Following the long-awaited enactment of Data Protection Law on April 7, 2016 ("Law"), now, the Ministry of Health enacted the Regulation on Protection of Personal Heath Data ("Regulation") on October 20, 2016. By requiring health service providers to adopt certain mechanisms and implementing new systems for data processing, the new Regulation aims to ensure the safety and confidentiality of the personal health records.

The new Regulation provides the general principles for processing personal health records which entails obligations on both the health service providers and the individuals assigned with the data processing role under the health service providers. Accordingly, individuals processing the personal health data can only access and process the data to the extent required by the health service rendered to the data subject (veri sahibi) (e.g. patient) and must keep this data confidential. Personal health data must not be copied or recorded anywhere other than the databases of the heath service provider and the systems of the Ministry. Health service providers, on the other hand, are required to develop the necessary electronic databases and ensure the safety and confidentiality of the stored personal data. As a general principle, in order to store and process the data, the informed written consent of the data subject must be obtained.

Protecting, Processing and Transferring Personal Health Data

Health service providers must take all necessary measures to ensure the confidentiality of the personal data as required by the Ministry. If there is a suspicion of a possible violation of the personal health data, the Ministry must be notified by using the complaint form prepared by the General Directorate of Personal Health Data ("General Directorate") or through online sources. Officials receiving the complaints will report the details of the violation to the superior managers, and the data controller (veri sorumlusu) and the data processing managers of the violating entity will be informed of the complaint. General Directorate will evaluate the complaint and report the outcome of the evaluation to Commission of Personal Health Data ("Commission"). Based on the outcome of this administrative investigation, the Commission, will then, inform the individuals whose personal data is found to be violated.

In order to process the personal health data, the data subject must be informed in detail as to the purposes for processing the personal data, the written consent of the data subject must be obtained and maintained in the records of the data processor. Personal health data can be processed without obtaining the consent of the data subject only if the purpose of processing concerns the protection of public health, procurement of medical diagnosis and treatment, planning the management and financing of health services. Data subject can withdraw his consent anytime unless there is a judicial decision or law to the contrary.

As for the transfer of personal data, it can be transferred by keeping the identity of the data subject anonymous or if the purpose of the transfer concerns the protection of public health, procurement of medical diagnosis and treatment, planning the management and financing of health services.

Even if the personal health data is processed in accordance with the law, it must be erased or made anonymous upon the request of the data subject when the purposes for processing no longer exist. However, Ministry will still maintain these records at least for ten years under a central database to fulfill the possible requests of judicial bodies while also preventing any other access to these records.

Rights of the Data Subject

The data subject has the following rights;

  • To request information on whether the personal health data is processed;
  • To request information on the processing of the personal health data
  • To access and request the personal health data;
  • To request information on the purposes of processing the health data and if the data is used in line with these purposes;
  • To request information on the third parties to whom his/her personal data is transferred;
  • To request correction of the health data if data is processed inaccurately;
  • To request the health data to be erased if the legitimate purposes for processing no longer exist.
  • To object to the negative consequences about him or her that are concluded as a result of analysis of the processed personal data by solely automatic means.
  • To request compensation if the data subject incurs loss due to unlawful processing of the personal health data;

Obligations of the Data Controller

Data controller must inform the data subject of its abovementioned rights, the identity of the data controller and its representative, the purpose of data processing, the identity of the third parties of which the data will be transferred and its reasons, the procedure for data processing and its legal justification.

Furthermore, the data controller must take all necessary measures to preserve, ensure the unlawful processing of and access to the personal health data and prevent the potential data losses within the systems in which the data controller is responsible with. Regulation also provides that the data controller must run the necessary audits to ensure its compliance with the Regulation and Law. If the third parties unlawfully gain access to the personal health data, data controller must inform the Commission as soon as possible.

Functions of the Commission and the Directorate, Personal Health Record System

Regulation foresees the establishment of a new public body under the Ministry, namely, Commission of Personal Health Data, that will help the Ministry to set policy, provide opinion, evaluate the application for data transfer, review the complaints and run investigations.

On the other hand, as another new entity, the General Directorate, will have functions such as establishing the central database for personal health data where the personal health data will be restored and procuring the transfer of personal health data from service providers to the central data base. Health service providers are required to save the personal health data in their database and also transfer these data to the central database in line with the standards to be determined by the Ministry.

Furthermore, all citizens can voluntarily create an account on the personal health record system where they can access and review the health services provided to them and manage their health data.

Notification Requirement

Regulation requires all health service providers to inform the Ministry on their employees as well as any employee changes within fifteen days.

Conclusion

While the data protection legislation gains significance in Turkey, Regulation sets forth specific rules and standards for the health services industry that requires adoption of new mechanisms and measures to ensure the safety of the personal health data. Health service providers must review their internal procedures in light of the Regulation and develop the required systems to fully comply with these requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.