Our first edition of 2022 focuses on Healthcare and Life Sciences. It is a sector that will once again have the spotlight on it this year as we continue to tackle COVID-19 and its subsequent variants. While the pandemic continues to challenge the sector, governments across the region forge ahead with their plans to expand and upgrade healthcare systems and develop robust world-class healthcare infrastructure.
For the region, healthcare is a vital pillar in diversifying its economies, both locally and as medical tourism hubs. To underpin this, healthcare authorities across the region continue to implement frameworks and regulations that provide structure and accountability.
In this edition, you have unique access to great insights and expert commentary on a number of pertinent healthcare regulatory developments. You will find a topical mix of articles; for example, our lawyers discuss vaccines and returning to work during the pandemic. They take you through several other areas, including stem cell research in Bahrain, clinical research laws in Egypt, and Saudi medical device and pharmaceutical laws. Take a read of the edition.
On 21 September 2021, the Kuwait Communication and Information Technology Authority (“CITRA”) issued a comprehensive cloud regulatory framework. Cloud service provider models include infrastructure-as-a-service (“IaaS”), platform-as-a-service (“PaaS”) and software-as-a-service (“SaaS”), and a provider’s commitments and responsibilities vary depending on the model. In this article, we discuss the cloud computing guidelines as well as the related new CITRA Resolution No. 95 of 2021, Data Classification Policy Amendment (“Data Classification Policy”).
With regard to cloud computing, the new framework utilises the Data Classification Policy tier system and has specific guidelines regarding handling cloud data in relation to the classifications. Certain obligations arise depending on the type of data and how it is processed. Below we lay out a few notable points in the cloud computing guidelines and Data Classification Policy in the State of Kuwait.
Initially, the Data Classification Policy only listed three levels of data classification. In the subsequent amended policy, four levels were listed and additional categories were considered. In summary, the classifications include the following:
Level One: non-classified data that is available to the public, or that is not protected from public disclosure or subject to withholding under any law, regulation or contract. It need not be encrypted, as it does not relate to the Data Owner or to the government or private sector. Some examples include, but are not limited to, the following:
Level Two: private, non-sensitive data, meaning any data owned by the public or private sector or by persons that indicates the identity of the Data Owner. Unauthorised disclosure of such data will not infringe the privacy of the Data Owner. Examples of such data include, but are not limited to, the following:
Level Three: private sensitive data, meaning any data owned by the public or private sector or by persons that indicates the identity of the Data Owner and relates to the Data Owner’s content. It may include part of the non-sensitive data. Unauthorised disclosure of such data will infringe the privacy of the Data Owner. Examples of such data include, but are not limited to, the following:
Level Four: highly sensitive data, meaning any private data of a highly sensitive nature. Unauthorised disclosure of such data may cause serious infringement of the privacy of the Data Owner, or of data owned by the government, the private sector, individuals or the State at the national level. Such data may therefore be circulated only to a very specific category of individuals who hold authorisation for it. It carries high encryption requirements and needs the highest level of protection and security. Examples of such data include, but are not limited to, the following:
1- Encryption key;
2- Political documents, international negotiations or international relations;
3- Sensitive information of a military nature or related to State security;
Ultimately, levels three and four of the Data Classification Policy provide extra protections and considerations for individuals and service providers. CITRA grants licences to cloud computing service providers that host third- and fourth-level data and that have data centres within the State of Kuwait. If the data is classified above level three under the Data Classification Policy, the data owner must encrypt the data. The service provider may disclose the subscriber’s content or data only in the following cases:
Entities that use PaaS and SaaS cloud models from cloud service providers, and that host data of the first and second classification levels, will direct the cloud service providers to register with and obtain permission from CITRA. Service providers are prohibited from signing any contract to provide cloud services in the public sector in Kuwait until they have registered with and obtained permission or a licence from CITRA.
Service providers must notify their subscribers “without delay” if their information security has been compromised or reviewed without authorisation. If such data falls under the third or fourth levels, the service provider must alert the relevant authorities as well.
Generally, cloud service providers should review their operations and ensure they are following the guidelines as appropriate. For instance, cloud computing service providers are obliged to inform their subscribers in advance and obtain their prior consent before transferring or processing their content, permanently or temporarily, outside the State of Kuwait. Further, cloud service providers are responsible for the security of their cloud environment and of the security controls they make available, in line with the level of security required by subscribers. They are not responsible for monitoring the subscriber’s content and data or for determining its level of confidentiality, nor for damage caused by a subscriber’s negligence in not using the information security controls the service provider makes available. The security measures protecting subscribers’ data become stricter as the classification tier of that data increases, and data in the fourth tier requires special handling. CITRA has the right to adjust the classification tiers and their security requirements.
CITRA and the relevant authorities are constantly updating their policies and resolutions. These new regulations appear to provide more data protection regulatory clarity on cloud computing in the State of Kuwait. According to the Data Classification Policy, the regularisation of government entities under the Data Classification Policy shall take place within a period not exceeding two years. Entities should consult their legal counsel on the nuances of these new regulations to develop appropriate policies and practices in line with the State of Kuwait’s evolving data protection regulatory landscape.