Saudi Arabia: Health data under the Personal Data Protection Law

Written By

Nona Keyhani

Associate
United Arab Emirates

I am an associate in the Commercial group based in our Dubai office, and I'm part of the Tech & Comms, Media & Entertainment and Sport teams in the Middle East. My experience involves work across a range of sectors and industries with a particular focus on technology, data privacy and digital transformation.

Nick O'Connell

Partner
United Arab Emirates

I am a Partner working in Tech & Comms and Privacy & Data Protection. I have been based in the Middle East for most of the last 18 years, assisting local and international clients by providing specialist legal support on diverse matters in the broader technology, media and telecommunications space.

Saudi Vision 2030 identifies healthcare as a key pillar for reform of the economic structure of Saudi Arabia. The Personal Data Protection Law (PDPL), the main law in the Kingdom regulating the use of personal data, provides for additional requirements for processing ‘health data’. As different types of data require different levels of protection, there are a number of additional conditions that should be addressed in the internal policies of the data controller. In this note we look at these specific requirements in more detail.

Appropriate measures

The data controller must take the appropriate organisational, technical and administrative measures to protect health data from unauthorised use, misuse or use for purposes other than those for which it was collected. While the PDPL does not define the measures required, they are likely to include a level of security appropriate to the risks presented by the processing activity. By way of comparison, under the GDPR the relevant considerations are the state of the art and the costs of implementation, as well as the nature, scope, context and purpose of the processing. This reflects a risk-based approach under which there is no ‘one size fits all’ solution to information security. It remains to be seen whether SDAIA (the competent authority) takes a similar approach in any guidance it may issue.

Implications for personnel

It is important for data controllers to ensure that the full potential of the workforce is realised in respect of information security and the management of applicable privacy controls. Accordingly, data controllers need to distribute tasks among employees in a way that prevents their responsibilities from overlapping. A related consideration is access level management for employees. Data controllers need to carefully consider different access levels depending on seniority, level of expertise and role in the organisation. This means access to health data should be restricted on a strict need-to-know basis to guarantee the highest standards of privacy. This principle is a fundamental security concept designed to limit access to sensitive data. In practice, it means an individual should only have access to the information that their job function requires, which in turn means conducting regular audits of data access rights within the organisation.
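The need-to-know principle and the periodic audit of access rights described above can be reduced to two checks: a read is allowed only when the user's role requires the field and the right has actually been granted, and an audit compares granted rights against the role baseline and against recent usage. The following is an added illustration, not code from the article or from the authors' firm; the roles, record fields, user names, the 90-day idle threshold and the access log are all constructed sample values, not anything prescribed by the PDPL.

```python
"""Need-to-know access checks and an access-rights audit for health records.

Added illustration only. Roles, fields, users, the idle threshold and the
access log are constructed sample data, not values from the PDPL or SDAIA.
"""
from collections import defaultdict
from datetime import date

# Fields of a health record that each job function actually requires
# (assumption: an illustrative minimal set for each role).
ROLE_FIELDS = {
    "physician":  {"patient_id", "diagnosis", "medication", "lab_results"},
    "billing":    {"patient_id", "insurance_policy", "invoice_total"},
    "pharmacist": {"patient_id", "medication"},
}

# Rights actually granted to each user: (role, granted fields).
# dr_ali and clerk_sara hold more than their role baseline; the audit flags this.
GRANTED = {
    "dr_ali":     ("physician", {"patient_id", "diagnosis", "medication",
                                 "lab_results", "invoice_total"}),
    "clerk_sara": ("billing", {"patient_id", "insurance_policy",
                               "invoice_total", "diagnosis"}),
    "pharm_omar": ("pharmacist", {"patient_id", "medication"}),
}

# Constructed access log: (user, field, date of last read).
ACCESS_LOG = [
    ("dr_ali", "patient_id", date(2025, 1, 5)),
    ("dr_ali", "diagnosis", date(2025, 1, 5)),
    ("dr_ali", "medication", date(2025, 1, 6)),
    ("clerk_sara", "patient_id", date(2025, 1, 6)),
    ("clerk_sara", "invoice_total", date(2025, 1, 6)),
    ("pharm_omar", "patient_id", date(2024, 9, 1)),
    ("pharm_omar", "medication", date(2024, 9, 1)),
]
TODAY = date(2025, 1, 10)


def can_access(user, field):
    """Need-to-know check: a field is readable only if the user's role
    requires it AND the right has been granted. A granted right that the
    role does not need is not honoured, so over-provisioning alone does
    not expose data while the audit catches up."""
    role, rights = GRANTED[user]
    return field in ROLE_FIELDS[role] and field in rights


def excess_rights():
    """Audit 1: rights granted beyond what each user's job function requires."""
    return {user: sorted(rights - ROLE_FIELDS[role])
            for user, (role, rights) in GRANTED.items()
            if rights - ROLE_FIELDS[role]}


def dormant_rights(access_log, today, max_idle_days=90):
    """Audit 2: granted rights not exercised within max_idle_days.
    A right never seen in the log counts as dormant."""
    last_used = defaultdict(dict)
    for user, field, when in access_log:
        prev = last_used[user].get(field)
        if prev is None or when > prev:
            last_used[user][field] = when
    result = {}
    for user, (_, rights) in GRANTED.items():
        stale = sorted(
            f for f in rights
            if (today - last_used[user].get(f, date.min)).days > max_idle_days
        )
        if stale:
            result[user] = stale
    return result


if __name__ == "__main__":
    print("clerk_sara may read diagnosis:", can_access("clerk_sara", "diagnosis"))
    print("rights beyond role baseline:", excess_rights())
    print("rights idle > 90 days:", dormant_rights(ACCESS_LOG, TODAY))
```

Both audit functions return per-user lists, which is the form a reviewer needs when deciding which grants to revoke; the design choice worth noting is that `can_access` consults the role baseline as well as the grant, so removing a field from a role's need-to-know set takes effect immediately rather than after the next rights clean-up.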

Data mapping

The data controller must document the processing of health data so that the relevant contact can be identified for each stage of the data lifecycle. Data mapping means carrying out regular information audits to establish what personal data is held and to understand how that information flows through the organisation. A useful tip is to maintain the data map in electronic form so that additions, deletions and amendments can be made easily.

Data minimisation 

The processing of health data should be limited to the minimum necessary to provide appropriate healthcare services. This means the data should be: (a) adequate – sufficient to properly fulfil the stated purpose; (b) relevant – having a rational link to that purpose; and (c) limited to what is necessary – not holding more than is needed for that purpose.

Next steps

The rules around the processing of health data affect a wide range of businesses, from healthcare providers and health insurance services to healthcare professionals. A key implication for data controllers is to ensure that their processing agreements reflect the additional considerations that apply under the PDPL to the processing of health data in particular.

While we await further regulatory guidance from SDAIA, the healthcare industry should be aware that any health data (and other sensitive personal data) is subject to higher standards of data protection than was previously the case in Saudi Arabia. It will also be necessary to consider and implement (where applicable) the health data related requirements of other relevant authorities, such as the Ministry of Health, the Saudi Health Council and the Council of Health Insurance.

For any further information on the requirements relating to health data under the Saudi data protection regime, please contact Nick O’Connell nick.oconnell@twobirds.com or Nona Keyhani nootash.keyhani@twobirds.com.
