Healthcare data protection in the UAE

A new federal law

With Europe leading the charge on data privacy and protection in the form of the General Data Protection Regulation (GDPR) and the latest draft of the EU e-Privacy Regulation, the feeling in the Middle East in recent times is that it would be a positive move for Gulf nations to introduce specific local data protection and privacy regulations. The UAE Free Zones, such as the Dubai International Financial Centre, Abu Dhabi General Market and Dubai Healthcare City, do have specific data protection regimes in place that are largely modelled on, and inspired by, the privacy and data protection principles and guidelines contained in the 1995 Data Protection Directive and the 1980 OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. What has been noticeably absent in the UAE to date, however, is a specific federal data protection law – until now.

In February 2019, the President of the UAE issued Federal Law No 2 of 2019 (Health Data Law) which regulates the use of information technology and communications (ITC) in the healthcare sector. This is the first piece of federal legislation in the UAE that directly addresses data protection principles. The law introduces familiar data protection concepts such as purpose limitation, accuracy, security measures and consent to disclosure, similar to the GDPR.

The law is also timely in that it comes on the heels of a recent Opinion of the European Data Protection Board on the interplay between the GDPR and the EU regulation relating to clinical trials and a Recommendation from the Council of Europe on the protection of health-related data by EU Member States.

Who does it affect?

The Health Data Law applies to all entities operating in the UAE and the Free Zones that provide healthcare, health insurance, healthcare IT and other direct or indirect services related to the healthcare sector, or that are engaged in activities involving the handling of electronic health data (Health Service Providers).

What are the key components of the law?

Data processing

The Health Data Law regulates the processing of electronic health data originating in the UAE, including patient names, consultation, diagnosis and treatment data, alpha-numerical patient identifiers, common procedural technology codes, medical scan images and lab results (Health Data).

The law also introduces familiar data privacy and protection concepts:

  • Accuracy – Health Service Providers must ensure that the Health Data they process is accurate and reliable;
  • Purpose limitation – Health Data must not be used other than for the purpose of the provision of health services, except with the prior consent of the patient;
  • Consent to disclosure – Health Service Providers cannot disclose patient data to any third party without the prior consent of the patient or as permitted by law; and
  • Security measures – Health Data must be kept safe from unauthorised damage, amendment, alteration, deletion or addition using appropriate security measures.

What do you need to do?

Entities operating in the healthcare sector should begin looking at how they will comply with the Health Data Law. As the law relates to the processing of Health Data, a practical first step would be for entities to conduct a data discovery exercise to create an inventory of all data in scope for the law. In order to comply with the law, entities will also need to make changes to their policies, procedures, controls and systems. To do this, entities should first conduct a gap assessment against the Health Data Law to build up an implementation roadmap.

Below is PwC’s suggested approach to compliance with the Health Data Law.


Risk analysis and data discovery

How we can help

  • Stakeholder engagement and communications plan
  • Personal data inventory
  • Data flow maps showing the movement of personal data from collection through to disposal

Gap assessment

How we can help

  • Control gap analysis
  • Risk assessment based on current and planned future uses of personal data


Target operating model and programme design

How we can help

  • Detailed remediation project plan with identified organisational impact
  • Cross-functional working group established

Programme implementation

How we can help

  • Strategy and governance
  • Policy management
  • Cross-border data strategy
  • Data life-cycle management
  • Individual rights processing
  • Privacy by design
  • Information security
  • Privacy incident management
  • Data processor accountability
  • Training and awareness

Ongoing operations and monitoring

How we can help

  • Defined ongoing monitoring programme
  • Tracking and retesting of non-compliance
  • Protocols for changes to policies and procedures

Conclusion

As the Health Data Law was only published in February 2019, the full extent of its requirements remains to be seen. The law came into force in May 2019 but amounts to only a basic framework that sets initial rules and establishes the central IT system. Further implementing regulations detailing its application will follow later in 2019 and will provide important clarity in areas such as the rules and process for registering to access the centralised Health Data management system and any exceptions to the data localisation requirements.

It is expected that Health Service Providers will be provided a grace period in which to achieve compliance with the new law.

Contact us

Phil Mennie

Partner, Digital Trust, PwC Middle East

Tel: +971 56 369 7736