The Personal Health Data Regulation (the "Regulation") was published in the Turkish Official Gazette dated 21 June 2019 and numbered 30808, repealing the previous Regulation on Processing and Ensuring the Privacy of Personal Health Data published in the Turkish Official Gazette dated 20 October 2016 and numbered 29863. The new regulation sets forth the personal health data processing regime that public institutions and private legal entities must comply with.
Developments introduced by the Regulation
The Regulation follows the trend of increasing personal data protection measures. For instance, according to Article 5/3 of the Regulation, individual data subjects cannot be forced to disclose their former personal health data, except for the provision of healthcare services. Further, the Regulation requires the implementation of anonymisation, masking measures and identification restrictions that prevent the relevant data subject from being identified in the event of any unauthorised acquisition of personal health data.
The Regulation also introduces rigorous provisions concerning access to personal health data by healthcare organisations. Article 6 of the Regulation explicitly restricts the access of healthcare staff to personal health data unless such access is necessary for the provision of the healthcare service in question. In that respect, the Regulation also governs access to the State's online healthcare platform "e-Pulse" (e-Nabız) and states that the health data of individuals in their e-Pulse (e-Nabız) accounts is only accessible depending on their preferred privacy settings. Accordingly, data subjects can limit the general access of healthcare institutions to their data by changing their privacy preferences.
Concerning the access to the personal health data of data subjects without e-Pulse accounts, however, healthcare professionals must comply with specific provisions. Accordingly, health data of individuals without an e-Pulse account is only accessible by (i) such individual's general practitioner registered in the family doctor system, without any time limitation; (ii) the doctor contacted by the patient, until the health services or related processes in question are completed; (iii) practitioners working at the relevant health service provider, for a period of 24 hours starting from the registration of the patient; and (iv) practitioners working at the healthcare service provider where the patient is hospitalised, until the release of the patient.
Further, the Regulation allows the Turkish Ministry of Health to restrict access to confidential data that can negatively affect the subject's social life and mental health in case such data is accessed without authorisation by third parties. The Regulation introduces personal health data provisions for deceased individuals. Accordingly, the personal health data of the deceased will be stored for a minimum period of 20 years and legal heirs of such deceased person will separately be authorised to access such data provided that they present the relevant certificate of inheritance.
Further to restrictions introduced by the Regulation, lawyers can no longer access their client's personal health data with a general power of attorney. According to Article 10 of the Regulation, a special power of attorney that includes the client's explicit consent regarding the processing and transfer of their personal health data is necessary for a lawyer to access such personal health data.
It is clear that regulating the fundamentals of personal health data is crucial as it involves different actors and varying levels of protection. Turkish legislative developments appear to be in line with the EU data security rules that have significantly evolved since the implementation of the EU's General Data Protection Regulation. European guidelines are, therefore, being viewed as a reference to set up international standards in processing personal health data.