Pursuant to Article 16 of the Code No. 6698 on the Protection of Personal Data, real persons or legal entities processing personal data shall register with the Data Controller’s Registry before processing.More
| Reading Time: 5 Minute(s)
Examination of The Personal Health Data Regulation Entered into Force
Among the personal data, the Regulation on Personal Health Data (“Regulation”) that has a special place in the Personal Data Protection Code and entered into force on 21 June 2019 by the Ministry of Health has taken its place in legislation as an important subsidiary regulation.
On the other hand, the Regulation on Implementing Personal Health Data and Ensuring Privacy which used to perform the duty of the Regulation before, has been abolished with article 23 of the Regulation.
When the differences between abolished Regulation and the Regulation entered into force, much as the new Regulation involves a greater number of articles (while the previous Regulation involved 20 articles, the new one involves 25), the texts of the articles are handled more simply and clearly.
If we assess the articles, we can see in article 1 entitled purpose that a more comprehensive and general expression is used with the expression of “…regulating the conducted methods and principles to be followed in the processes and practices.”
While the same situation is valid for article no 2 with title scope, when we assess the definitions article, we can see that while new definitions have been added in the legislation, some definitions in the previous legislation were deducted.
“Open data, open health data, e-Pulse, related user, KamuNET, disidentification, personal data, abolishment of personal data, deletion of personal data, abolishment of personal data and masking” are among the newly added definitions. Among the deducted definitions, “personal health recording system and data processor” occur.
In the second part of the Regulation, principles and rudiments aiming at implementation were revealed for the units of Health Ministry and health service servers operating connectedly by getting out of the principles and rudiments that fell in a kind of repetition of the law in the previous legislation and fitting the purpose.
One of the most important differences of the new legislation is the matter of “Access to Personal Health Data” that was brought in with the third party. With the third part of the legislation;
- Access to data by health personnel,
- Access to data by Ministry personnel,
- Access to health data of children,
- Access to health data by the relatives of patients,
- Access to health data by lawyers,
- Access to health data of death,
Issues are regulated. In general, the policy followed with this part aims to limit access to data. For example, parents may not get unlimited access to the health data of their children; according to that, the children who can distinguish may subject their parents to permission for access to their health past through e-Pulse.
Limitation to access data brought in with the third part comprises of pointed regulations in general terms; however, article no. 10 with the title’ access to health data by lawyers’, involving the enforcement of exclusive authority for the lawyers to access their clients’ health data, is highly argumentative. When the role of lawyers in law order is considered, it may be seen that this situation could cause a disproportional inconvenience.
The fourth part regulated under the title of concealment, correction, abolishment and transfer of personal health data was regulated in the former Regulation under the title of protection, processing, transfer and deletion. New Regulation revealed a more detailed regulation when compared to the former Regulation, by handling the concealment, correction and abolishment situations under separate provisions.
Important roles have been given to Provincial Health Directorates regarding the new Regulation’s concealment and correction of personal health data. While concealment of health data shall be effectuated in the direction of a warrant to be sent by judicial offices, correction of health data shall be effectuated if the application to be made by the related person to Provincial Health Directorate is approved. While the subjects of abolishment and transfer of the health data are subjected to related provisions of law, transfer of health data involves special arrangements privately.
In this direction, transfers shall be conducted by KamuNET. KamuNET (Public Virtual Network); is a system created within the body of T.R. Ministry of Transportation, Maritime Affairs and Communications for the reasons of minimizing cyber security risks by enabling data communication whose content security is provided by state institutions and organizations to be done through a more secure virtual network, providing a standard for existing and future secure closed-circuit solutions, constructing and creating the appropriate background for common practices and incorporating the planned common data centre/centres.
Article 16, titled “processing with scientific purposes,” and article 17, titled “open health data,” included in the fifth part of Personal Health Data Regulation, draw attention as the two most important legislations of the Regulation.
These two articles reflect the perspective of law regulators on the big data concept before the law of protecting personal data despite being specific to Regulation will confront us with legislation amendments. While the data anonymized by data supervisor may be used for scientific studies, the open data concept aims at the development of the sector by entering the data involved in the systems of official health institutions to the public domain through an internet site to be established by grounding on the legislation regarding data privacy and data security.
The “Data security” issue has been regulated under three articles with the sixth section of the legislation. While an obligation to abide by the legislations brought up with the 12th article by law with the legislations article regarding data security has been brought up, at the same time, the reliance of Personal Data Security Guide prepared by the Institution regarding technical and administrative cautions has been obliged. The article titled information security has adjudicated that the information security process shall be determined with the Information Security Policies Directive submitted by Health Information Systems General Management.
The article which presents a particularity in section 7 titled “varied and final provisions” is article no 21, titled “sanction.” If fault and offences occur employing acting in defiance of the matters regulated in legislation, according to articles 17 and 18 of the law, there shall be transacted.
There have also been regulations regarding the public officers who may have importance in health data and health service servers. According to the second paragraph of article 21, notice regarding the public officers who act in defiance of legislation shall be sent to the directorships they are related to, and their authorization shall be cancelled if they have.
According to the third paragraph of the same article, if health service servers defy legislation, transactions shall be done in terms of Health Services Fundamental Law, Additional Clause No 11. According to related Law article text, health service servers shall be warned twice. Those who do not comply with the warning shall be imposed an administrative fine of one per cent of the gross service income of the previous month.
As a result, according to Personal Data Protection Code, health data belonging to real persons who have a special quality is a kind of frequently processed data. Legislation Regarding the Personal Health Data, which was in force before, in substitution for Legislation Regarding Processing and Ensuring Privacy of Personal Health Data, considerably had the characteristics of law in terms of its provisions.
Legislation that could not meet the requirements of health issues has gained more detailed regulations regarding Personal Health Data and substantially determined movement areas for the subjects of data protection law.