Out-Law Analysis | 16 Nov 2016 | 11:18 am
The Personal Data Privacy Protection Law is due to be published in the state's legal gazette shortly and is expected to take effect six months after publication, with a period allowed for implementation of the requirements.
By setting rules on how personal data can be collected, used and shared, Qatar has become a leading jurisdiction in the GCC in the area of data protection. The new law also represents a further step towards the implementation of Qatar's 2030 Vision.
Outside the Qatar Financial Centre, Qatar does not currently have a specific data protection law and has no specific laws or regulations relating to the protection, processing and sharing of health data. This new law will provide for the first time a comprehensive set of safeguards that defines the rights of individuals to decide what can be done with, and who may access, their data that has been collected.
The new law will be vital to the implementation of Qatar's National E-Health and Data Management Strategy issued and approved last year following work done by the Supreme Council of Health, now the Ministry of Public Health (MOPH). The strategy includes a recommended legislative and regulatory framework for laws, policies and regulations in e-health and was prepared in anticipation of the new Personal Data Privacy Protection Law.
There will need to be alignment between the new law and MOPH's proposed framework for e-health and planned implementing policies, standards and requirements for protecting the rights of individuals in respect of their health data. This will include compliance with the Ministry's requirements to secure informed patient consent to the use of data in areas including medical research, and observance of the Patient's Bill of Rights.
As medical devices and e-health technologies and apps become more connected to one another and enable the collection and monitoring of health conditions, biometric data, results and mental health information, data privacy issues must be addressed. The provisions should therefore help address what is arguably a significant barrier to the adoption of digital health apps and services in the Middle East and beyond – a lack of consumer trust.
Within the legislation, specific reference is made to personal data of a special nature, which includes data relating to someone's physical or mental health.
To comply with the new law, organisations will need to obtain a permit from an administrative unit within the Ministry of Transport and Communications to process health data. The law provides for the Qatari minister for transport and communications to outline the "measures and rules" to define the permit process.
Processing health data without a permit could lead to a fine of up to QR5 million ($1.37m).
In addition, the law also provides for the Qatari minister for transport and communications to "impose further safeguards in relation to the protection of personal data of a special nature" in a future resolution. We can therefore expect future subsidiary legislation to outline more defined parameters on the handling and processing of health data.
Absent such additional rules, the handling of health data will be governed by the broad rules within the new legislation that apply to all types of personal data.
Obligations on organisations include keeping the information secure, explaining to consumers what they intend to do with their data, enabling data subjects to access their data, and correcting inaccuracies. Breaching the data security obligations when handling health data could trigger a fine of up to QR5m ($1.37m).
Organisations must also carry out privacy reviews before commencing new data processing activities, and establish complaints-handling procedures and processes for managing data breaches.
In addition, to process personal data in line with the new law, organisations will generally require individuals' consent, unless such processing is necessary to achieve a legitimate purpose for the data controller or a third party to whom the data is sent.
It is not clear from the legislation what intended uses for health data would be considered a 'legitimate purpose' that would override the requirements for consent.
Breaches of the consent requirements or other rules relevant to health data processing could result in fines of up to QR1m ($275,000).
Specifically protecting sensitive information together with significant penalties for a breach will facilitate trust, confidence, investment, collaboration and development in the healthcare sector and ultimately do what is needed: protect the personal information and privacy of individuals like never before in Qatar.
The Personal Data Privacy Protection Law is a significant step from Qatar in establishing a data protection regime aligned with other jurisdictions.
Countries such as the UK and other EU countries, and Australia, already have in place detailed rules on the handling of sensitive personal data such as health data. So the logical next step for Qatar would be to pass a new resolution that provides more specific detail on the use of health data and other personal data of a special nature.