Introduction

On January 8 2016 the Social Security Institution announced details of the application form required to request access to the personal data that it holds. The application form was prepared by the Data Sharing Commission, established as part of the Social Security Institution pursuant to the Guidelines on the Procedures and Principles Relating to the Use, Sharing and Protection of Social Security Institution Data. The Social Security Institution's announcement referenced the guidelines and the relevant provisions that allow it to share healthcare data with third parties for research, planning and statistical purposes.

The publication of the new application form has addressed some of the concerns raised regarding the sharing of personal data by the Social Security Institution. However, in light of previous administrative and legislative challenges to state institutions sharing personal data, a number of important questions remain unanswered.

Facts

The possibility of the Social Security Institution sharing the personal data that it holds is not a new issue, given the nature of its involvement in the supervision and administration of health services and reimbursement.

In 2012 the Ministry of Employment and Social Security published a regulation relating to the protection of and access to general health insurance data held by the Social Security Institution and contracted healthcare service providers. The regulation laid the groundwork for the institution to evaluate and approve requests for data that it holds. The regulation also allowed the institution to enter into contracts with applicants regarding the provision of data. However, the regulation specified that personal data under the scope of general social security was not to be shared. The regulation was drafted and published by the ministry based on a provision in the Social Security Law that allowed such matters to be decided through regulations.

However, a December 25 2014 decision of the Constitutional Court declared that the provisions of the Social Security Law which provided the regulation's legislative grounds were unconstitutional. The decision referenced the fact that under the Constitution, measures relating to personal data must be made in legislation, thereby requiring the consensus of the legislature rather than the executive branch. The decision was published in the Official Gazette on May 23 2015. As the regulation's main legislative grounds had been removed, the ministry officially revoked it soon after.

Before the Constitutional Court decision came into effect, an amendment was made to the Social Security Institution Law that introduced a new statutory ground for the Social Security Institution to share personal data. Unlike the previous regulation, the amendment explicitly stated that the data owner's notarised consent was required before personal data could be shared. The new data sharing guidelines were based on the changes to the Social Security Institution Law.

During the legal and administrative process concerns were raised regarding the Social Security Institution's potential misuse of data. In particular, a Court of Accounts report stated that instances in which the Social Security Institution had sold healthcare data to third parties pursuant to the regulation had gone beyond the scope of the legislation, even if such information had been generalised and anonymised.

Scope of guidelines and new application form

The data sharing guidelines published following the conclusion of the legal and administrative challenges detailed the conditions under which the Social Security Institution can accept requests for data that it holds, including:

  • providing data to other state institutions to ensure the performance of their statutory obligations;
  • providing data to real persons regarding the processing and gathering of their own data by the Social Security Institution; and
  • providing data belonging to legal persons to third parties.

With regard to sharing information with other state institutions and sharing the information of legal persons, the guidelines state that under no circumstances should the Social Security Institution provide personal health data.

The guidelines allow for the sale of data to third parties. However, the data must:

  • be related to legal persons;
  • be provided pursuant to the notarised consent of said legal persons;
  • include no personal health data; and
  • allow for no direct or indirect identification of any healthcare service provider.

The data sharing guidelines also allow the Social Security Institution to share data for research, planning and statistics purposes for free. The guidelines state that such requests can be made only by:

  • public officials conducting scientific research;
  • scientific associations;
  • industry and trade associations; and
  • universities.

The recently published application form addresses this specific category of data sharing. Accordingly, the following information must be included on the form:

  • the name and purpose of the proposed research, planning or statistics project;
  • the reason behind the data request;
  • details of the project's contribution to Turkey and the Social Security Institution; and
  • the legal grounds or consent relating to the data request.

By making explicit reference to this information, the Social Security Institution has clarified that data requests will be evaluated by considering the aim of the project under review and whether the procedures relating to approval and consent have been followed and documented correctly. The fact that the Social Security Institution has provided a form that clarifies the application process could be regarded as a sign of its willingness to address previous complaints and concerns regarding the potential for arbitrary approval of requests and the misuse of data.

Despite these developments, questions remain regarding the Social Security Institution's system for selling data. Arguably, the criticism from the Court of Accounts that the sale of data goes beyond the Social Security Institution's statutory purview has not been fully addressed, even though the amendment to the Social Security Institution Law provides legal grounds for such a sale. Further, the fact that Turkey has no separate legislation for data protection, nor an independent data protection institution, has caused concern regarding the auditing and supervision of data sharing procedures. However, the second issue may soon be addressed, as Parliament is debating a draft data protection law. The draft law includes provisions regarding the use of data for research and statistical purposes, so the Social Security Institution may have to review its existing data sharing practices when it comes into force.

For further information on this topic please contact Selin Sinem Yalincakli Erciyas or Bentley James Yaffe by telephone (+90 212 354 00 00) or email (selin.yalincakli@gun.av.tr or james.yaffe@gun.av.tr). The Gün + Partners website can be accessed at www.gun.av.tr.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.