Examination of the Personal Health Data Regulation That Has Entered into Force
The Regulation on Personal Health Data (“Regulation”), which concerns a category of personal data that has a special place in the Personal Data Protection Code, was put into force by the Ministry of Health on 21 June 2019 and has taken its place in the legislation as an important subsidiary regulation. The Regulation on Implementing Personal Health Data and Ensuring Privacy, which previously served the same function, was abolished by Article 23 of the Regulation.
When the differences between the abolished Regulation and the Regulation now in force are examined, the new Regulation contains more articles (25, against 20 in the previous one), yet the article texts are handled more simply and clearly. Turning to the articles, Article 1, titled purpose, uses a more comprehensive and general wording: “…regulating the conducted methods and principles to be followed in the processes and practices”. The same is true of Article 2, titled scope. In the definitions article, new definitions have been added and some definitions from the previous legislation have been removed. “Open data, open health data, e-Pulse, related user, KamuNET, de-identification, personal data, abolishment of personal data, deletion of personal data, abolishment of personal data and masking” are among the newly added definitions. The removed definitions include “personal health recording system and data processor”. The second part of the Regulation moves away from the principles and rules that, in the previous legislation, amounted to a kind of repetition of the Law. In keeping with its purpose, it instead sets out implementation-oriented principles and rules for the units of the Ministry of Health and the health service providers operating in connection with them.
One of the most important differences of the new legislation is the matter of “Access to Personal Health Data”, which was introduced with the third part. The third part regulates the following issues:
- Access to data by health personnel,
- Access to data by Ministry personnel,
- Access to the health data of children,
- Access to health data by the relatives of patients,
- Access to health data by lawyers,
- Access to the health data of the deceased.

In general, the policy followed in this part is aimed at limiting access to data. For example, parents do not have unlimited access to their children's health data: children who have the capacity of discernment may, through e-Pulse, make their parents' access to their health history subject to permission.
The limitations on data access introduced by the third part are, in general terms, well-placed provisions; however, Article 10, titled ‘access to health data by lawyers’, which requires lawyers to hold special authority in order to access their clients’ health data, is highly debatable. When the role of lawyers in the legal order is considered, this situation could cause a disproportionate inconvenience.
The fourth part, titled concealment, correction, abolishment and transfer of personal health data, corresponds to what the former regulation covered under the title of protection, processing, transfer and deletion. The new Regulation is more detailed than the former Regulation, handling concealment, correction and abolishment under separate provisions.
The new Regulation gives Provincial Health Directorates important roles in the concealment and correction of personal health data. Concealment of health data shall be carried out in line with a warrant sent by judicial offices, while correction of health data shall be carried out if the application made by the person concerned to the Provincial Health Directorate is approved. Abolishment and transfer of health data are subject to the related provisions of the Law, but the transfer of health data is also covered by special arrangements.
In this respect, transfers shall be conducted through KamuNET. KamuNET (Public Virtual Network) is a system created within the T.R. Ministry of Transportation, Maritime Affairs and Communications with the following aims: to minimize cyber security risks by enabling data communication, whose content security is provided by state institutions and organizations, to take place over a more secure virtual network; to provide a standard for existing and future secure closed-circuit solutions; to build the appropriate infrastructure for common practices; and to incorporate the planned common data center or centers.
Article 16, titled “processing with scientific purposes”, and Article 17, titled “open health data”, both in the fifth part of the Personal Health Data Regulation, stand out as the two most important provisions of the Regulation. Although specific to the Regulation, these two articles reflect how lawmakers view the concept of big data in the face of personal data protection law, and they will come before us again through legislative amendments. While data anonymized by the data supervisor may be used for scientific studies, the open data concept aims to develop the sector by making the data held in the systems of official health institutions publicly available through a website, to be established on the basis of the provisions on data privacy and data security.
“Data security” is regulated under three articles in the sixth section of the Regulation. The article on data security provisions imposes an obligation to comply with the rules set out in Article 12 of the Law and, at the same time, requires reliance on the Personal Data Security Guide prepared by the Institution with regard to technical and administrative measures. The article titled information security stipulates that the information security process shall be determined by the Information Security Policies Directive to be submitted by Health Information Systems General Management.
The article of particular note in section 7, titled “varied and final provisions”, is Article 21, titled “sanction”. Where faults and offenses arise from acting contrary to the matters regulated in the Regulation, action shall be taken under Articles 17 and 18 of the Law. There are also provisions on public officers, who may play an important part in health data, and on health service providers. Under the second paragraph of Article 21, public officers who act contrary to the Regulation shall be reported to the directorates to which they are attached, and any authorization they hold shall be cancelled. Under the third paragraph of the same article, where health service providers act contrary to the Regulation, action shall be taken under Additional Clause No 11 of the Health Services Fundamental Law. According to the text of that article, health service providers shall be warned twice, and those that do not comply with the warning shall be subject to an administrative fine of one percent of the gross service income of the previous month.
In conclusion, health data, which under the Personal Data Protection Code is personal data of a special nature belonging to natural persons, is a type of data that is frequently processed. The Legislation Regarding Processing and Ensuring Privacy of Personal Health Data, which was in force before the Legislation Regarding Personal Health Data replaced it, largely had the character of the Law in its provisions. That legislation, which could not meet the requirements of the health field, has gained more detailed rules with the Legislation Regarding Personal Health Data, which has to a large extent defined the room for manoeuvre of the subjects of data protection law.