In 2019, Article 13 of Federal Law No 2 of 2019 (the "Healthcare IT Law") prohibited UAE healthcare providers, and other businesses involved in the sector, from transferring data relating to medical procedures performed in the UAE outside the country. The restriction extended to any storage or processing of such data abroad, which made the use of overseas cloud platforms, or of shared services within international groups, problematic.
The UAE Ministry of Health and Community Prevention (“MOHAP”) has recently issued a Ministerial Decision (51 / 2021) which relaxes the restriction for certain categories of information and purposes of processing in ways which will be significant for online providers, research organisations and insurers, amongst others.
What data can be processed outside the UAE?
MOHAP’s decision confirms that certain exceptions to the data transfer restriction are now available. There are conditions attached to the exceptions, which are summarised further in the table below, including patient consent and encryption (which both apply in the majority of cases). For some of the categories of data, even though processing outside the UAE is permitted, a copy of the data still needs to be retained within the UAE.
In summary, the exceptions are:
- For further treatment and research
- For online health services
Conditions
| Basis of exception | Emirate health authority approval needed | Patient consent needed | Coding requirement (we understand this to mean the data must be encrypted) | Anonymise | Retain copy in UAE | Further conditions |
|---|---|---|---|---|---|---|
| Treatment outside the UAE | No | Yes | Yes | No | No | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Examination of samples | No | Yes | Yes | No | No | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Scientific research | Yes | No | Yes | Yes | No | The research must be governed by standards which meet the requirements for research in the UAE; limit disclosure to concerned persons and for research purposes only; heightened security standards apply |
| Insurance | No | Yes | Yes | Yes | No | The decision seems to suggest that the recipient must be part of the same group of companies as the insurer / claims administrator operating in the UAE; the insurance policy number can only be disclosed outside the UAE if part of the claims processing system is outside the UAE; the highest security standards must be implemented |
| Cooperation with the UAE state | No | Yes | Yes | Yes | Yes | Limit disclosure to concerned persons; heightened security standards apply |
| Simple devices / tools | No | No | No | No | No | None specified |
| Pharmacovigilance | No | Yes | Yes | No | Yes | Limit disclosure to concerned persons; limit disclosure to necessary information only |
| Online health | No | Yes | No | No | Yes | The treating physician can only access the patient data held on the relevant system for a defined period; where any medical report or image is to be sent via the online service, only the treating physician shall be given access to the report. Although no "coding" requirement is specified, there are duties under other laws to keep secret information protected, particularly where disclosing to third parties, and there is a general duty under the Healthcare IT Law to protect patient data; online health providers should therefore still ensure a high level of cybersecurity. |
| On patient request | No | Yes | Yes | No | Yes | Limit disclosure to concerned persons; limit disclosure to necessary information only |
Further exceptions
The decision also allows health authorities (i.e. at the Emirate level) to approve additional transfers of data provided that such transfers are confidential and do not prejudice public security, national interests or public health and provided that no medical secrets of any person can be disclosed without the written consent of the patient. A copy of any such data will also need to be retained in the UAE.
What should businesses do next?
The Ministerial Decision will provide welcome clarification for a number of businesses; however, it clearly imposes obligations on those looking to rely on it. Any business which may want to rely on one of the exceptions should assess the conditions attached to that exception, implement processes for creating a compliance audit trail (for example, a consent-capturing mechanism, where consent is required) and verify that the transfer will be conducted in a technically compliant manner (such as through the use of encryption). Although these exceptions apply in relation to Article 13, the business in question will still need to ensure compliance with the remaining provisions of the Healthcare IT Law in connection with the transfer and processing. These include Article 4, which requires that health data and information be kept confidential, disclosed only where authorised, and protected against destruction or unauthorised amendment, alteration, deletion or addition, and Article 16, which imposes purpose limitation on the recipient's use of the data. Any transfer to a third party overseas should be governed by appropriate contractual protections to ensure the transferring party in the UAE is discharging its duties, and the transferring party should have some mechanism to assess the recipient's capability to comply (such as an initial due diligence assessment and ongoing audit rights).
If data is flowing from, or via, a business in a free zone with its own data protection law or regulation (DIFC, ADGM, Dubai Healthcare City) then all disclosures also need to remain compliant with those laws so any disclosures or data flows should be considered against that backdrop, if relevant.
Businesses should also note that the new UAE Consumer Protection Law is pending detailed Implementing Regulations which are due to be released imminently and these may also impose new data protection obligations on healthcare providers.