UAE Health Data – new data transfer permissions


In 2019, Article 13 of Federal Law No 2 of 2019 (“Healthcare IT Law”) prevented UAE healthcare providers and other businesses involved in the industry from transferring data related to medical procedures in the UAE outside the country. The restriction extended to any storage or processing of such data, making the use of overseas cloud platforms or shared services within international groups problematic.

The UAE Ministry of Health and Community Prevention (“MOHAP”) has recently issued a Ministerial Decision (51 / 2021) which relaxes the restriction for certain categories of information and purposes of processing in ways which will be significant for online providers, research organisations and insurers, amongst others.

What data can be processed outside the UAE?

MOHAP’s decision confirms that certain exceptions to the data transfer restriction are now available. There are conditions attached to the exceptions, which are summarised further in the table below, including patient consent and encryption (which both apply in the majority of cases). For some of the categories of data, even though processing outside the UAE is permitted, a copy of the data still needs to be retained within the UAE.

In summary, the exceptions are:

  • For further treatment and research
  • Pharmacovigilance
  • For online health services
  • For insurance purposes
  • In national interests
  • Personal health devices
  • Patient request

Conditions

| Basis of exception | Emirate health authority approval needed | Patient consent needed | Coding requirement (we understand this to mean the data must be encrypted) | Anonymise | Retain copy in UAE | Further conditions |
|---|---|---|---|---|---|---|
| Treatment outside the UAE | No | Yes | Yes | No | No | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Examination of samples | No | Yes | Yes | No | No | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Scientific research | Yes | No | Yes | Yes | No | The research must be governed by standards which meet the requirements for research in the UAE; limit disclosure to concerned persons and for research purposes only; heightened security standards apply |
| Insurance | No | Yes | Yes | Yes | No | The decision seems to suggest that the recipient must be part of the same group of companies as the insurer / claims administrator operating in the UAE; the insurance policy number can only be disclosed outside the UAE if part of the claims processing system is outside the UAE; the highest security standards must be implemented |
| Cooperation with the UAE state | No | Yes | Yes | Yes | Yes | Limit disclosure to concerned persons; heightened security standards apply |
| Simple devices / tools | No | No | No | No | No | None specified |
| Pharmacovigilance | No | Yes | Yes | No | Yes | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Online health | No | Yes | No | No | Yes | Treating physician can only access the patient data held on the relevant system for a defined period; where any medical report or image is to be sent via the online service, only the treating physician shall be given access to the report. Although no “coding” requirement is specified, there are duties under other laws to keep secret information protected, particularly where disclosing to third parties, and there is a general duty under the Healthcare IT Law to protect patient data; therefore, online health providers should still ensure a high level of cybersecurity. |
| On patient request | No | Yes | Yes | No | Yes | Limit disclosure to concerned persons; limit disclosure to necessary information only |

Further exceptions

The decision also allows health authorities (i.e. at the Emirate level) to approve additional transfers of data provided that such transfers are confidential and do not prejudice public security, national interests or public health and provided that no medical secrets of any person can be disclosed without the written consent of the patient. A copy of any such data will also need to be retained in the UAE.

What should businesses do next?

The Ministerial Decision will provide welcome clarification for a number of businesses; however, the decision clearly imposes certain obligations on those looking to rely on it. Any business which may want to rely on one of the exceptions provided for should assess the conditions attached to the exception, implement processes for creating a compliance audit trail (for example, a consent capturing mechanism, if applicable) and assess that the transfer will be conducted in a technically compliant manner (such as through the use of encryption techniques). Although these exceptions apply in relation to Article 13, the business in question will still need to ensure compliance with the remaining provisions of the Healthcare IT Law in connection with the transfer and processing, including Article 4, which requires that health data and information be kept confidential, disclosed only where authorised, and protected against destruction or unauthorised amendment, alteration, deletion or addition. Article 16 imposes purpose limitation on the use of the data by the recipient party. Any transfer to a third party overseas should be governed by appropriate contractual protections to ensure the transferring party in the UAE is discharging its duties, and the transferring party should have some mechanism to assess the capability of the recipient party to comply (such as an initial due diligence assessment and ongoing audit rights).

If data is flowing from, or via, a business in a free zone with its own data protection law or regulation (DIFC, ADGM, Dubai Healthcare City), then all disclosures also need to remain compliant with those laws, so any disclosures or data flows should be considered against that backdrop, if relevant.

Businesses should also note that the new UAE Consumer Protection Law is pending detailed Implementing Regulations, which are due to be released imminently, and these may also impose new data protection obligations on healthcare providers.