8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest? 

The Personal Data Protection Law, Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data, constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in the UAE. It provides proper governance for data management and protection and defines the rights and duties of all parties concerned.

Brief summary of the provisions of the law:

  1. The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.
  2. The law defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or to carry out any of the legal procedures and rights.
  3. The law gives the owner of the data the right to request corrections of inaccurate personal data and to restrict or stop the processing of his personal data.
  4. It sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.

The Personal Data Protection Law (“PDPL”) is the first federal law to be drafted in partnership with major technology companies in the private sector. It comes into force on January 2nd, 2022.

The PDPL looks to align UAE Federal law with global “best practice” data protection principles (such as the GDPR). For those familiar with such principles, much of the PDPL will be familiar, with key transparency and accountability concepts included. The PDPL introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record-keeping requirements.

In tandem with the PDPL, UAE Federal Decree-Law No.44 of 2021 - Creation of the UAE Data Office - was also issued on 20 September 2021. The UAE Data Office (“Data Office”) will act as the data protection regulatory authority, operationalizing the Law’s requirements.

Other laws related to data protection and privacy include:

Protection of health data and information

Abu Dhabi Department of Health: 

8.2 What are the data locality rules within each jurisdiction?

The data locality rules for the UAE are described in Section 8.1 above.

  • Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?

Articles 22 and 23 of the PDPL provide an indication on cross-border data transfer:

Art. 22- Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available: 

1) Personal Data may be transferred outside of the State in the following cases approved by the Bureau: The State or Province to which the Personal Data is transferred shall have legislation addressing Personal Data Protection. This includes the most significant provisions, measures, controls, stipulations, and rules related to the protection of the privacy and confidentiality of the Data Subject's Personal Data, and his/her ability to exercise their legal rights. The State or the Province shall also have a judicial or regulatory authority imposing appropriate measures against the Controller or the Processor.

2) If the State joins a bilateral or multilateral agreement related to the protection of Personal Data concluded with countries to which the Personal Data is transferred.

Article (23)- Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available:

1) Notwithstanding Article (22) of this Decree by Law, Personal Data may be transferred outside the State in the following cases:

a. Companies, operating in countries where there are no laws for Data Protection, may transfer data under a contract or agreement obligating the companies in such countries to adopt measures, controls, and requirements set out in this Decree by Law, in addition to provisions forcing the Controller or the Processor to adopt appropriate measures which are imposed by a judicial or regulatory authority in such countries as set out in the contract. 

b. If there is explicit consent granted by the Data Subject to transfer his/her Personal Data outside the State, provided that such transfer shall not contradict the public or security interest of the State. 

c. If the transfer is necessary to fulfill obligations and establish rights before judicial entities, exercise or defend the same. 

d. If the transfer is necessary to sign or implement a contract made between the Controller and the Data Subject, or between the Controller and third parties to serve the interest of the Data Subject. 

e. If the transfer is necessary to implement an action related to international judicial cooperation. 

f. If the transfer is necessary to protect the public interest. 

2) The Executive Regulations of this Decree by Law set forth the controls and stipulations referred to in Paragraph (1) of this Article, which should be observed during the transfer of data outside the State.

  • Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?

Both the Data Controller and the Data Processor.

  • Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?

The provisions of the Personal Data Protection Law apply, as discussed in Section 8.1 above.

  • Does data need to be collected in the country? Do the servers need to be in the country?

The DOH Guideline for the implementation of the Abu Dhabi Healthcare Information and Cyber Security Standard (Dec 2019) indicates the following:

“CM 4.2 Restriction on Cloud Environment

The healthcare entity should not use cloud services or infrastructure to store, process, or share information that contains health information. 

All major Cloud service providers are now operating in the UAE. However, their services are partially or wholly provided out of data centers outside the UAE. This breaks the basic regulation that it is not permitted to transfer, store or process healthcare data outside the UAE. This is an evolving scenario as national cloud solutions may achieve the required levels of confidentiality, integrity and availability. At the same time, global cloud service providers are setting up in-country cloud services to meet regulatory demands. 

Contact the Department of Health for guidance on specific use cases. 

The healthcare entity should: 

  1. Ensure that healthcare information is not transmitted outside the UAE 
  2. Identify and disconnect integration of systems that process, store or utilize health information with any of the entity’s systems that connect or utilize cloud services.”

It is advisable that the use of servers or cloud services be discussed with the DOH prior to study submission.

  • Are there data storage and transmission requirements (for data transfer out of the country)?

The DOH’s “Standard on Patient Healthcare and Data Privacy” states the following on data transfer:

“6- Data Transfer and Data Security

6.1. Entities shall observe patients' legal right to seek information and shall document patients’ verbal or written requests for information with the signature of the requestor. 

6.2. Entities shall ensure to update the electronic EMR systems when accommodating these requests as and when needed. 

6.3. Entities shall retain communications and documentations associated with these requests for a minimum period of 25 years as mandated by “the use of information technology and telecommunication in healthcare field” (Federal Law no. 2, 2019). 

6.4. Entities shall exchange information on Abu Dhabi Health Information Exchange, Malaffi, in accordance with DOH’s Chairman Resolution no. 90, 2018, the rules, circulars, policies and agreements in implementation thereof. 

6.5. Protected Health Information Disclosure-Related Incident Response & Mitigation 

6.5.1. Entities must mitigate, to the extent practicable, any harmful effect they learn was caused by the use or disclosure of protected health information (PHI) by their staff, trainees, vendors, third party contractors or business associates in violation of their privacy policies and procedures and communicate with relevant health authorities within 24hrs of initial knowledge of the breach. 

6.5.2. Entities shall establish incident response management plans that comprise identification of the incident, containing the incident, eradicating/eliminating the incident, recovery/repair, and documenting the lessons learnt.

6.5.3. Entities must thoroughly investigate the incidents starting from the point of discovery until closure: 

6.5.3.1. Determine if the incident is related to a violation of PHI. 

6.5.3.2. Determine if further investigation is warranted, and if not, then document the incident and retain. 

6.5.3.3. List and perform mitigation, remediation and sanctions. 

6.5.3.4. The investigation and documentation shall be systematic / organized and can be reported to respective authorities as needed. 

6.5.3.5. Maintain all records of the incident as per local legal / regulations. 

6.5.3.6. Use appropriate investigative procedures and preserve the chain of custody. 

6.5.3.7. Involve resources trained in incident handling when needed. 

6.5.3.8. Educate and document why and how to prevent recurrence of the incident. 

6.5.4. Entities’ incident management plan shall have the provisions to timely communicate to the relevant authorities the incident response and mitigation. 

6.6. Data Safeguards 

6.6.1. Entities must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in line with the Abu Dhabi Health Information Cyber Security Standard (ADHICS) as well as the applicable laws and regulations. Such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, having a secured application, segregation of duties, least privilege, and limiting access on a “need to know” basis.

6.7. Data retention and monitoring 

6.7.1. Entities shall maintain health data and information as per the data retention period of 25 years mandated by “the use of information technology and telecommunication in healthcare field” (Federal Law no. 2, 2019). 

6.7.2. Entities’ resolution of complaints, and other actions, activities, and designations shall also be documented and retained.

6.7.3. Entities are required to undergo periodic internal and external audits and independent reviews to monitor compliance with the data privacy requirements as specified in this standard.

6.7.4. Entities shall retain and furnish the outcomes of the audit/compliance to DOH on a need basis.”

It is important to highlight that the current standard mentioned above was released before the UAE issued the “Federal Decree-Law No.45 of 2021, on the Protection of Personal Data (PDPL)”. Under the PDPL, data transfer is permitted (please see the first bullet point in Section 8.2 above). Therefore, it is advisable that this issue be discussed with the DOH and the Data Protection Officers at the site level to align on expectations and requirements.

  • Are there any exceptions made for research to the local privacy regulations?

Yes, exceptions to the laws and regulations exist as contained in the Personal Data Protection Law, discussed in Section 8.1 above.

  • Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?

The investigator, the authorized study staff, and regulatory bodies.

The Patient Information Sheet must indicate who will have access to the patient’s data.

8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)

In June 2023, the Department of Health published the “Guidelines on Real-world Data/real-world Evidence-based Clinical Research”. This guideline contains provisions on digital health technologies. 

Section 3.1.4 - Digital Health Technologies - indicates the following:

“Digital health technologies are used to gather health-related data. These include applications, sensors, wearables, and other technologies, such as ingestible devices and implants, which might be used to collect RWD as part of routine clinical care for patient-reported outcomes or home-based measurements. Other sources of RWD might utilize devices that capture indicators of function. These might be used as supportive evidence of the safety or efficacy of a treatment. Both the device and any tool (such as a questionnaire) used in data capturing have to be suitably validated for the measurements required. The relevance, objectivity, and practicality of measurements should be considered, taking into account the user's disease, age, and potential functional abilities. The devices may be regulated as medical devices, and applicable laws and regulations on the territory of Abu Dhabi are to be applied.

Additionally, if telemedicine services are intended to be used, please refer to the “Annex to the Cabinet Resolution No. (40) of 2019 concerning The Implementing Regulations of Federal Decree-Law No. (4) of 2016 on Medical Liability - Controls and Conditions for the Provision of Telehealth (Telemedicine) Services”, which provides the expected controls and conditions for the provision of telehealth services.

It is advisable to discuss with the DOH the intention of using any DHT within a clinical trial and any specific requirements.
