit that constrains data availability and undermines the potential for population-level health insights.

Genomic Data Sovereignty: The New Frontier

Genomic data presents particularly acute governance challenges. The global genomics market, valued at approximately $32 billion in 2025 by Grand View Research, relies on large-scale datasets that increasingly flow across borders. Yet genomic data is uniquely sensitive: it reveals information not only about individuals but about their biological relatives and ethnic communities, raising collective privacy concerns that individual consent frameworks cannot adequately address.

The concept of "genomic data sovereignty" has gained traction, particularly among Indigenous communities and developing nations whose genetic diversity is disproportionately valuable for pharmaceutical research. The Nagoya Protocol on Access and Benefit-Sharing, originally designed for biological resources, is increasingly invoked as a framework for genomic data governance. Several African nations — notably South Africa, Kenya, and Nigeria — have enacted or proposed legislation requiring that genomic data generated within their borders be stored domestically and that benefits arising from its use be equitably shared.

The tension between genomic sovereignty and collaborative research is not merely political but has concrete scientific consequences. The Global Alliance for Genomics and Health (GA4GH) estimates that approximately 86% of participants in genome-wide association studies are of European descent, creating a systematic bias that limits the applicability of genomic medicine to diverse populations. Restrictive data governance regimes, while protecting sovereignty, risk perpetuating this bias by impeding the cross-border data flows necessary for inclusive genomic research.

The WHO Pandemic Treaty: Health Data as Geopolitical Leverage

The WHO's negotiations on a Pandemic Prevention, Preparedness and Response Treaty have elevated health data governance to the highest level of international diplomacy. The draft treaty's provisions on pathogen access and benefit-sharing (PABS) represent an attempt to codify the principle that countries sharing pathogen genomic sequences should receive equitable access to the medical countermeasures developed using that data.

The PABS negotiations reveal a fundamental game-theoretic tension. Pathogen-rich countries (typically LMICs with high disease burden) possess data that is essential for global health security but lack the manufacturing capacity and intellectual property protections to benefit from the vaccines and therapeutics developed using their data. Technology-rich countries (typically high-income nations with advanced pharmaceutical sectors) require pathogen data for research but resist binding benefit-sharing commitments that could constrain commercial returns.

This strategic interaction resembles an asymmetric bargaining game. Without binding agreements, pathogen-rich countries face incentives to withhold data as leverage — as Indonesia famously did with H5N1 avian influenza samples in 2007. This data withholding is individually rational but collectively catastrophic, as delayed pathogen sharing can cost weeks or months in pandemic response time. The WHO estimates that each week of delay in genomic sequence sharing during a novel pandemic can result in thousands of additional deaths globally.

Comparative Analysis: Three Emerging Governance Models

The European Health Data Space (EHDS). Adopted in 2025, the EHDS establishes a regulatory framework for the secondary use of health data across EU member states. Its key innovation is the "data permit" system, whereby accredited researchers can access de-identified health data through secure processing environments without the data leaving its country of origin. The EHDS applies GDPR protections while creating standardised access procedures that reduce transaction costs. Early implementation evidence suggests a 40% increase in cross-border health research collaborations within the EU, though interoperability challenges remain.

The African Union Health Data Governance Framework. The AU's 2024 framework takes a sovereignty-first approach, requiring that health data generated in Africa be stored on the continent and that any cross-border transfers be subject to benefit-sharing agreements. The framework explicitly addresses the historical pattern of "data colonialism" — the extraction of African health data for pharmaceutical research that primarily benefits populations and shareholders in high-income countries. While principled, implementation faces infrastructure challenges: the Africa CDC estimates that only 22% of African countries currently have the data centre capacity to comply with local storage requirements.

The WHO PABS System. The proposed Pathogen Access and Benefit-Sharing System would create a multilateral mechanism linking pathogen data sharing to guaranteed benefits — including technology transfer, capacity building, and affordable access to medical countermeasures. Modelled partly on the International Treaty on Plant Genetic Resources for Food and Agriculture, the PABS system would operate through a multilateral fund financed by pharmaceutical companies that use shared pathogen data. Negotiations remain contentious, with disagreements over the scope of benefit-sharing obligations and the enforcement mechanisms for non-compliance.

Design Principles for Multilateral Health Data Governance

Drawing on institutional economics and the comparative analysis above, we propose five design principles for an effective multilateral health data governance framework:

  • Federated access over centralised storage: Data should remain under the sovereign control of originating jurisdictions, with access provided through secure computation environments that enable analysis without physical data transfer.
  • Graduated consent with community governance: Individual consent should be supplemented by community-level governance mechanisms for collectively sensitive data types, particularly genomic data from identifiable populations.
  • Automatic benefit-sharing triggers: Commercial products developed using shared health data should trigger automatic benefit-sharing payments to contributing jurisdictions, reducing the need for bilateral negotiation.
  • Interoperability standards with local implementation: Adopting common data standards (such as FHIR for clinical data and GA4GH protocols for genomic data) while permitting jurisdictional variation in privacy protections and access procedures.
  • Capacity building as a prerequisite: Meaningful participation in data governance requires technical infrastructure. Framework design should incorporate binding commitments to build data management capacity in LMICs.

Implications for GDEF's Regulation & Policy Working Group

Health data governance sits at the intersection of GDEF's core concerns: cross-border data flows, institutional design, and equitable benefit distribution in the digital economy. The pandemic preparedness context adds urgency: governance failures in health data sharing have direct consequences for human life. GDEF's Regulation & Policy Working Group will incorporate health data governance into its programme on Cross-Border Data Governance Frameworks, with particular attention to the mechanism design challenges of the WHO PABS negotiations.

References & Sources

  1. WHO, Global Health Data Governance: Principles and Framework, 2024. World Health Organization. who.int/data
  2. OECD, Health at a Glance 2025. OECD Publishing. oecd.org/health-at-a-glance
  3. Lancet Digital Health Commission, Digital Health for All: Governance and Equity, 2024. thelancet.com/landig
  4. Global Alliance for Genomics and Health (GA4GH), Framework for Responsible Sharing of Genomic and Health-Related Data. ga4gh.org
  5. Wellcome Trust, Public Attitudes to Health Data Sharing: 2025 Global Survey. wellcome.org/reports
  6. African Union, Continental Health Data Governance Framework, 2024. au.int/documents
  7. Ostrom, E. (1990). Governing the Commons. Cambridge University Press. doi.org/10.1017/CBO9780511807763
  8. WHO, Pandemic Prevention, Preparedness and Response Treaty: Draft Negotiating Text, 2025. who.int/pandemic-treaty
  9. Grand View Research, Genomics Market Size Report 2025. grandviewresearch.com/genomics

This policy brief reflects the analysis of the GDEF Regulation & Policy Working Group. All data cited are from publicly available sources including the WHO, OECD, and the Lancet Digital Health Commission. The views expressed are those of the authors and do not necessarily represent the positions of GDEF member organisations.

← Back to all insights