Overview
PDPL Implementing Regulation Article 26 establishes the organizational, technical, and administrative controls required to protect Health Data from unauthorized use, misuse, collection, or breach. It mandates compliance with sector-specific regulatory requirements issued by health and financial authorities, prescribes documentation and task distribution standards, and requires Controllers and Processors to embed Health Data protections into their agreements and internal policies.
Health Data Processing must be minimized and limited to what is necessary to provide healthcare services or health insurance programs, so that privacy is preserved and every entity involved in the Processing remains accountable.
SDAIA's Official Text
The text below reproduces official PDPL law, regulation, or guideline issued by the Saudi Data & AI Authority, verified against the original SDAIA source. No changes or reinterpretation applied.
Article 26: Processing Health Data
The Controller shall take the appropriate organizational, technical, and administrative measures to protect Health Data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners, and it shall, in particular, take the following controls and procedures:
- Adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other related entities involved in regulating Health Services and health insurance services, that specify the tasks and responsibilities of employees of health care providers, health insurance companies, health insurance claims management companies and those which are contracted by them carrying out the Processing of Health Data.
- Include the provisions of the Law and its Regulations into the internal policies of the Controller.
- Distribute tasks and responsibilities among employees or workers in a way that prevents overlapping specializations and diffusion of responsibility, and taking into account different level of access to data among employees or workers in a manner that guarantees the highest degree of the privacy of the Data Subjects.
- Document all stages of Health Data Processing and provide the means to identify the person in charge for each stage.
- The agreement between the Controller and the Processors - to conduct work or tasks related to Health Data Processing - shall include provisions that oblige them to abide by the procedures and measures stated in this Article.
- Health Data Processing should be limited to the minimum necessary to provide healthcare services and products or health insurance programs.
Plain-Language Explanation
The explanation below is provided to help you understand SDAIA's legal text and does not replace or override the official PDPL law, regulation, or guideline.