The Regulation on Processing and Ensuring the Privacy of Personal Data Relating to Health (Official Journal 29863, dated 26 October 2016) has been amended by a new regulation issued in Official Journal 30250, dated 24 November 2017.
As is known, the provisions of the “Law on The Protection of Personal Data, No. 6698” have entered into force, and since then some Regulations regarding implementation of the Law have been issued.
In this article we will provide you with the main points of the amended “Regulation on Processing and Ensuring the Privacy of Personal Data Relating to Health”, which sets out the procedures, duties and responsibilities for the collecting, processing, recording, safeguarding and transferring of health-related personal data by healthcare service providers.
THE PROCESSING OF SPECIAL CATEGORIES OF DATA (Sensitive Data)
Data relating to a person's racial or ethnic origin, political opinions, religious, sect or other beliefs or philosophical beliefs, trade-union membership, health or sex life, criminal conviction records, and biometric and genetic information are deemed Special Categories of Data.
As a rule, sensitive data cannot be processed without the explicit consent of the data subject, except where it is clearly specified by laws or required for medical purposes. The measures that will be determined by the Board should also be taken into consideration.
PROCESSING OF PERSONAL DATA RELATED TO HEALTH
Any operation or set of operations performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, is considered processing of data related to health.
- In processing a data subject’s health information, persons engaged in healthcare services must confine themselves to what is necessary for the healthcare service provided.
- Data processors in healthcare services cannot copy, record or store personal health data outside the healthcare service providers’ fully or partially automatic or non-automatic systems, or the systems established by the Ministry to serve countrywide or the central health data system.
- Healthcare service providers are responsible for establishing a secure electronic recording system in compliance with the principles and procedures determined by the Law, the Data Protection Board and the Ministry.
- Healthcare service providers should transfer personal health information to the central health data system in line with the principles and procedures determined by the Law, the Data Protection Board and the Ministry.
RESPONSIBILITY OF DATA PROCESSOR
The Data Processor, who processes personal data related to health by authorization of and on behalf of the controller, is under the obligation to:
- Prevent unlawful processing of personal data.
- Prevent unlawful access to personal data.
- Take every necessary technical and administrative precaution for safeguarding the personal data.
- The data controller and data processor cannot pass the personal data to third parties unlawfully, and cannot use them outside their purpose. This obligation continues even after they have retired from their duties.
- The data controller must immediately inform the Board and the data subject in case of any unlawful breach.
RIGHTS OF DATA SUBJECT
Everyone is entitled to apply to the data controller to:
- learn whether personal health data concerning him or her has been processed
- request information if personal data is processed
- learn the purpose of processing
- learn the third parties in-country or abroad, if the data has been transferred
- demand the rectification of the data content if there is incompleteness or inaccuracy in their processing
- demand deletion or destruction of data.