Legal Implications of Collecting Health Data from International Hospitals

Author: LegalEase Solutions

SUMMARY OF RESEARCH

It is unlikely that any of the countries’ various general privacy regulations stand in the way of ANA collecting the type of data involved (aggregated and de-identified health care data) if the type of data contemplated is not identifiable data and better yet, if it cannot be re-identified. If the contemplated health care data falls within the general definition of “personal data”, the respective privacy acts would be applicable and they would trigger certain legal prerequisites that have to be met, some more burdensome than others depending on the jurisdiction. Various jurisdictions go further and set forth separate provisions or regulations specific to more sensitive data, such as healthcare data, that are typically narrower and more restrictive than their respective general privacy acts.

A few countries of interest have very little data privacy regulation in general including with respect to healthcare data. These include Saudi Arabia, Lebanon, and Pakistan. See the next section for a more detailed look at these countries’ relevant regulations.

The UAE has a stricter regulatory regime with regards to data privacy and its laws in this regard closely align with those of the EU. The UAE requires that to transfer and process “personal data” outside the country, that the following be obtained: data protection authority/government authorization, contractual safeguards and/or opt-in consent. However, the act defines “personal data” as “any information relating to an Identifiable Natural Person”. Identifiable Natural Person is further defined as, “is a natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his biological, physical, biometric, physiological, mental, economic, cultural or social identity.” Based on the definitions, just like with the similarly aligned EU directive, whether the sourcing of ANA’s contemplated data would be subject to these acts depends on whether any of the data can be used to identify the individual it relates to.

With respect to the EU directive, this is applicable to all member states and each country was given the liberty to set up the legislative mechanisms to implement the directive. As a result, the same general privacy act analysis applicable to the UAE applies in great part to EU member countries (France, Germany, and UK).

Like the EU member countries, Australia permits organizations to transfer personal information to a recipient in a foreign country only if it is subject to a “substantially similar” privacy regime. Personal information is defined in section 6 of the Australian Privacy Act 1988 means information that identifies you or could identify you. Examples of personal information can be one’s name or address. Personal information can also include medical records, bank account details, photos, videos, etc… Pursuant to Australia’s Office of the Federal Privacy Commissioner’s Guidelines to the National Privacy Principles, “the test for whether information is identifiable is whether the identity of the individual is apparent, or may reasonably be ascertained, from the information using the definition of ‘personal information’ in section 6 of the Privacy Act. A de-identification procedure would not be complete if, from the resulting information, the identity of an individual may be reasonably ascertained. Reasonable steps to de-identify information could include:

  • considering the capacity of the organization to re-identify the information;
  • careful consideration of the identifying nature of every aspect of the information; and
  • setting up safeguards that ensure that future collection or uses will not re-identify the information.

An organization may need to include in contractual arrangements with a receiving organization that it will not re-identify the information.

To conclude, there are no key hurdles in undertaking and executing ANA’s mission in EU inclusive of France, Germany, England and Australia.  Provisions pertaining to specific transfer of health care/ de identified data seem to be unavailable in the subjective countries.  The terminology “personal data” used in the EU’s Directive Policy and in data privacy acts of each of the countries specified is generally inclusive of the medical and health care data. So it can be deemed that personal data is inclusive of health care data where it is not specifically mentioned. However personal data is referred to as personal information from which an individual can be identified. Since ANA intends to collect de identified data, it is to be presumed that the strict rules governing identifiable personal data is not applicable to its business.