PDPL Implementing Regulation Article 26 – Processing Health Data

Implementing Regulation of PDPL Article 26 lays out strict safeguards for the processing of Health Data, due to its sensitive nature. It obligates Controllers to adopt technical, administrative, and organizational measures that comply with both PDPL and sector-specific health regulations in Saudi Arabia. The article emphasizes accountability, internal role separation, contractual controls with processors, data minimization, and full documentation throughout all stages of processing.

Health Data processing must follow sector-specific regulations, be minimal, tightly controlled, documented, and protected with clear accountability.

The Controller shall take the appropriate organizational, technical, and administrative measures to protect Health Data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners, and it shall, in particular, take the following controls and procedures:

Implementing Regulation of PDPL Article 26 (1)

Comply with Regulators

Adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other related entities involved in regulating Health Services and health insurance services, that specify the tasks and responsibilities of employees of health care providers, health insurance companies, health insurance claims management companies, and those contracted by them to carry out the Processing of Health Data.

Implementing Regulation of PDPL Article 26 (2)

Update Internal Policies

Include the provisions of the Law and its Regulations into the internal policies of the Controller.

Implementing Regulation of PDPL Article 26 (3)

Assign Roles Clearly

Distribute tasks and responsibilities among employees or workers in a way that prevents overlapping specializations and diffusion of responsibility, taking into account the different levels of access to data among employees or workers, in a manner that guarantees the highest degree of privacy for the Data Subjects.

Implementing Regulation of PDPL Article 26 (4)

Document Every Stage

Document all stages of Health Data Processing and provide the means to identify the person in charge of each stage.

Implementing Regulation of PDPL Article 26 (5)

Contractual Controls

The agreement between the Controller and the Processors – to conduct work or tasks related to Health Data Processing – shall include provisions that oblige them to abide by the procedures and measures stated in this Article.

Implementing Regulation of PDPL Article 26 (6)

Minimize Data Processed

Health Data Processing should be limited to the minimum necessary to provide healthcare services and products or health insurance programs.

Explanation of Implementing Regulation of PDPL Article 26

Adopt health-specific rules from relevant authorities:

Implementing Regulation of PDPL Article 26 (1) says: follow the controls issued by bodies such as the Ministry of Health, the Saudi Health Council, SAMA (the Saudi Central Bank), and the Council of Health Insurance.

Embed PDPL requirements into your own rules:

Implementing Regulation of PDPL Article 26 (2) says: internal policies must reflect the PDPL and Implementing Regulation requirements regarding Health Data.

Define duties and limit access appropriately:

Implementing Regulation of PDPL Article 26 (3) says: prevent overlapping duties and give workers only the access they need, so that privacy protection is stronger.

Traceable processing with clear responsibilities:

Implementing Regulation of PDPL Article 26 (4) says: maintain a full audit trail of Health Data processing that identifies who is responsible at each stage.

Processor contracts must reflect health safeguards:

Implementing Regulation of PDPL Article 26 (5) says: ensure any third party working with Health Data abides by the same rules through enforceable contractual terms.

Only process what is strictly necessary:

Implementing Regulation of PDPL Article 26 (6) says: Health Data processing must be limited to what is needed to deliver healthcare or health insurance services.
