The Ministry of Health issued the Regulation on the Processing and Privacy of Personal Health Data ("Regulation"), which elucidates certain restrictions and rules on the processing of personal health data. The Regulation was published in the Official Gazette on October 20, 2016, and entered into force on the same date.
The health sector has been one of the sectors in which personal data protection has been intensely debated. Up until today, many laws and regulations included certain rules regarding the processing and protection of health data, yet many of those were partially or wholly repealed by the courts on the grounds of unconstitutionality.
The Law on the Protection of Personal Data ("Law"), which entered into force on April 7, 2016, introduced significant provisions on personal data processing and the protection of health data, as well as changes to the overall health legislation in order to achieve consistency with the Law. The Law also authorized the Ministry of Health to issue regulations regarding the processing and safety of personal health data, as well as the application of the relevant changes made in the health legislation.
What does the Regulation say?
The Regulation's scope covers health service providers, persons who process health data, persons who provide data processing systems in health services, and "state institutions and organizations and real and legal persons of private law who process personal health data based on legislation." As the Regulation only applies to those "who process personal health data based on legislation," it does not include all health data processors.
The Regulation contains many provisions parallel to those of the Law, such as the principles of data processing, the rights of the data subject, and the obligation to inform. In addition, the Regulation includes additional rules on issues that are stipulated under the Law, such as data security, obtaining explicit consent, and transferring data. Finally, the Regulation includes rules on areas that are not regulated under the Law, such as the establishment of the Personal Health Data Commission, and the introduction of the Personal Health Record System and the Central Health Data System.
In areas where the Regulation does not conflict with the Law but provides additional obligations, the Regulation will be applicable; however, how the Law and the Regulation will be jointly applied will be shaped over time by legislation and court decisions.
The Regulation elaborated on the principles provided by the Law and responded to many questions regarding the processing of health data. Unresolved issues are expected to be addressed in the future by new regulations or communiqués.