UAE law protecting personal health data and information

Reed Smith | Nov 03, 2020

Enactment of the ICT Law

On 6 February 2019, His Highness Sheikh Khalifa bin Zayed Al Nahyan, President of the UAE and Ruler of Abu Dhabi signed the UAE Federal Law No. 2 of 2019, “On the Use of Information and Communications Technology in the Health Fields” (the ICT Law) which came into effect three months later. The ICT Law provides a robust framework for the protection of personal health information and data, under the auspices of the UAE Ministry of Health and Prevention (MOHAP). The ICT Law further raises some issues of consideration, particularly under COVID-19. The ICT Law applies to all methods and uses of health information within the UAE, including those pertaining to the various free zones within the UAE.

Objectives of the ICT Law

Among the stated objectives of the ICT Law are to ensure the use, security and safety of such information in the various health fields; and to permit MOHAP to collect, analyse, and keep health information at UAE-level (Article 3 of the ICT Law). The ICT Law further calls for the creation of a centralised system for the collecting and exchange of information between MOHAP, other various federal and Emirate-level health authorities, and other relevant governmental entities (Article 5).

While these Articles are broad-reaching in their wording, they indicate that MOHAP and other concerned governmental entities have the right to review and examine any health-related information which is collected and stored throughout the UAE. This has some interesting implications in the current pandemic, as it seems to support the theory that MOHAP is empowered by the ICT Law to review health data and information to better manage COVID.

A perspective based on current considerations

This view is further bolstered by Article 16(3); which says personal health information could be accessed if it is done to take preventative or curative measures directed at public health or to preserve the health and safety of a patient and any person in contact with him.


Use of the ICT law under COVID-19


This would include the power to coordinate with other governmental authorities regarding the collection of health information on citizens, residents, and tourists, and the authority to issue directives, rules, or orders relating to the frequency of testing, quarantining, and the monitoring of movements of persons or group congregation throughout the UAE. All of the measures that the UAE has undertaken to combat COVID-19 have been done with the support of the ICT Law (in addition to other laws, regulations, and orders).

As a result of the powers granted the authorities under the ICT Law and other legislation, the response of the UAE to the COVID-19 pandemic has been recognised globally. It has been ranked as one of 11 countries with the best responses to COVID-19, with a low death count resulting from its proactive measures.

Protection of personal health information


Article 13 codifies the long-standing (but largely informal) healthcare practices in the UAE. Article 13 states that health information relating to health services provided inside the UAE cannot be stored, processed, generated, or transferred outside of the UAE. An exception is made where the relevant health authority has issued a decree in coordination with MOHAP.

Virtually all the electronically generated, stored, or archived health records across the UAE are password protected.  It is quite difficult—if not impossible—to transfer health information recorded on CD-ROM or other formats to a recipient via electronic mail.

Potential ramifications and solutions

However, Article 13 raises some potential questions and concerns. For example, cloud-based healthcare solutions that are hosted outside of the UAE, outsourcing of IT or network solution abroad may be implicated by Article 13—as well as healthcare apps or medical devices which monitor a variety of healthcare information of patients in the UAE (e.g., heart rate, blood pressure, arousals in sleep) and transmit such information to servers overseas. While much of this technology is readily available in the UAE, device manufacturers and app creators are likely to request greater clarity and detail—which may come in the form of future executive regulations (as contemplated by Article 29 of the ICT Law).

Furthermore, it is unclear if Article 13 is intended to affect the provision of telemedicine services. These would include acts such as a videoconference between a specialist doctor abroad and a patient in the UAE discussing a diagnosis or a protocol to treat an existing disease—or the review of a medical report generated in the UAE by a non-resident doctor for purposes of providing a second opinion. In the past few years, telemedicine services have been introduced into Abu Dhabi and Dubai—and have been limited, suspended, and modified since then (with the current trend being the licensing of a full spectrum of telemedicine services) As a nascent area of medicine (and law), all of the issues surrounding the provision of telemedicine services are still unclear.

Accordingly, there have been Emirate-level telemedicine laws and regulations issued by various health authorities (e.g., Dubai Healthcare City, and the Health Authority of Abu Dhabi).

Saladin Aljurf, Senior Legal Consultant in the Global Commercial Disputes Group

The various legislation enacted by the authorities has emphasised personal consent in the transmission of personal health information and data to specialist clinics and doctors outside of the UAE. However, the ICT Law is federal legislation and would supersede any telemedicine laws of the various Emirates in case of a conflict (assuming there is one).

A holistic approach to treating COVID-19 and other diseases

In the current climate, it seems more likely that the ICT Law will not interfere with the diagnosis or treatment of patients by competent and qualified doctors who practice overseas—and this may likely be bolstered by executive regulations to this law. The UAE’s continuous and progressive focus on smart technology and applications will likely see Emirate-level telemedicine laws and regulations as ratified or incorporated into a future legislative framework under the direction of the UAE federal government. Currently, this may help give COVID-19 patients here in the UAE access to cutting-edge drug therapies or protocols from doctors around the world (assuming, additionally, no effective or safe vaccine will be created in the near future). These patients can then work with their doctors in the UAE on effective treatment strategies.

About Arab Health

Arab Health is the largest healthcare event in the Middle East and is organised by Informa Markets. Established in 1974, Arab Health provides a platform for the world’s leading manufacturers, wholesalers and distributors to meet the medical and scientific community in the Middle East and subcontinent.

The upcoming edition of the event is expected to welcome the healthcare industry to view the latest healthcare innovations, products and services, and experience the highest quality Continuing Medical Education (CME) conferences for medical professionals in the region.

Interested in participating in Arab Health?

If you have any other queries, email us on [email protected]