Health November 5, 2019
New data laws are changing privacy for patients

By Andrea Tithecott, Scarlett Windmill-Last - World Healthcare Journal

Across the globe, we have seen greater emphasis on safeguarding of privacy and tighter controls and restrictions on the use of data over the last few years. Nowhere are the laws, regulations and guidance documents that govern data collection, processing, storage and usage more critical than in the implementation of digital health solutions. As governments across the Middle East start to implement new data privacy and security requirements, the UAE is one country that has taken action with the implementation of Federal Law No.2 of 2019 concerning the use of information and communications technology in healthcare (the ‘ICT Health Data Law’).

What is the ICT Health Data Law?

This new healthcare data law protects the confidentiality of patient health data and regulates the use, storage and processing of patient information. It also imposes restrictions on data moving outside the country. Executive regulations are expected to be published soon and will provide additional detail regarding how the ICT Health Data Law will operate. They will likely be followed by standards and detailed procedures in the form of resolutions issued by local Emirate health authorities.

The ICT Health Data Law will regulate patient data at a federal level by focusing on two substantive issues: firstly, establishing a centralised system for capturing patient data; and secondly, mandating data localisation by prohibiting data from being sent out of the jurisdiction without specific approval.

At a local level, the health authorities of Dubai and Abu Dhabi that had already sought to regulate data privacy will be required to issue new resolutions to be consistent with the ICT Health Data Law. This is expected to include outlining the procedure for obtaining approval for data movements outside the country.

What does the introduction of this regulation mean for companies operating in the UAE?

Regulated entities will be required to comply with the requirement to centralise data as well as to maintain their own patient data files. This will require their information technology systems to interface with those established by the government.

Regulated entities will also need to apply for permission to move data outside the country as soon as the procedures for making such applications are operational. In the meantime, those regulated entities who are still engaging in data transfers are technically operating illegally.

Are there concerns around the limitations of sending data internationally?

The main concern lies with data localisation. We are of the opinion that the regulator intends to prohibit not only identified data, but also encrypted and de-identified data, from being sent outside of the UAE. Therefore, organisations that either host all of their data on servers outside the country, or send data (even if de-identified) offshore, for example to have scans reviewed or to request a second opinion, are breaching the ICT Health Data Law.

Going forwards, all international data transfers will require permission from the Ministry of Health and Prevention, or from the local health authority through powers delegated to it by new resolutions.

The mechanisms for seeking such permission are not currently in place. Thus, it has been difficult for companies to adapt. We expect the executive regulations to provide clarity.

How is the ICT Health Data Law likely to affect healthcare companies who are not currently engaged on UAE projects delivering services in the UAE?

The healthcare sector remains one of the fastest growing sectors in the UAE and there are great opportunities for new entrants, with a very attractive project pipeline over the next three to five years. Going forwards, projects will need to be structured carefully from the outset, with particular attention as to how patient data will be managed.

The ultimate decision as to whether or not to go ahead with a particular project should not be affected negatively. It simply means that additional factors have to be put into the due diligence report and risk assessment processes, whilst factoring in any additional costs of putting in place arrangements to comply with the new data law.

In conclusion

Organisations, whether they are local or international, will need to examine how they will comply with localisation of data and the limitations of international data sharing.

The UAE is committed to expanding the use of technology to drive the delivery of new healthcare services, improve quality and deliver better patient outcomes. Thus, the ICT Health Data Law and the regulations governing telemedicine will need to be examined holistically and be fully integrated in order to achieve this vision. This will have to be explored once again upon the introduction of the anticipated executive regulations that are expected later this year.


Al Tamimi & Company’s Healthcare team regularly advises on all matters pertaining to healthcare and life sciences.

For further information please contact: Andrea Tithecott (a.tithecott@tamimi.com).

