This is the fourth bulletin published by Clyde & Co's Commercial Group relating to data protection and privacy in the Middle East
Data protection and privacy are important considerations for all businesses. Failing to treat personal information in accordance with legislative requirements and best practice can have an adverse effect on a company's reputation and its relationship with its employees and customers.
Specific data protection regimes are now common in more developed juridictions. The laws of countries in the region, however, contain more limited provisions which deal with protecting family and personal secrets. In addition, comprehensive data protection regimes apply in regional free zones such as the Dubai International Financial Centre (DIFC), Dubai Healthcare City (DHCC) and the Qatar Financial Centre, where, among other things, ombudsmen and authorities are empowered to oversee the application and interpretation of applicable data protection legislation. Awareness of the importance of data protection and privacy issues is increasing, including in the Middle East, where there have been a number of developments in recent months.
This article provides a brief overview of data protection and privacy in the DHCC.
DHCC was established in 2002 as a centre for the provision of high quality, patient centred healthcare. The DHCC Authority, which is responsible for the regulation of DHCC, recognises that the protection of personal information and, in particular, medical information which relates to a patient's physical or mental health (Patient Health Information) is an essential aspect of a modern healthcare environment.
DHCC Regulation No. 7 of 2008 (2008 Regulation) regulates the protection of Patient Healthcare Information in the DHCC.
Objects of the 2008 Regulation
The 2008 Regulations sets out to, among other things:
- establish certain principles with respect to the collection, use and disclosure of Patient Healthcare Information by individuals and companies which have been issued with a licence by the DHCC Licensing Board (Licensee);
- establish principles in relation to a patient's right to access his or her Patient Health Information;
- create a safe environment to support the delivery of quality healthcare services;
- promote a flexible approach to the protection Patient Health Information; and
- establish a complaints mechanism for the investigation of complaints relating to Patient Health Information.
Application of the 2008 Regulation
The 2008 Regulation applies to all Licensees in their management of Patient Health Information regardless of where that Patient Health Information might be held. The 2008 Regulation can, therefore, apply to Patient Health Information that is located outside the DHCC.
The 2008 Regulation applies specifically to Patient Health Information which relates to:
- the health of a patient, including his or her medical history;
- any disabilities that a patient has, or has had;
- any healthcare services that are being provided, or have been provided, to that patient;
- the donation, by a patient, of any body part or any bodily substance; or
- information derived from the testing or examination of any body part, or any bodily substance.
Health Data Protection Principles
The largest section of the 2008 Regulation sets out a number of health data protection principles. These principles include, among other things, a requirement that Patient Health Information may only be collected by a Licensee where it is necessary to collect that information for a lawful purpose connected with the activities or functions of the relevant Licensee. The 2008 Regulation also places restrictions on when a personal identifier, which links information to an identifiable individual, may be attached to Personal Health Information.
The health data protection principles also:
- set out requirements for the collection, storage and security of Patient Health Information;
- regulate access to and the correction of incorrect Patient Health Information; and
- regulate the disclosure, use and retention of Patient Health information by Licensees.
Data Protection Ombudsman
The 2008 Regulation contains provisions relating to the appointment of a Health Data Protection Ombudsman in the DHCC. The Data Protection Onbudsman is intended to be responsible for administering the 2008 Regulation and promoting good practises in the DHCC in relation to Patient Health Information. Among other things, the Data Protection Ombudsman may:
- investigate complaints relating to interference with Patient Health Information;
- monitor compliance with the data protection principles (some of which are set out above);
- carry out research in relation to the protection of Patient Health Information; and
- organise educational programmes in an effort to promote the protection of Patient Health Information.
To date, no Data Protection Ombudsman has been appointed by the DHCC Authority in accordance with 2008 Regulation.
Access to and correcting Patient Health Information
In accordance with the 2008 Regulation, patients may request access to their Patient Health Information and may, in certain circumstances, request the amendment or deletion of Patient Health Information. The 2008 Regulation sets out those circumstances in which such amendments and deletions may be made, and also sets out certain circumstances when a Licensee may refuse a Patient access to his Patient Health Information.
Transfer of Patient Health Information
In a previous bulletin in this series, we discussed the transfer of data out of the DIFC (see here). The DIFC's Data Protection Law 2007 (DIFC Data Protection Law) and the 2008 Regulation are linked to the extent that they relate to the transfer of personal information. The 2008 Regulation states that Personal Health Information may only be transferred to a third party located outside the DHCC in certain circumstances, including where the jurisdiction to which the Patient Health Information will be transferred is considered to have an 'adequate level of protection' under the DIFC Data Protection Law. Significantly, neither the United Arab Emirates nor the United States is considered to be a jurisdiction with an adequate level of protection under the DIFC Data Protection Law.
The 2008 Regulation contains comprehensive data protection regulations. It is important that Licensees are aware of, and comply with, their obligations under the 2008 Regulations and that they have adequate policies and procedures in place to protect themselves and the Patient Health Information that they collect, store and process.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.