Health data in light of the Personal Data Protection Law
In light of the new personal data law in Saudi Arabia, the implementing regulations shared with the public, and the controls and procedures for handling medical and health data in general, it is important to shed more light on the controls that must be implemented and applied when dealing with such sensitive data.
The implementing regulations oblige the entities controlling the data to apply sufficient organizational, technological, technical, and administrative means and measures to protect health data from any unauthorized use, misuse, or use for any purpose other than that for which the data has been collected. Also, such data controllers shall apply any means and measures that ensure the confidentiality of health data.
To elaborate on such measures, the entities dealing with and handling health data must adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Central Bank and the Saudi Health Council. This is done in coordination with the Council of Health Insurance and related entities, which identify the tasks and responsibilities of the employees of healthcare providers, health insurance companies, health insurance claims management companies and the associated parties with which they enter into contracts, where those parties are engaged in processing health data.
These controlling entities must also prevent access by any entity or individual to such data, other than the medical team assigned to the case and the employee tasked with entering and processing such data, and only to the extent needed.
Furthermore, entities have to limit the processing of health data, to the extent possible, to the minimum number of employees, who must be trustworthy and accountable, and must define their roles and the limits of their duties. Employees must sign an agreement to maintain the confidentiality of, and not disclose, such data.
In addition, entities must prevent any overlap of roles or unclear distribution of the responsibility for protecting health data, and must ensure graduated access to data among employees so that the highest level of data protection is maintained.
As for documentation, entities must document all stages of the processing of health data. They must also clearly include, in the contracts entered into between the controller (these entities) and data processors for carrying out tasks related to the processing of health data, the legal clauses needed to give effect to the foregoing measures.
• Dimah Talal Alsharif is a Saudi lawyer and legal consultant. Twitter: @dimah_alsharif