PDPL Article 23 says that the processing of health data (classified as sensitive personal data under the PDPL) requires additional safeguards beyond those applied to regular personal data.
The Regulations define the specific controls and procedures, but Article 23 already introduces two key obligations:
Access to health data must be limited to only those who need it to provide health services.
Processing activities (e.g., viewing, editing, transferring) must also be restricted to the minimum necessary staff.
These rules are designed to protect the privacy of patients and prevent misuse of medical records or insurance-related health data.
Without prejudice to this Law, the Regulations shall set out additional controls and procedures for the Processing of Health Data in a manner that ensures the privacy of the Data Subject and protects their rights under this Law. Such additional controls and procedures shall include the following:
Saudi PDPL Article 23 (1)
Limit Access Rights
Restricting the right to access Health Data, including medical files, to the minimum number of employees or workers and only to the extent necessary to provide the required Health Services.
Saudi PDPL Article 23 (2)
Restrict Processing Operations
Restricting Health Data Processing procedures and operations to the minimum extent possible of employees and workers as necessary to provide Health Services or offer health insurance programs.
Explanation of Saudi PDPL Article 23
Only essential staff may access health data
Saudi PDPL Article 23 (1) says that access to health data, including medical files, must be limited to the smallest number of employees or workers required to deliver the health services in question, and only to the extent that their role actually requires it.
Processing operations are restricted to the minimum necessary staff
Saudi PDPL Article 23 (2) says that health data must be processed only to the minimum extent necessary, and only by the employees or workers needed to provide health services or to offer health insurance programmes. It is not enough to limit who can open a medical file: the processing operations themselves (viewing, editing, transferring and so on) must also be confined to the staff who need them for those purposes.