Telehealth: Unravelling Health Data Legislation in Kuwait
Healthcare & Life Sciences Focus
As more medical companies and organisations embrace “telehealth”, the space where technology meets health care, the more opportunities there are to run afoul of data protection legislation and proper data handling requirements. In recent years, Kuwait has issued a number of regulations and decrees applicable to this telehealth space. Specifically, these include Kuwait Law No. 70 of 2020 on the Practice of the Medical Profession and Allied Health Professions and Patients’ Rights and Health Facilities (“Medical Profession Law”), CITRA data protection legislation, CITRA Cloud Computing Rules, and Decree No. 37 of 2022 (“Cybersecurity Decree”), amongst others including Law No. 20 of 2014 Regarding Electronic Transactions (“Electronic Transactions Law”).
A unifying theme in all such legislation is the need for consent from the data subject. However, there is the additional burden of keeping certain health data at a higher standard of protection than personal data. The Data Classification Policy and Cloud First Policy identify the need to determine the sensitivity level of the data. According to CITRA Resolution No. 95 of 2021 on the Data Classification Policy Amendment (“Data Classification Policy”), there are four levels of data, and level three includes “private sensitive data”, which includes medical records. These data classification levels have been developed based upon the best regional and global practices and standards. The Cloud regulations include guidelines and recommendations for government entities and the private sector in Kuwait to plan and implement strategies to migrate to the cloud. As “telehealth” related applications evolve ever further, including an evolution of telehealth activities in the cloud, such regulations should be reviewed more thoroughly.
“Personal Data” is defined in the Data Classification Policy as information or a set of information, if gathered, by which the identity of an individual can be clearly and directly recognised. It also includes any information that is directly or indirectly linked to website data for a specific person, regardless of whether or not the identity of such individual is clear from that information or from a set of that information and any other information.
According to the Cloud Computing Regulatory Framework V2.4, special categories of personal data include private data related to race, origin, religion, sect, philosophical beliefs, political opinions, membership (trade unions or associations of public interest) or data related to health, genetics, and vital data. Article 4.1.4 of the Cloud Computing Regulatory Framework states that cloud service providers and their subscribers, whether from the government or private sector, are obligated to refrain from using personal data to infer the identity of subscribers without obtaining clear and explicit written permission from the individuals, including those in the special categories of personal data.
In line with the local and global spread of telehealth services, a new article in the Medical Profession Law permits the provision of medical services, home and remote health care. Further, it permits the use of artificial intelligence and developed technologies according to the controls specified by the Ministry of Health. The Electronic Transactions Law requires that personal data or information relating to health condition that is entered in electronic processing records or systems must be retained privately, and employees may not unlawfully inspect, disclose, or publish any such personal data or information. Any disclosure of such information requires the consent of the data subject or a court order. These laws would apply to telehealth service providers in the ever-expanding “telehealth” space.
Since telehealth deals with particularly sensitive information, it is important that organisations leveraging such technology be prepared for a data breach or cyber-attack. Organisations should be aware of the local data protection and cyber landscape, have appropriate policies and practices in place to address vulnerabilities, and regularly access comprehensive advice to comply with local laws and regulations. In Kuwait, the local laws and regulations are evolving, and the Cybersecurity Decree established a new authority named the “National Center for Cybersecurity,” which is under the supervision of a Cabinet-appointed minister. The Decree applies to civil, military and security, as well as private sector establishments inside the State of Kuwait. The Cybersecurity Decree defines cybersecurity as securing and protecting online information, communications, and operations using electronic means. The Cybersecurity Decree hopes to build an effective system of cybersecurity on the national level. Cybersecurity on a national level should protect local establishments, including the health sector. Health facilities in Kuwait and online telehealth services and applications are vulnerable to cyber-attacks that can lead to operations being shut down and loss of records.
Company policies must be clearly aligned and integrated with Kuwait’s strategy and priorities. It is important to be proactive and nimble in responding, mitigating the risk and consequences of a data breach by having internal systems in place as well as liaising with the relevant authorities in Kuwait. In addition to the abovementioned resolutions and decrees, we anticipate additional decrees and resolutions to address the gaps in these regulations, including the transfer and further protections of health data.