Healthcare Data Protection In The UAE - PwC

Healthcare dataprotection inthe UAEA new federal law

With Europe leading the charge ondata privacy and protection in theform of the General Data ProtectionRegulation (GDPR) and the latestdraft of the EU e-Privacy Regulation,the feeling in the Middle East inrecent times is that it would be apositive move for Gulf nations tointroduce specific local dataprotection and privacy regulations.The UAE Free Zones, such as theDubai International Financial Centre,Abu Dhabi General Market and Dubai2Healthcare data protection in the UAEHealthcare City, do have specificdata protection regimes in place thatare largely modelled on, and inspiredby, the privacy and data protectionprinciples and guidelines containedin the 1995 Data Protection Directiveand 1980 OECD Guidelines on theProtection of Privacy and Transborder Flows of Personal Data.What has been noticeably absent inthe UAE to date however, has beena specific federal data protection law– until now.In February 2019, the President of theUAE issued Federal Law No 2 of 2019(Health Data Law) which regulatesthe use of information technology andcommunications (ITC) in thehealthcare sector. This is the first pieceof federal legislation in the UAE thatdirectly addresses data protectionprinciples. The law introduces familiardata protection concepts such aspurpose limitation, accuracy, securitymeasures and consent to disclosure,similar to the GDPR.

Contents2Who does it affect?3What are the keycomponents of the law?4What do you need to do?5Conclusion6Contact usThe law is also timely in that it comeson the heels of a recent Opinion of theEuropean Data Protection Board onthe interplay between the GDPR andthe EU regulation relating to clinicaltrials and a Recommendation fromthe Council of Europe on theprotection of health-related data byEU Member States.Healthcare data protection in the UAE1

Who does it affect?The Health Data Law applies to all entities operating in the UAE and the Free Zonesthat provide healthcare, health insurance, healthcare IT and other direct or indirectservices related to the healthcare sector, or engaged in activities that involvehandling of electronic health data (Health Service Providers).2Healthcare data protection in the UAE

What are the key components of the law?Data processingData localisationThe Health Data Law regulates theprocessing of electronic health dataoriginating in the UAE, including patientnames, consultation, diagnosis andtreatment data, alpha-numerical patientidentifiers, common procedural technologycodes, medical scan images and lab results(Health Data).One of the most impactful aspects of thisnew law will be the general prohibition ontransferring health data outside the UAEunless authorised by the relevant healthauthority in coordination with thegovernment ministry (Article 13). Thisprovision represents a codification of thelong-time informal regulatory policy thatHealth Data must be processed and storedinside the UAE.The law also introduces familiar data privacyand protection concepts: Accuracy – Healthcare Service Providersmust ensure that the Health Data theyprocess is accurate and reliable;Purpose limitation – Health Data mustnot be used other than for the purpose ofthe provision of health services, exceptwith the prior consent of the patient;Consent to disclosure – Health ServiceProviders cannot disclose patient data toany third party without the prior consentof the patient or as permitted by law; andSecurity measures – Health Data mustbe kept safe from unauthoriseddamage, amendment, alteration,deletion or addition using appropriatesecurity measures.Data securityArticle 4 of the Health Data Law mandatesthat all Health Service Providers that use ICTon Health Data ensure that such informationwill be kept confidential and will not be sharedwithout authorisation. In terms of security, thelaw is faithful to the principles of the GDPR,requiring the ‘validity and credibility’ of theHealth Data to be ensured by keeping it safefrom ‘non-authorised damage, amendment,alteration, deletion or addition.’The law also requires Health Service Providersto ensure the availability of Health Data andfacilitate the access to it by those authorised tohave such access. This includes allowingaccess only to those authorised personnel whounderstand the need for patient confidentiality.In keeping with international data protectionstandards and best practices, the HealthData Law requires entities to introducetechnical, operational and organisationalprocedures to ensure the integrity andsecurity of Health Data.From a practical perspective, the requirementwill have a significant impact on businessescurrently relying on data storage solutionsor data processors outside the UAE (e.g. viacloud or hosting services). Article 13 willequally impact those providers currentlyoffering such services into the UAE.Whilst some relief may be provided (as thelaw envisages certain exceptions to thisdata localisation requirements), this will onlycome down the line in subsequent ministerialresolutions or the implementing regulations.Data retentionUnder Article 20, Health Data must beretained for as long as it is required but in anyevent not less than 25 years from the date onwhich the last procedure on the patient wasconducted. The Health Data Law departsfrom the GDPR in this respect, with the latterrequiring personal data be kept for no longerthan is necessary for the purposes for whichthe personal data are processed. Thisrepresents a significant compliance burdenfor Health Service Providers who mustensure that they have the capabilities anddata storage systems to comply.Exceptions to disclosurerestrictionsUnder Article 16, Health Service Providersmay use or disclose Health Data without theconsent of the patient: to allow insurance companies and otherentities funding the medical services toverify financial entitlements; for scientific research (provided that theidentity of the patient is not disclosed andapplicable scientific research standardsand guidelines are complied with); for public health preventive andtreatment measures; to comply with a request from acompetent judicial authority; or to comply with a request from therelevant health authority for public healthpurposes including inspections.SanctionsThe law contains a regime of sanctions fornon-compliance including disciplinaryactions and monetary fines which may beimposed by a disciplinary committed withineach health authority. These sanctions maybe imposed, for example, for violating thedata localisation rules.Specifically, sanctions include: the potential suspension or withdrawal ofthe licence to use the central IT system; a formal notice or warning from therelevant health authority; and/or fines ranging from AED 1,000 toAED 1,000,000.Centrally controlledhealthcare IT systemA centralised Health Data managementsystem, controlled by the Ministry of Healthand Prevention, will be developed. Thesystem will house the Health Data collectedby Health Service Providers and will enablethem to access and exchange this data in auniform and secure way, subject to anycontrols determined by government.Healthcare data protection in the UAE3

What do you need to do?Entities operating in the healthcare sector should begin looking at how they will comply with theHealth Data Law. As the law relates to the processing of Health Data, a practical first step wouldbe for entities to conduct a data discovery exercise to create an inventory of all data in scope forthe law. In order to comply with the law, entities will also need to make changes to their policies,procedures, controls and systems. To do this, entities should first conduct a gap assessmentagainst the Health Data Law to build up an implementation roadmap.Assess currentcapabilitiesBelow is PwC’s suggested approach to compliance with the Health Data Law.Risk analysis anddata discoveryHow we can help Stakeholder engagement and communications plan Personal data inventory Data flow maps showing the movement of personal data fromcollection through to disposalGap assessmentHow we can help Control gap analysisDesign the future state Risk assessment based on current and planned future uses ofpersonal dataTarget operating model andprogramme designHow we can help Detailed remediation project plan with identified organisational impact Cross-functional working group establishedProgramme implementationHow we can help Strategy and governance Policy management Cross-border data strategy Data life-cycle management Individual rights processing Privacy by designOperate and sustain Information security4 Privacy incident management Data processor accountability Training and awarenessOngoing operations andmonitoringHealthcare data protection in the UAEHow we can help Defined ongoing monitoring programme Tracking and retesting of non-compliance Protocols for changes to policies and procedures

ConclusionAs the Health Data Law was only published in February 2019, the full extent of itsrequirements remain to be seen. The law will come into force in May 2019 but will amountto only a basic framework to set initial rules and establish the central IT system. Furtherimplementing regulations detailing its application will follow by August 2019, which willprovide important clarity in areas such as the rules and process for registering to accessthe centralised Health Data management system and any exceptions to the datalocalisation requirements.It is expected that Health Service Providers will be provided a grace period in which toachieve compliance with the new law.Healthcare data protection in the UAE5

Contact usFor more information on how this affects your organisation, please get in touch.Matthew WhitePartner, Digital Trust LeaderM: 971 (0)56 113 4205E: matthew.white@pwc.comHamish ClarkPartner, Health IndustriesConsulting LeaderM: 971 (0)50 634 6943E: hamish.clark@pwc.comRichard ChudzynskiSenior Manager, PwC LegalGordon WadeManager, PwC LegalM: 971 (0)56 417 6591E: richard.chudzynski@pwc.comM: 971 (0)50 143 5619E: gordon.wade@pwc.comPhil MennieDirector, Digital TrustM: 971 (0)56 369 7736E: phil.mennie@pwc.comThis content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. 2019 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.190403-101052-PB-OS

(Health Data Law) which regulates the use of information technology and communications ( ITC) in the healthcare sector. This is the first piece of federal legislation in the UAE that directly addresses data protection principles. The law introduces familiar data protectio