Data protection and management
Definition of “health data”
What is “health data”? Is there a definition of “anonymized” health data?
Article 16 of Law No. 13/2016 treats the following personal information as special private data: information relating to an ethnic group; children; physical and mental health or condition; processing; health security; cause of death; socio-economic parameters relating to health and well-being; medical history, such as diseases or any related information; personal information collected in order to provide healthcare services; opinion; and the health services provided.
Anonymized health data is not defined. However, it can be understood as data from which the recipient of the information cannot identify the patient. Name, address and full postcode should be deleted, along with any other information which, in conjunction with other data held by or disclosed to the recipient, could identify the patient. Unique numbers may only be included if the recipients of the data have no means of tracing the patient’s identity from them.
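The following is an added illustration of the working definition above; it is not part of the original text and is not a procedure prescribed by Law No. 13/2016. It deletes the direct identifiers named (name, address, full postcode), generalises a date of birth to a birth year (an assumption: the page only says that information which could identify the patient in combination with other data must go), and keeps the unique patient number only as a keyed hash, so that a recipient without the key cannot trace the patient. The field names, the sample records and the per-recipient key are all constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Direct identifiers that the working definition above says must be deleted.
DIRECT_IDENTIFIERS = ("name", "address", "postcode")

# Constructed sample records for the example (hypothetical, not real patients).
SAMPLE_RECORDS = [
    {"patient_id": "QA-000123", "name": "A. Example", "address": "1 Sample Street",
     "postcode": "12345", "date_of_birth": "1984-06-12",
     "diagnosis": "J45.9", "visit_date": "2023-03-02"},
    {"patient_id": "QA-000456", "name": "B. Example", "address": "2 Sample Street",
     "postcode": "12346", "date_of_birth": "1990-11-30",
     "diagnosis": "E11.9", "visit_date": "2023-03-04"},
]


def pseudonym(patient_id: str, recipient_key: bytes) -> str:
    """Keyed HMAC-SHA256 of the unique number, truncated for readability.

    The data controller keeps the key. Without it a recipient can neither
    reverse the token nor look it up in the source system, and using a
    different key per recipient stops two disclosed datasets being linked.
    """
    return hmac.new(recipient_key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_record(record: dict, recipient_key: Optional[bytes]) -> dict:
    """Return a copy of one record with identifying fields removed or replaced.

    recipient_key=None models a recipient who could trace the unique number
    (for example, a party with access to the master patient index); in that
    case the number is dropped altogether rather than pseudonymised.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # delete name, address, full postcode
        if field == "patient_id":
            if recipient_key is not None:
                out["patient_ref"] = pseudonym(value, recipient_key)
            continue  # never pass the raw unique number through
        if field == "date_of_birth":
            out["birth_year"] = value[:4]  # generalise a quasi-identifier
            continue
        out[field] = value  # clinical content is retained
    return out


def anonymize_dataset(records, recipient_key: Optional[bytes] = None):
    """Anonymise every record for a single recipient under one key."""
    return [anonymize_record(r, recipient_key) for r in records]


if __name__ == "__main__":
    # Constructed per-recipient key; in practice generated and stored by the controller.
    research_key = b"example-key-for-research-recipient"
    for row in anonymize_dataset(SAMPLE_RECORDS, research_key):
        print(row)
```

The key decision is who holds `recipient_key`: as long as it never leaves the controller, the `patient_ref` tokens satisfy the "cannot trace the patient's identity" condition while still allowing the recipient to count repeat visits by the same patient.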
Data Protection Law
What legal protection is given to health data in your jurisdiction? Is the level of protection higher than that granted to other personal data?
Qatar was the first country in the Gulf Cooperation Council to publish a comprehensive personal data privacy protection law in 2017 by issuing the Data Protection Law No. 13/2016. This law draws on and incorporates concepts familiar from other international privacy frameworks and obliges any party that processes personal data to adhere to the principles of transparency, fairness and respect for human dignity. The Ministry of Transport and Communications is responsible for the implementation and enforcement of data protection law.
Data protection law applies to personal data when that data is processed electronically; obtained, collected or otherwise extracted for electronic processing; or processed by combining electronic processing and traditional processing. It does not apply to personal data processed by individuals in a private capacity or in a family context, nor to personal data collected for the purposes of surveys and official statistics.
Under this law, businesses are prohibited from sending direct marketing messages electronically without first obtaining an individual’s consent, and organizations must adhere to basic data protection responsibilities (i.e. ensuring that data handlers are properly trained and that necessary precautions are taken to “protect personal data against loss, damage, alteration, disclosure or unlawful access”). It also includes sections that require consent from individuals before their personal information can be used by an organization. The owner or operator of any child-related website must have a policy in place about how it handles minors’ information. These website operators must also obtain the consent of the child’s parent when processing their information.
Other legal provisions relating to privacy and personal data can be found in the Telecommunications Act (Law No. 34 of 2006), the Telecommunications Statutes (Law No. 1 of 2009), the Qatar Financial Centre Data Protection Regulation No. 6/2005 and the Data Protection Rules 2005.
Anonymized health data
Is anonymized health data subject to specific regulations or guidelines?
With coded clinical data, supported by standardized terminology, it is possible to create advanced data analytics services for clinical and operational health data, and such services require patient consent. It is the right of the individual to grant or withhold consent for the sharing and use of data beyond the original purpose for which the data was collected. Under the principle of express and informed consent, individuals must first be informed of the intended use of their health data for health services, and must also be informed if this information may be used for other purposes in the future (for example, in research). Express consent must be obtained or confirmed before personal health information can be collected and processed.
How are the data protection laws in your jurisdiction enforced with respect to health data? Have there been any notable regulatory or private actions regarding digital health technologies?
In accordance with the provisions of the Data Protection Act, officials of the Ministry of Transport and Communications have the power to investigate and establish crimes and violations of the law, and the law provides a series of fines for violation of its terms up to a maximum of 5 million Qatari riyals. Individuals may also file complaints about alleged violations with the competent department of the Ministry, which may issue instructions to controllers or contractors, seize materials and otherwise document any established violations.
What cybersecurity laws and best practices are relevant to digital health offerings?
Qatar took an early interest in preventing cybercrime and improving cybersecurity, especially after numerous sophisticated and high-profile cyberattacks on its media and government websites and on energy-sector industrial networks, and given that companies operating in the health sector, which hold high volumes of sensitive and valuable health data, are at a higher risk of being targeted by cybercriminals.
Law No. 14/2014 contains provisions to combat the most common forms of online crime, provides severe penalties for each category of prohibited act, and addresses offences committed via the Internet, computer networks and computers, together with other related crimes.
Good practices and practical tips
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of raw and anonymized user data, as well as the output of digital health solutions?
The answer is to obtain clear consent from data subjects before using their data, to comply with basic data protection standards, to ensure that data managers are properly trained and that the necessary precautions are taken to “protect personal data against loss, damage, alteration, disclosure or unlawful access”, and to ensure adequate protection against unauthorized access and cybercrime.
Law No. 13/2016 on the protection of privacy of personal data codified key principles that reflect standard organizational best practice. The entity ultimately in charge of collecting the data (and any service provider it engages) is obliged to take the necessary measures to protect personal data against loss, damage, alteration, and any accidental or unlawful access, disclosure or use. Organizations are required to adopt measures that are appropriate to and consistent with the nature and importance of the personal data to be protected, and sensitive personal health data cannot be processed without specific authorization and controls. The Ministry of Public Health (MOPH) must work closely with the Ministry of Transport and Communications to ensure that appropriate safeguards and precautions are applied to health data.
MOPH’s National Health, eHealth and Data Management Strategy has adopted a comprehensive vision and plan for future eHealth developments to improve healthcare delivery in Qatar, encompassing a rigorous legal and regulatory framework for digitization and standards for eHealth data.