KSAPDPL.COM

Saudi PDPL Article 23 – Special Rules for Health Data Processing

Overview

Saudi Personal Data Protection Law (KSA PDPL) Article 23 establishes special rules and heightened safeguards for Processing Health Data because it is classified as Sensitive Personal Data under the PDPL. The Article requires strict access controls, limits Processing to only what is needed for providing Health Services or health insurance, and mandates that only the minimum number of staff may access such data.

These restrictions reinforce the PDPL principles of data minimization, confidentiality, and proportionality, ensuring that Health Data is handled with maximum protection and tightly controlled access.

SDAIA's Official Text

The text below reproduces the official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation have been applied.

Article 23

Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Health Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law. Such additional controls and procedures shall include the following:

  1. Restricting the right to access Health Data, including medical files, to the minimum number of employees or workers and only to the extent necessary to provide the required Health Services.

  2. Restricting Health Data Processing procedures and operations to the minimum extent possible of employees and workers as necessary to provide Health Services or offer health insurance programs.

Plain-Language Explanation

The explanation below is provided to help you understand the SDAIA’s legal text and does not replace or override the official PDPL law, regulation, or guideline.

Article 23 (1)

Restricted Health Access

This provision limits the right to access Health Data, including medical files, to the smallest number of employees or workers who genuinely need such access to deliver Health Services. The wording requires that access is strictly tied to necessity, meaning that no staff member may view or handle Health Data unless it is essential for providing the required service.

This ensures that exposure to medical information remains controlled and that confidentiality protections for Data Subjects are preserved.

Article 23 (2)

Minimal Necessary Processing

This clause requires that all Processing operations relating to Health Data be reduced to the minimum level needed to provide Health Services or operate health insurance programs. The emphasis is on limiting both the number of individuals involved and the scope of Processing activities.

The provision ensures that Processing aligns directly with a clear service need and that no additional or unnecessary Processing occurs beyond what is essential for fulfilling healthcare or insurance obligations.
