Our first edition of 2022 focuses on Healthcare and Life Sciences. It is a sector that will once again have the spotlight on it this year as we continue to tackle COVID-19 and its subsequent variants. While the pandemic continues to challenge the sector, governments across the region forge ahead with their plans to expand and upgrade healthcare systems and develop robust world-class healthcare infrastructure.
For the region, healthcare is a vital pillar in diversifying its economies, both locally and as medical tourism hubs. To underpin this, healthcare authorities across the region continue to implement frameworks and regulations that provide structure and accountability.
In this edition, you have unique access to great insights and expert commentary on a number of pertinent healthcare regulatory developments. You will find a topical mix of articles; for example, our lawyers discuss vaccines and returning to work during the pandemic. They take you through several other areas, including stem cell research in Bahrain, clinical research laws in Egypt, and Saudi medical device and pharmaceutical laws.
Kuwait’s Communication and Information Technology Regulatory Authority (“CITRA”) has issued Resolution No. 42 of 2021, Concerning Data Privacy Protection Regulation (“Data Privacy Protection Regulations” or the “Regulations”). The Regulations are effective as of their publication date, which was on 4 April 2021, and affect both public and private sectors.
The Regulations apply to all Service Providers who provide Communication and Information Technology Service (“CIT Service”) in the State of Kuwait. CIT Service can include the establishment of any kind of public telecommunications network, operation of a website, smart application, or cloud computing services, by any natural or legal person. Specifically, the Regulations govern the collection and processing of personal data.
The Data Privacy Protection Regulations follow the increased use of advanced technologies such as IoT, Blockchain, and cloud computing technologies in Kuwait, and demonstrate CITRA’s willingness to protect fundamental rights and freedoms of transfer relating to the privacy of personal data collected.
Whilst they are less comprehensive than other data protection regimes, such as the GDPR, and are directed at Service Providers only, the Regulations are nevertheless a step towards global alignment with international best practice in data protection, and introduce some key data protection concepts into a critical commercial sector in Kuwait.
Territorial Scope: The Regulations apply to any Service Provider who provides CIT Services in the State of Kuwait and who collects, processes or stores Personal Data by any means, whether wholly or partially, permanently or temporarily, regardless of whether the processing is carried out inside or outside the State of Kuwait. The Regulations therefore apply to all Service Providers.
Data Classification: The Regulations require all natural or legal persons contracting with a Service Provider to classify their data for information security procedures. This can be either in line with the Data Classification policy approved by CITRA, or with international best practices.
Conditions for Data Collection and Processing: The Regulations require Service Providers to be completely transparent regarding any data processing activities prior to collecting or processing user data, and prior to engaging in CIT Services with the user (i.e. from the outset). This means Service Providers must inform all their end-users how their (the user’s) Personal Data is collected and used, as well as the specific purpose behind collection or processing. Moreover, the Service Provider must provide users with their Terms of Service, and provide clear instructions on how users can change their data or request the cancellation of the data collection or processing. The Service Provider must also obtain a written confirmation (or tick box) from the user that they have full knowledge and acceptance of all conditions, obligations, and data collection and processing provisions.
Lawful basis for processing: Data Collection and Processing is only lawful where either one of these conditions is met:
Conditions for processing: While conducting CIT Services, the Service Provider must comply with certain conditions, such as a) providing users with clear, easy access to their data practices and policies, b) maintaining a clear purpose for data collection (purpose limitation), and c) maintaining appropriate technical and organisational measures to ensure that personal data is protected against unauthorised or illegal processing, accidental loss, destruction or damage, among other conditions.
Exemptions: The Regulations do not apply to a natural person who collects and processes personal or family data. They also do not apply to security agencies who process Personal Data for the purposes of preventing, investigating or detecting crimes, or for prosecuting criminals, enforcement, or preventing threats against public security.