8. Data Management
8.1 What data privacy and/or technology regulations need to be complied with to run a trial in the countries of interest?
The Personal Data Protection Law, Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data, constitutes an integrated framework to ensure the confidentiality of information and protect the privacy of individuals in the UAE. It provides proper governance for data management and protection and defines the rights and duties of all parties concerned.
Brief summary of the provisions of the law:
- The provisions of the law apply to the processing of personal data, whether in full or part through electronic systems, inside or outside the country.
- The law defines the controls for the processing of personal data and the general obligations of companies that have personal data to secure it and maintain its confidentiality and privacy. It prohibits the processing of personal data without the consent of its owner, except for some cases in which the processing is necessary to protect a public interest or to carry out any of the legal procedures and rights.
- The law gives the owner of the data the right to request correction of inaccurate personal data and to restrict or stop the processing of their personal data.
- It sets out the requirements for the cross-border transfer and sharing of personal data for processing purposes.
The Personal Data Protection Law (“PDPL”) is the first federal law to be drafted in partnership with major technology companies in the private sector. It comes into force on January 2nd, 2022.
The PDPL looks to align UAE Federal law with global “best practice” data protection principles (such as those of the GDPR). For those familiar with such principles, much of the PDPL will look familiar, as it includes the key transparency and accountability concepts. The PDPL introduces data subject rights, data breach requirements, data protection impact assessments, data transfer requirements, and notification and record-keeping requirements.
In tandem with the PDPL, UAE Federal Decree-Law No.44 of 2021 Creation of the UAE Data Office was also issued on 20 September 2021. The UAE Data Office (“Data Office”) will act as the data protection regulatory authority, operationalizing the Law’s requirements.
Other laws related to data protection and privacy include:
Consumer protection law
- The Federal Law No. 15 of 2020 on Consumer Protection protects all consumer rights, including the data of the consumers, and prohibits suppliers from using it for marketing.
- Data Protection Law, DIFC Law No. 5 of 2020 - Dubai International Financial Centre.
Protection of health data and information
- Federal Law No. 2 of 2019 Concerning the Use of Information and Communication Technology (ICT) in Health Fields regulates the use of information and communication technology (ICT) in the healthcare sector in the UAE, including its free zones.
- Federal Decree Law No. 45 of 2021 regarding the Protection of Personal Data (PDF, 350 KB, available in Arabic only).
Cyber laws - Concerning activities conducted online:
- Federal Law by Decree No. 3 of 2003 as amended Regarding the Organization of Telecommunications Sector
- Federal Decree Law No. 34 of 2021 on Combatting Rumors and Cybercrimes
- Federal Decree by Law No. 45 of 2021 Concerning the Protection of Personal Data
- Federal Decree by Law No. 46 of 2021 on Electronic Transactions and Trust Services
- Regulation of Using Social Media by the Employees of Federal Entities as Approved by the Cabinet Resolution No. 73/3/ & 1 of 2014 (PDF, 1 MB)
- Ministerial Resolution No. 1 of 2008 Regarding the issuance of Certification Service Provider Regulations (PDF, 1 MB)
- Law No. 26 of 2015 Regulating Data Dissemination and Exchange in the Emirate of Dubai (PDF, 1 MB)
The UAE's Minister of State for Artificial Intelligence, Digital Economy & Remote Work Application Office has released a page summarizing the Personal Data Protection Law.
8.2 What are the data locality rules within each jurisdiction?
The data locality rules for the UAE are described in Section 8.1 above.
- Does the data have to remain within the countries’ geographic boundaries or can it be transmitted for display on a web browser outside of the region?
Articles 22 and 23 of the PDPL govern cross-border data transfer:
“Art. 22- Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is Available:
1) Personal Data may be transferred outside of the State in the following cases approved by the Bureau: The State or Province to which the Personal Data is transferred shall have legislations addressing Personal Data Protection. This includes most significant provisions, measures, controls, stipulations, and rules related to the protection of the privacy and confidentiality of the Data Subject's Personal Data, and his/her ability to exercise their legal rights. The State or the Province shall also have a judicial or regulatory authority imposing appropriate measures against the Controller or the Processor.
2) If the State joins a bilateral or multilateral agreement related to the protection of Personal Data concluded with countries to which the Personal Data is transferred.
Article (23)- Cross-Border Transfer and Sharing of Personal Data for Processing Purposes if a Proper Protection Level is not Available:
1) Notwithstanding Article (22) of this Decree by Law, Personal Data may be transferred outside the State in the following cases:
a. Companies, operating in countries where there are no laws for Data Protection, may transfer data under a contract or agreement obligating the companies in such countries to adopt measures, controls, and requirements set out in this Decree by Law, in addition to provisions forcing the Controller or the Processor to adopt appropriate measures which are imposed by a judicial or regulatory authority in such countries as set out in the contract.
b. If there is explicit consent granted by the Data Subject to transfer his/her Personal Data outside the State, provided that such transfer shall not contradict the public or security interest of the State.
c. If the transfer is necessary to fulfill obligations and establish rights before judicial entities, exercise or defend the same.
d. If the transfer is necessary to sign or implement a contract made between the Controller and the Data Subject, or between the Controller and third parties to serve the interest of the Data Subject.
e. If the transfer is necessary to implement an action related to international judicial cooperation.
f. If the transfer is necessary to protect the public interest.
2) The Executive Regulations of this Decree by Law set forth the controls and stipulations referred to in Paragraphs (1) of this Article, which should be observed during the transfer of data outside the State."
- Who is responsible for complying with international regulations if a participant travels between geographies (e.g. for vacation)? Does the CRO have to honor the destination country’s rules?
Both the Data Controller and the Data Processor are responsible.
- Are there any specific requirements for using the Cloud (including whether any routing must be excluded/avoided)? Is there a need to implement secure transfers?
The provisions of the Personal Data Protection Law apply, as discussed in Section 8.1 above.
In addition, Dubai Health Authority’s Health Regulation Sector issued a Health Information Policy on 26 December 2022 entitled “Policy for Health Information Assets Management”. Clause 4.5 sets out requirements for the use of cloud-based solutions.
- Does data need to be collected in the country? Do the servers need to be in the country?
No indication has been found that servers must be located within Dubai. Cloud service providers must comply with the requirements set forth in Clause 4.5 of the “Policy for Health Information Assets Management”.
- Are there data storage and transmission requirements (for data transfer out of the country)?
Dubai Health Authority’s Health Regulation Sector issued a Health Information Policy on 26 December 2022 entitled “Policy for Health Information Assets Management”. Clause 4.6 of the Policy sets out the following retention requirements for data related to clinical trials:
“Advanced Clinical Trial master files of Investigational Medicinal/Clinical Devices Products; and Trial Subject’s Medical Files:
- Thirty (30) years after the conclusion of the trial.
- Documents can be retained for a longer period, however, if required by the applicable regulatory requirements or by agreement with the Clinical Trial Sponsor.
- There should be a flag or divider in health records for documents pertaining to research indicating that the Data Subject/Patient has been recruited to a clinical trial or other research.
- It is the responsibility of the Clinical Trial Sponsor and chief Investigator to ensure that documents are retained.
Research Ethics Committee Records and minutes of meetings relating to a clinical trial:
- Where the trial proceeds, at least five (5) years from the conclusion of the trial.
- Where the trial does not proceed, at least five (5) years from the date of the opinion.
Research Ethics Committee Records and minutes of meeting relating to a non-clinical investigation:
- Three (3) years from date of decision.”
For data transfer requirements, please refer to Section 8.2.
- Are there any exceptions made for research to the local privacy regulations?
Yes. Exceptions exist in the Personal Data Protection Law, discussed in Section 8.1 above, and in the Health Data Protection Law No. 2 of 2019 Regarding the Use of ICT (information and communication technology) in the Health Fields (Health Data Law), as amended by Ministerial Resolution No. 51 of 2021 (“the Resolution”).
- Who is allowed to view data (including the PI) and have access to Personal Identifiable Information (PII)?
The Dubai Health Authority has a Health Information Exchange solution called the Network and Analysis Backbone for Integrated Dubai Health (“NABIDH”).
NABIDH allows doctors, nurses, pharmacists, other health care providers, and subjects of care to appropriately access and securely share a subject of care’s vital medical information electronically, improving the speed, quality, safety, and cost of care for the subject of care.
8.3 Detail the appropriate level of verification and validation of the CRO system (i.e., a software platform that runs clinical trials but is not considered a clinical device)
The Dubai Health Authority Telehealth Policy sets out Health Facility Registration and Licensure Requirements in clause 5, Standard One, which are the requirements for Telehealth Platforms for the provision of Telehealth Services. By extension, these may be considered applicable to software platforms that run clinical trials. The requirements are listed below:
“5.3.1. All existing telehealth platforms intended for internal or commercial use shall:
- Be assessed and approved by DHA through health facility licensing prior to in-house implementation or go-to-market implementation.
- Have legal representation in Dubai with relevant commercial/trade licenses issued by the concerned authority.
- Have an assigned Business Technical Director.
- Provide access to technical support with a defined escalation matrix (response and resolution) for platform users (physicians and patients).
- Comply with the requirements and ensure all communication channels are approved by the TRA in the UAE.
- Ensure all data stored complies with Federal Law No. (2) for the year 2019 on the Use of Information and Communications Technology (ICT) in Healthcare.
- All data centers shall be at least Tier 3 Certified.
- All data shall be stored in a server located at a Cloud Service Provider (CSP) certified by the Dubai Electronic Security Centre (DESC) in the UAE.
- All platforms shall have HIPAA compliance certification.
- All platforms shall have ISO 27001 compliance certification."
It is not permitted to store, develop, or transfer data and health information related to health services provided within the country to a location outside the country, except in the cases mentioned in Articles 22 and 23 of the PDPL.