Regulation on Processing and Protecting the Privacy of Personal Health Data

The Regulation on Processing and Protecting the
Privacy of Personal Health Data ("Health Data Regulation") has recently been
published on the Official Gazette, on October 20, 2016 and came into force on
the same date.

This regulation is not only applicable to the health
institutions and the data subjects whose personal data is processed, but also
covers real persons and legal entities who process health data within the scope
of a legislation. Therefore, all companies processing health data for reasons
such as employment procedures, periodic inspection or due to obligations
arising from social security legislation will be subject to the provisions of
the Health Data Regulation.

The purpose of the Health Data Regulation is to set
out the procedures and principles to protect personal health data and to ensure
its privacy, to regulate the provisions regarding the system which will be
established to collect, process, transfer the personal health data and to
access to such data and regarding the security and supervision of the systems
in which the personal health data are recorded, and regarding notifications to
the Ministry of Health ("Ministry") on the employee movements during the
provision of health services.

Most of these definitions are in line with the Turkish
DP Law, and certain additional definitions are introduced, which are
specifically defined for the Health Data Regulation, such as, the Ministry, the
information security administrator, the general management, personal health
record system, committee, central health data system, undersecretary, health
service provider, and intervention team of cyber incidents. Under the Health
Data Regulation, personal health data means any kind of health information
relating to an identified or identifiable real person.

Health Data Regulation sets out principles for the
protection, processing, transferring and erasure of personal health data. As
per Article 6 of the Health Data Regulation, the data processor is obliged to
protect the privacy of personal health data and obey the rules and standards of
data protection and processing which will be determined by the Ministry. In
case of a data breach, health service providers should notify the Ministry in
the form prescribed under the same provision. Health service providers should take
all the necessary measures which will be determined by the Ministry in order to
protect the privacy of the personal health data. If there is a suspicion of a
possible data breach a notification should be made to the Ministry and a
pre-drafted form should be used to make this notification. The notification may
also be submitted to the Ministry by electronic means. After an investigation
regarding the personal health data breach, following the investigation carried
out on the relevant breach, data subjects will be informed by the Commission of
Personal Health Data which is established under the Ministry.

Personal health data can be processed without the data
subject's explicit consent; (i) to protect public health, (ii) to perform
preventive medicine, medical diagnosis, treatment and nursing services and
(iii) to manage and plan health services and financing; by the persons who are
under confidentiality obligation (e.g. doctors) and by the authorized
institutions and organizations.

Transfer of personal health data is regulated under
Article 8 of the Health Data Regulation. The personal health data may be
transferred; for preserving public health, performing preventive medicine,
medical diagnosis, treatment and nursing services; managing and planning health
services and financing by way of taking precautions which will be determined by
the Data Protection Board, to the relevant institutions and organizations, if
it is clearly regulated by laws. Additionally, data transfer in between the
institutions and organizations which are requesting the data within the scope
of their duties and responsibilities that are regulated by law and the Ministry
along with the institutions and organizations under the Ministry would be
regulated by a protocol prescribing the relevant measures for transfer of
personal health data and other requirements. Moreover the requests for (i)
transfer of personal health data abroad and (ii) any other transfer apart from
the ones stated above will be governed by the Turkish DP Law and the Health Data
Commission established under the Ministry shall evaluate these transfer
requests. Therefore, it appears at this early stage that both the Board and the
Health Data Commission will be in charge for personal health data.

Provisions for erasure of personal health data are
also in line with the Turkish DP Law. In the event that the reasons for which
the personal health data are processed are no longer valid, personal health
data should be erased or anonymized by the data controller ex officio or upon
the demand of the data subject, regardless of whether the personal data has
been processed in accordance with the relevant legislation. In cases where
there is an erasure request for a personal health data and if processing the
data may be necessary for the establishment, exercise or defense of a legal
claim, or if it is possible to use the data by law enforcement authorities,
personal health data will be archived under a registry which will be
established by the Ministry.

Finally, the Health Data Regulation fills the legal
gap of how to protect personal health data, by regulating the abovementioned
provision, along with other rules such as rights of the data subjects. Even
though it refers to the Turkish DP Law in many of its provisions, the Health
Data Regulation introduces a new regime on personal health data, in a more
strict way.

Authors: Gönenç Gürkaynak, Esq.,
İlay Yılmaz, Nazlı Taşkıran ELIG, Attorneys-at-Law.

First published in Mondaq on
December 14, 2016.