Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

The biggest step in the digitisation of healthcare services has been taken by the Ministry of Health (MoH). In 2015, the MoH introduced E-Nabız (e-Pulse), a personal health record system. E-Nabız stores encrypted personal health records and lets patients access and review records such as laboratory tests, prescriptions, previous diagnoses and X-ray results. The system also allows patients to:

  • switch doctors and determine which doctors will be authorised to access such information;
  • manage their own data; and
  • request amendments to, or the deletion of, the data.

The data is encrypted, and patients can access their data only by entering their e-government password.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

Personal Health Data Regulation No. 30,808, published in the Official Gazette on 21 June 2019, and Circular No. 2016/6 on the E-Nabız Personal Health System together form the legal basis governing E-Nabız. The Circular states that the fundamental aim of E-Nabız is to secure a citizen's right to access and manage their personal health records pursuant to article 20 of the Constitution, which covers the protection of personal data. The system is accessible 24 hours a day, seven days a week, free of charge, through computers, mobile phones and wearable technology. According to MoH Health Information Systems Department statistics, as of December 2019, 10 million citizens were using E-Nabız.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

On 7 April 2016, Data Protection Law No. 6,698 (Data Protection Law) came into force. The Data Protection Law regulates the protection of personal data and created new obligations with which persons or entities dealing with personal data must comply.

The Data Protection Law was drafted in line with EU Directive 95/46/EC on data protection (EU Data Protection Directive) and therefore closely resembles it. However, the Data Protection Law is not identical to the EU Directive.

The Turkish Data Protection Authority (DPA) was granted the power to implement the Data Protection Law. Accordingly, the Turkish DPA has investigative powers to ascertain whether data controllers and data processors comply with the provisions of the Data Protection Law and, if deemed necessary, it may impose temporary preventative measures.

Pursuant to article 6 of the Data Protection Law, personal data relating to health, sexual life, biometric data and genetic data are deemed sensitive personal data. Sensitive personal data other than data relating to health and sexual life may be processed without the data subject's explicit consent in the cases provided for by other laws. Personal data relating to health and sexual life, by contrast, may be processed without the data subject's explicit consent only by persons under a confidentiality obligation or by authorised public institutions and organisations, and only for the purposes of:

  • protecting public health;
  • the facilitation of preventive medicine;
  • medical diagnosis;
  • treatment and nursing services; and
  • the planning and management of healthcare services, including their financing.

The restrictions introduced by the Data Protection Law leave limited room for processing health data without explicit consent. Unfortunately, to date, the DPA has issued no specific guidance or rules focusing on data protection in the healthcare sector.

On the other hand, the MoH has issued Personal Health Data Regulation No. 30,808, published in the Official Gazette on 21 June 2019, which regulates the procedures and principles to be followed in the processes and practices carried out by the central and provincial organisational units of the MoH and by the health service providers operating in conjunction with them.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

On 30 December 2017, the DPA issued the Regulation on the Data Controllers' Registry, which sets out the obligations that data controllers must comply with. Data controllers must appoint either a contact person or an authorised representative, depending on whether the data controller is based inside or outside Turkey. This person's name and contact details must be published online, and they are responsible for handling communication between data subjects and the data controller. However, this person is not a data protection officer as defined by Regulation (EU) 2016/679 (General Data Protection Regulation).

Even though the MoH has published a personal health data regulation governing the procedures and principles to be followed in the processes and practices carried out by the central and provincial organisational units of the MoH and by the health service providers operating in connection with them, the rules in that regulation merely replicate the rules set by the Data Protection Law.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

The DPA investigates and issues decisions on matters brought to its attention and on matters examined ex officio.

In practice, both patients and companies observe that healthcare providers do not inform their patients in accordance with the obligations set by the Communiqué on the Obligation of Information. Even where they do, the information provided omits important provisions and fails to inform data subjects in a transparent manner. In addition, despite the Data Protection Law having been in force for several years, healthcare providers are deemed to have taken no measures to protect patients' personal data.