There may be a debate over who should be given credit for the original metaphor ‘data is the new oil’, but there seems little argument over its veracity.
In the modern world of information technology, personalised services and lives managed from a smart device carried in our pockets, data, very often ‘personal data’, is one of the most valuable commodities enabling industries and businesses to operate successfully. The company valuations of Google, Facebook and the like illustrate just how much our data is worth. Consequently, it comes as no surprise that businesses collect, store, use and even sell our data whenever there is an opportunity to do so.
With the new UAE Federal Law No. 2 of 2019 Concerning the Use of the Information and Communication Technology in the Areas of Health (the “Law”), the UAE’s federal government takes another step towards protecting personal data and restricting its processing by means of information and communication technology.
The new Law comes at a time when many businesses in the UAE are still trying to understand and become compliant with the extensive piece of legislation that the European Union brought into effect in respect of data protection in May 2018, the GDPR. It may therefore be seen as a relief that the new UAE Law does not constitute a general data protection regime; as its name indicates, its subject matter is more specific, and ‘only’ businesses, authorities and professionals dealing with health data and information are addressed by the new legislation.
Industry insiders might even ask what the purpose of the new law is, as they are aware that patient data is already protected by UAE legislation. UAE Federal Law No. 4 of 2016 concerning Medical Liability ensures confidentiality of patients’ data, and UAE Federal Decree by Law No. 5 of 2012 on Combating Cyber Crimes specifically includes a provision to criminalise the unauthorised usage of medical data by use of modern telecommunication technology, just to give a few examples.
However, whereas those provisions protect patient data as one aspect of a broader statute, the Law is the first UAE legislation dedicated specifically to the protection of a category of data, namely health data and information.
As a federal law, it covers all Emirates of the UAE, and the free zones are explicitly included. Nor is there any restriction on the industry sectors to which the Law applies. Considering which businesses typically handle health data and information, we envisage that at least healthcare facilities and providers, pharmacies, medical insurance providers and intermediaries, service providers assisting with medical claims management, and technology service providers serving the healthcare industry will be affected by the new legislation, in addition to the concerned authorities in the UAE.
The Law’s objectives include, inter alia, ensuring the safety and security of health data and information, and ensuring the optimal use of information technology in the areas of health. The key obligations, as per Article 4 of the Law, in connection with any use of information and communication technology when processing health data and information include ensuring the confidentiality, accuracy and validity of the data, as well as its availability when needed; in security terms, the familiar confidentiality, integrity and availability requirements, here imposed by statute.
The Law provides for the UAE Health Authorities to set up a central data system and to set the bases, standards and controls required to ensure the safe processing of the relevant health data. All concerned parties will be required to join this system in accordance with procedures to be outlined in executive regulations, which are to be issued and published within the next six months.
Other noteworthy aspects of the Law include a data retention period of not less than 25 years. For anyone operating the systems concerned, a retention obligation of that length means that encrypted archives must remain readable across decades of key rotation, format migration and platform replacement, so key management and migration planning are part of compliance from the outset. In addition, the Health Authorities are to provide training courses on the security and safety of health data and information for individuals involved in the use of the relevant IT systems. Whether concerned entities will be required to have their staff complete specific training courses remains to be specified.
Furthermore, while details of the terms and controls for storing health data and information inside the UAE still need to be specified by a resolution of the Minister of Health and Prevention, it is important to note that Article 13 of the Law already prohibits storing, processing, generating or transferring health data and information outside the UAE where that data relates to health services provided inside the UAE. The only exception is where a resolution is issued by the Health Authority in coordination with the Ministry. In practice this catches not only primary storage but also the region of any cloud hosting, offsite backups and externally hosted analytics or support tooling, so service providers to the sector need to map where health data actually flows. The penalty for breach of this prohibition will be severe: Article 24 of the Law provides for fines of not less than AED 500,000 and not more than AED 700,000.
Other disciplinary sanctions for non-compliance with the Law include notices and warnings, as well as the suspension or cancellation of an establishment’s licence.
The Law obliges all concerned parties to regularise their status in accordance with the Law within a time frame that is yet to be specified in the executive regulations. Accordingly, there may still be some time to make the arrangements needed to become compliant.
In summary, the healthcare industry and related service providers should expect the legislation to have broad consequences. Further circulars and resolutions will be needed before the implications of the Law can be understood in detail. Businesses in the healthcare sector should nevertheless monitor legislative developments closely and obtain legal advice so as to be well positioned and prepared for the changes to come.