DLA Piper Intelligence

Data Protection
Laws of the World

Law

UAE - Dubai Health Care City Free Zone
Note: Please also see UAE – General, UAE – DIFC, UAE – ADGM.

The Dubai Healthcare City (DHCC), a healthcare free zone in Dubai, implemented DHCC Health Data Protection Regulation No 7 of 2013 (which repealed and replaced the DHCC Data Protection regulation No. 7 of 2008) (HDPR).

The HDPR regulates the protection of Patient Health Information, as opposed to personal data generally. The HDPR applies to healthcare professionals working in the DHCC with access to Patient Health Information (Licensees), including any of the following:

  • Licensed Healthcare Professional
  • Licensed Complementary and Alternative Medicine Professional
  • Licensed Healthcare Operator
  • Approved Education Operator
  • Approved Research Operator
  • Licensed Commercial Company
  • Non-Clinical Operating Permit Holder
Last modified 4 Feb 2019
Definitions

Definition of personal data

The relevant defined term is 'Patient Health Information' which is defined as information about a patient — whether spoken, written, or contained in an electronic record — that is created or received by any Licensee, that relates to the physical or mental health or condition of the patient, including the reports from any diagnostic procedures and information related to the payment for services.

Definition of process, processed, processes and processing

Any operation or set of operations that is performed on Patient Health Information, whether or not by automatic means, such as:

  • Collection
  • Recording
  • Organization
  • Storage
  • Adaptation or alteration
  • Retrieval
  • Consultation
  • Use
  • Disclosure by transmission
  • Dissemination or otherwise making available
  • Alignment
  • Erasure
  • Destruction
Authority

The DHCC Board of Directors and the Executive Body of the Dubai Healthcare City Authority (DHCA) are responsible for ensuring proper administration of the HDPR and any rules, standards and policies made under the HDPR.

The Centre for Healthcare Planning and Quality is responsible for the compliance and enforcement of the HDPR (CPQ).

Dubai Healthcare City Authority - Regulatory
Tel: +971-4-3838300
Fax: +971-4-3838300
info@dhcr.gov.ae

Registration

Not applicable.

Data Protection Officers

There is a requirement for each Licensee to have at least one Data Protection Officer.

Data Protection Officer responsibilities include:

  • Encouraging the Licensee’s compliance with the HDPR
  • Dealing with requests made to the Licensee under the HDPR
  • Otherwise ensuring compliance by the Licensee with the provisions of the HDPR (section 40 HDPR)
Collection & Processing

Patient Health Information is not permitted to be collected by any Licensee unless it is for a lawful purpose and the collection is necessary for that purpose (article 27 HDPR). However, the meaning of lawful purpose is not defined in the HDPR.

Patient Health Information should be collected from the patient directly unless the Licensee has reasonable grounds to believe any of the following things to be true:

  • That the patient concerned authorizes collection of the information from someone else having been made aware of the matters set out in section 29(1)
  • That the patient is unable to give his or her authority, and the Licensee—having made the patient’s representative aware of the matters set out in section 29(1)—collects the Patient Health Information from the representative (or the representative authorizes collection from someone else)
  • That compliance would prejudice the:
    • Interests of the patient
    • Purposes of collection, or
    • Safety of any individual
  • That compliance is not reasonably practicable in the circumstances of the particular case
  • That the collection is for the purpose of assembling a family or genetic history of a patient and is collected directly from that patient and / or the patient’s representative
  • That the Patient Health Information is publicly available information
  • That the Patient Health Information:
    • Will not be used in a form in which the patient is identified
    • Will be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the patient, or
    • Will be used for research purposes (for which approval by an ethics committee, if required, has been given) and will not be published in a form that could reasonably be expected to identify the patient
  • That non-compliance is necessary:
    • To avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution and punishment of offenses
    • For the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation) (section 28 HDPR)
Transfer

Patient Health Information may only be transferred to a third party located in a jurisdiction outside DHCC if all of the following conditions are satisfied:

  • An adequate level of protection for that Patient Health Information is ensured by the laws and regulations that are applicable to the third party
  • The transfer is either:
    • Authorized by the patient
    • Necessary for the ongoing provision of Healthcare Services to the patient

A jurisdiction shall be considered to have an adequate level of protection if that jurisdiction is listed as an acceptable jurisdiction under the Dubai International Financial Center Data Protection Law No. 1 of 2007, or has the written approval of the Central Governance Board.

The DHCC Healthcare Data Protection Regulation of 2008 contained a provision which permitted the transfer of Patient Health Information to a jurisdiction without adequate protection if a permit was sought.

However, this was removed under the HDPR, and the Central Governance Board does not have the power to issue permits for transfers to jurisdictions without an adequate level of protection.
Security

A Licensee is responsible for the security of its information systems and networks and should act in a timely and cooperative manner to prevent, detect and respond to security incidents. A Licensee is further required to review and assess the security of its information systems and networks and to make appropriate modifications to security policies, practices, measures and procedures on a regular basis. Any security incidents must be disclosed to the CPU on a periodic basis.

A Licensee that holds Patient Health Information must maintain the security of the Patient Health Information, ensuring that it is stored in a way that can be readily retrieved and easily removed or shared, while also protecting the accuracy of the information.

A Licensee is further responsible for ensuring that reasonable safeguards are put in place to protect the Patient Health Information from:

  • Loss
  • Destruction
  • Potential fire / water damage
  • Tampering
  • Theft
  • Unauthorized access, use, modification or disclosure

Footnotes

(section 31, HDPR)

Breach Notification

There is no specific requirement set out in the HDPR obliging a Licensee to inform the CPQ in the event of a breach. Licensees are, however, required to inform the Customer Protection Unit (within CPQ) on a periodic basis of any security incidents.
Enforcement

The CPQ is responsible for the compliance and enforcement of the HDPR and may delegate its powers and duties to any appropriate committee(s) constituted by it, or to appropriate person(s) appointed by it (section 42 HDPR).

The powers, duties and functions of CPQ include:

  • Conducting an audit of Patient Health Information when requested by a Licensee for the purpose of ascertaining whether or not the information is maintained in accordance with the HDPR
  • Monitoring the use of Personal Identifiers, and reporting to the Executive Body from time to time on the results of that monitoring, including any recommendations relating to the need for, or desirability of taking regulatory, administrative, or other action to give protection, or better protection, to the patient or the Licensee
  • Monitoring compliance with the HDPR

CPQ may require a Licensee to produce specified information or documents when requested in writing in relation to the Processing of Patient Health Information or a complaint about an interference with Patient Health Information. If the Licensee does not comply with the request, the CPQ may impose a penalty as set out in a list to be published by the DHCA from time to time (section 42).

It does not appear that the DHCA has produced any further information on the penalties that apply in relation to a breach of the HDPR. It is unclear how any breaches of the HDPR will be dealt with in the DHCC.
Electronic Marketing

The HDPR does not contain specific provisions relating to electronic or direct marketing.

Online Privacy

The HDPR does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as UAE criminal law applies in the DHCC, the privacy principles laid out therein may apply (see UAE – General).
Contacts
Paul Allen
Head of Intellectual Property & Technology – Middle East
T +971 4 438 6295
Eamon Holley
Legal Director
T +971 4 438 6293
Jamie Ryder
Senior Legal Consultant
T +971 4 438 6297