We explore the UAE's impending Healthcare IT Law – the first federal law to address privacy issues within the context of data processing in the UAE (albeit limited to the healthcare sector) – which will introduce new obligations and restrictions for entities in the healthcare sector, including a prohibition on storing, processing, generating or transferring any health data outside of the state without permission, and the creation of a set of "data protection" style rules in relation to confidentiality, access requests, transfers, storage and data retention.

UAE Federal Law No. 2 of 2019 regarding the use of information and communication technology in the healthcare sector (the "Healthcare IT Law") is expected to come into force in May of this year. The Healthcare IT Law regulates the use of healthcare data throughout the UAE, including the various free zones, and it will be the first federal law to address privacy issues within the context of data processing in the UAE (albeit limited to the healthcare sector).

Key features

The Healthcare IT Law introduces new legal requirements for entities in the healthcare sector. The key features include:

- Creating a new central system to collect, exchange and store health-related data across the country, the use of which will be mandatory for all government-related entities in the healthcare sector as well as the relevant authorities.

- Introducing the need for interoperability standards and a governance framework for emirate and federal level health authorities (to be implemented at a later stage).

- Prohibiting the storing, processing, generating or transferring of any health data outside of the state without permission (i.e. a decision issued by a government authority or entity in coordination with the Ministry).

- Creating a set of "data protection" obligations and restrictions, in particular in relation to confidentiality, access requests, transfers, storage and data retention.

- Listing a number of exceptions to the confidentiality obligations, including for the purpose of scientific and clinical research (provided the data is anonymised).

Conclusion

The data residency requirement echoes recent regional trends and it will no doubt be a topical issue over the coming months as industry stakeholders evaluate options and explore the extent to which international transfers will be permitted.

Although sources suggest that a federal data protection regime is being drafted, the Healthcare IT Law does suggest that the UAE may opt for a sectorial (rather than comprehensive) approach to data privacy, and the regime may therefore ultimately be more aligned with the American legal framework than with the European equivalent.

Although the Healthcare IT Law places new restrictions on the processing and storage of healthcare-related data, it is interesting to see that many of the provisions appear equally concerned with the proactive management and optimal use of such data. The inclusion of such provisions is perhaps suggestive of a dual purpose, and the Healthcare IT Law may well be intended as an enabler to facilitate growth in smart solutions and data-driven research, as well as to provide a data privacy framework for the industry.

As many of the provisions are contingent on implementing regulations, the real impact of the new law is yet to be fully assessed. Nevertheless, it is an interesting step in the development of the UAE's approach to both data protection and proactive management of information.
