UAE: Abu Dhabi Department of Health requires licensed entities to comply with strict data localization requirements

In brief

On 30 June 2022, the Government of Abu Dhabi Department of Health (DoH) issued Circular No. 147 of 2022 ("Circular") requiring health and pharmaceutical facilities licensed by the DoH ("Licensed Entities") to obtain a "secure" or "safe" certificate that certifies they operate in full compliance with the requirements of the Abu Dhabi Standard for Health Information Security and Cyber Security Standards ("Standards"). Licensed Entities have until the end of this year (i.e., by 31 December 2022) to complete an audit process to verify their self-certification with the Standards.

The Circular also states that Licensed Entities are urged to apply stricter cybersecurity controls, including to ensure health data is not transmitted outside of the UAE and to discontinue the use of any cloud-based services that store or utilize health data, irrespective of whether that solution is hosted within or outside the UAE.


The development is likely to pose an operational challenge to participants in the health tech sector in the UAE, including pharmaceutical and medtech companies that require patient data to power their services, such as providers of precision medicine and robotic surgery tools as well as those who operate patient support programs. Yet, more importantly, in the absence of any exceptions this development also prima facie operates to prevent mandatory safety reporting and associated activities such as pharmacovigilance and materiovigilance.

Key takeaways

  • The Circular applies only to Licensed Entities (i.e., entities licensed to operate by the DoH in Abu Dhabi).
  • Licensed Entities are required to certify compliance with the Standards by 31 December 2022 to avoid sanctions.
  • In the event a Licensed Entity fails to obtain a certificate confirming it is compliant with the Standards, it is at risk of sanctions, including licence suspension.
  • The Standards:
    • prohibit Licensed Entities from exporting health data outside of the UAE and oblige them to identify and disconnect any cloud services that process health data; and
    • prohibit Licensed Entities from sharing health data (even if de-identified) with third parties without the authorization of the DoH.

In more detail

The Standards were initially published in 2019, shortly after the publication of Federal Law No. 2 of 2019 on the Use of the Information and Communication Technology (ICT) in Health Fields ("Health Data Law"), which contains a similar default prohibition on the cross-border transfer and processing of health data. However, the Ministerial Resolution No. 51 of 2021 on the Cases of Allowing the Storage and Transfer of Medical Data and Information out of the State ("Health Data Export Resolution"), published by the Ministry of Health and Prevention following that date, introduced certain exceptions to the default data residency requirement.

As a result, it was understood that the exceptions in the Health Data Export Resolution could be relied upon by Licensed Entities to make cross-border transfers of health information. The publication of the Circular, which does not reference the Health Data Export Resolution, indicates that the DoH expects the Licensed Entities to adhere strictly to the Standards.

Key requirements of the Standards include the obligation to:

  1. ensure that health data is not transmitted outside the UAE;
  2. identify and disconnect integrated systems that process, store or utilize health data with any of the entity's systems that connect or utilize cloud services; and
  3. not share identified or de-identified health data with third parties, including counterparts and partners, unless authorized by the DoH.

In addition, the Standards expressly prohibit the use of cloud services and infrastructure. On a plain interpretation, this language would appear to prohibit the use of even single-tenanted, on-premise cloud solutions, although it remains to be seen whether this will be clarified by the DoH.

In light of the significant impact this development will have on Licensed Entities, in addition to providers of health tech services, we eagerly await further guidance from the DoH on how Licensed Entities may comply with the Standards while still leveraging the latest healthcare technologies in the interests of providing the highest standard of patient care.


© 2022 Habib Al Mulla & Partners, a member firm of Baker & McKenzie International. All rights reserved. Habib Al Mulla & Partners, a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.
