3. August 2021
In February 2019, the President of the United Arab Emirates issued Federal Law No. 2 of 2019 (Health Data Law). This law regulates the use of information and communications technology (ICT) in the healthcare sector for the entire UAE, including the free zones. It came into force in May 2019 and aims to allow the UAE Ministry of Health and Prevention (the Ministry) to collect, analyse, and maintain health information at state level in the UAE.
The Health Data Law also ensures that ICT standards and practices adopted in the UAE meet the level of standards used by counterparts internationally and guarantees the security and safety of health data. This has meant the introduction of similar core concepts to those found in the General Data Protection Regulation (GDPR) under EU law – for example, security measures and consent for data disclosure, purpose limitation for data processing, and data accuracy requirements.
Here, we provide a rundown of how the Health Data Law works, what information it protects, and whether there are any exemptions to its data localisation requirement.
The Health Data Law provides for the establishment of a centralised data exchange system under the Ministry's control, to manage the collection and exchange of health data by and between relevant authorities and other concerned parties. Users can access and exchange data in a controlled, secure, and uniform way, and the intention is for the system to eventually include all patient files in the UAE.
Cabinet Resolution No. 32 of 2020 concerning the Executive Regulation of the Health Data Law, which came into force in October 2020, includes additional details regarding how authorised users join the centralised system, what their duties and responsibilities are, and how they need to store health data. Important aspects of this legislation include:
In terms of time frames, the Health Data Law specifies a minimum data retention period of 25 years (possibly longer where appropriate) from the date that the last health procedure was performed on the patient. This is very different to the data storage requirements under GDPR.
Various outstanding matters regarding the central system and other aspects of health data protection still need to be addressed in greater detail. Even so, the Health Data Law makes it obligatory for businesses that deal with health data to introduce operational, organisational, and technical procedures to ensure the security and integrity of their health data – including the security of data accessibility for authorised users.
Like other international general data protection regimes and the data protection frameworks applicable in the financial free zones of the UAE (ie the DIFC and ADGM), the Health Data Law sets out several criteria that must be observed when processing health data. Businesses must:
The Health Data Law recognises limited exceptions to the disclosure restrictions concept. Businesses may use health data without the patient’s consent:
A major concern for many international operating service providers is the data localisation requirement included in the Health Data Law. It prevents businesses from storing, processing, generating, or transferring health data outside the UAE, unless the activity has been approved by a resolution of a concerned health authority or the Ministry. Breaching this requirement can result in a penalty between AED 500,000 and AED 700,000.
The scope of health data protected by the Health Data Law is very wide. It includes all electronic data related to health and originating in the UAE, regardless of its form or whether its related to health facilities, health authorities, insurance facilities, or beneficiaries of health services. Examples of health data protected by the Health Data Law are patient names, data collected in a consultation or connected to diagnosis and treatment, and alpha-numerical identifiers. As a result, the Health Data Law is not only relevant to healthcare services providers or health insurers, but also to businesses that provide healthcare IT and other indirect services related to the healthcare sector, or that handle electronic health data.
For a long time, there was no resolution or additional executive regulation to address potential exceptions. It wasn't until April 2021 – when Ministry Resolution No. 51 of 2021 concerning cases where health data and information may be stored or transferred outside the UAE was issued – that legislation was brought in to allow for some exceptions to the data localisation requirement (we understand this legislation came into effect on 16 May 2021).
Under Resolution No.51, you are permitted to undertake some international health data transfers in several scenarios, including when the health data:
Businesses that transfer health data under any of these exceptions are still subject to strict controls involving one or more of the following requirements:
Even where the transfer of the health data outside the UAE is permitted, a copy of the data must always be stored inside the UAE. What's more, for many business activities the Health Data Law continues to stipulate that health data must be stored on UAE-based servers (in-line with other existing laws) and control access and processing activities must be comply with the Health Data Law.
Businesses that need to transfer health data outside the UAE that can't take advantage of Resolution No.51's exemptions aren't entirely out of luck, however – they can still contact the relevant health authorities directly to request the necessary permissions.
Please reach out to a member of our team to discuss how we can support you with your discussions with the authorities, or if you'd like any other advice about the health data protection regime in the UAE.