With Europe leading the charge on data privacy and protection in the form of the General Data Protection Regulation (GDPR) and the latest draft of the EU e-Privacy Regulation, the feeling in the Middle East in recent times is that it would be a positive move for Gulf nations to introduce specific local data protection and privacy regulations. The UAE Free Zones, such as the Dubai International Financial Centre, Abu Dhabi General Market and Dubai Healthcare City, do have specific data protection regimes in place that are largely modelled on, and inspired by, the privacy and data protection principles and guidelines contained in the 1995 Data Protection Directive and 1980 OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. What has been noticeably absent in the UAE to date however, has been a specific federal data protection law – until now.
In February 2019, the President of the UAE issued Federal Law No 2 of 2019 (Health Data Law) which regulates the use of information technology and communications (ITC) in the healthcare sector. This is the first piece of federal legislation in the UAE that directly addresses data protection principles. The law introduces familiar data protection concepts such as purpose limitation, accuracy, security measures and consent to disclosure, similar to the GDPR.
The law is also timely in that it comes on the heels of a recent Opinion of the European Data Protection Board on the interplay between the GDPR and the EU regulation relating to clinical trials and a Recommendation from the Council of Europe on the protection of health-related data by EU Member States.
The Health Data Law applies to all entities operating in the UAE and the Free Zones that provide healthcare, health insurance, healthcare IT and other direct or indirect services related to the healthcare sector, or engaged in activities that involve handling of electronic health data (Health Service Providers).
The Health Data Law regulates the processing of electronic health data originating in the UAE, including patient names, consultation, diagnosis and treatment data, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and lab results (Health Data).
The law also introduces familiar data privacy and protection concepts:
Entities operating in the healthcare sector should begin looking at how they will comply with the Health Data Law. As the law relates to the processing of Health Data, a practical first step would be for entities to conduct a data discovery exercise to create an inventory of all data in scope for the law. In order to comply with the law, entities will also need to make changes to their policies, procedures, controls and systems. To do this, entities should first conduct a gap assessment against the Health Data Law to build up an implementation roadmap.
Below is PwC’s suggested approach to compliance with the Health Data Law.
As the Health Data Law was only published in February 2019, the full extent of its requirements remain to be seen. The law came into force in May 2019 but amounts to only a basic framework to set initial rules and establish the central IT system. Further implementing regulations detailing its application will follow later in 2019, which will provide important clarity in areas such as the rules and process for registering to access the centralised Health Data management system and any exceptions to the data localisation requirements.
It is expected that Health Service Providers will be provided a grace period in which to achieve compliance with the new law.