Personal Data Protection Law (Saudi Arabia)
Requirement

Article 26: Processing health data

Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.

The Controller shall take the appropriate organizational, technical, and administrative measures to protect Health Data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners, and it shall, in particular, take the following controls and procedures:

  1. Adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other related entities involved in regulating Health Services and health insurance services, that specify the tasks and responsibilities of employees of health care providers, health insurance companies, health insurance claims management companies and those which are contracted by them carrying out the Processing of Health Data.
  2. Include the provisions of the Law and its Regulations into the internal policies of the Controller.
  3. Distribute tasks and responsibilities among employees or workers in a way that prevents overlapping specializations and diffusion of responsibility, and taking into account different levels of access to data among employees or workers in a manner that guarantees the highest degree of the privacy of the Data Subjects.
  4. Document all stages of Health Data Processing and provide the means to identify the person in charge for each stage.
  5. The agreement between the Controller and the Processors - to conduct work or tasks related to Health Data Processing - shall include provisions that oblige them to abide by the procedures and measures stated in this Article.
  6. Health Data Processing should be limited to the minimum necessary to provide healthcare services and products or health insurance programs.

Fulfill this requirement by completing the tasks below ->
Personal Data Protection Law (Saudi Arabia)
Article 26: Processing health data
This requirement is part of the framework:  
Personal Data Protection Law (Saudi Arabia)

Other requirements of the framework

49421
Article 27: Processing credit data
49420
Article 32.3: Responsibilities of the Data Protection Officer
49422
Article 26: Processing health data
49423
Article 28.1-2: Processing data for advertising or awareness purposes
49424
Article 29: Direct marketing
Best practices
How to implement:
Article 26: Processing health data
This policy on
Article 26: Processing health data
provides a set concrete tasks you can complete to secure this topic. Follow these best practices to ensure compliance and strengthen your overall security posture.

The Controller shall take the appropriate organizational, technical, and administrative measures to protect Health Data from any unauthorized use, misuse, use for purposes other than for which it was collected, or breach, and any procedures or means that guarantee the preservation of the privacy of its owners, and it shall, in particular, take the following controls and procedures:

  1. Adopt and implement the requirements and controls issued by the Ministry of Health, the Saudi Health Council, the Saudi Central Bank, the Council of Health Insurance, and other related entities involved in regulating Health Services and health insurance services, that specify the tasks and responsibilities of employees of health care providers, health insurance companies, health insurance claims management companies and those which are contracted by them carrying out the Processing of Health Data.
  2. Include the provisions of the Law and its Regulations into the internal policies of the Controller.
  3. Distribute tasks and responsibilities among employees or workers in a way that prevents overlapping specializations and diffusion of responsibility, and taking into account different levels of access to data among employees or workers in a manner that guarantees the highest degree of the privacy of the Data Subjects.
  4. Document all stages of Health Data Processing and provide the means to identify the person in charge for each stage.
  5. The agreement between the Controller and the Processors - to conduct work or tasks related to Health Data Processing - shall include provisions that oblige them to abide by the procedures and measures stated in this Article.
  6. Health Data Processing should be limited to the minimum necessary to provide healthcare services and products or health insurance programs.

Read below what concrete actions you can take to improve this ->
Article 26: Processing health data
Frameworks that include requirements for this topic:
No items found.

How to improve security around this topic

In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.

Here's a list of tasks that help you improve your information and cyber security related to
Article 26: Processing health data
Task name
Priority
Task completes
Complete these tasks to increase your compliance in this policy.
Critical
31 requirements
No other tasks found.
Complete these tasks in Cyberday ISMS ->

How to comply with this requirement

In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.

Here's a list of tasks that help you comply with the requirement
Article 26: Processing health data
of the framework  
Personal Data Protection Law (Saudi Arabia)
Task name
Priority
Task completes
Complete these tasks to increase your compliance in this policy.
Critical
31 requirements
Documentation of health data processing stages and responsibilities
Critical
High
Normal
Low
1
requirements
Privacy
Processing principles and accountability

Documentation of health data processing stages and responsibilities

This task helps you comply with the following requirements

Article 26: Processing health dataPDPL
Management of Changes to Privacy Policies and Procedures
Critical
High
Normal
Low
2
requirements
Privacy
Security and responsibilities

Management of Changes to Privacy Policies and Procedures

This task helps you comply with the following requirements

Article 26: Processing health dataPDPL
Safeguards to protect PHI
Critical
High
Normal
Low
5
requirements
Risk management and leadership
Cyber security management

Safeguards to protect PHI

This task helps you comply with the following requirements

5.12: Classificatie van informatieNEN 7510
8.13: Back-up van informatieNEN 7510
5.39: HLT – Unieke identificatie van zorgontvangersNEN 7510
Article 26: Processing health dataPDPL
Access to electronic protected health information
Critical
High
Normal
Low
9
requirements
System management
Access control and authentication

Access to electronic protected health information

This task helps you comply with the following requirements

5.12: Classificatie van informatieNEN 7510
5.41: HLT – Openbaar beschikbare gezondheidsinformatieNEN 7510
5.15: ToegangsbeveiligingNEN 7510
8.5: Veilige authenticatieNEN 7510
5.39: HLT – Unieke identificatie van zorgontvangersNEN 7510
Security management process for ePHI
Critical
High
Normal
Low
2
requirements
Risk management and leadership
Risk management

Security management process for ePHI

This task helps you comply with the following requirements

Article 26: Processing health dataPDPL
Personnel security policies for accessing ePHI
Critical
High
Normal
Low
3
requirements
Personnel security
Cyber security in contracts

Personnel security policies for accessing ePHI

This task helps you comply with the following requirements

5.15: ToegangsbeveiligingNEN 7510
Article 26: Processing health dataPDPL
Establishing and maintaining the comprehensive ePHI security program
Critical
High
Normal
Low
3
requirements
Risk management and leadership
Cyber security management

Establishing and maintaining the comprehensive ePHI security program

This task helps you comply with the following requirements

5.12: Classificatie van informatieNEN 7510
Article 26: Processing health dataPDPL
Inventory and documentation of data processing agreements
Critical
High
Normal
Low
21
requirements
Privacy
Data transfer and disclosure

Inventory and documentation of data processing agreements

This task helps you comply with the following requirements

28. Data processorGDPR
13.2.2: Agreements on information transferISO 27001
15.1.2: Addressing security within supplier agreementsISO 27001
A.8.2.4: Infringing instructionISO 27701
5.14: Information transferISO 27001
Access rights are managed by the principle of the least privilege
Critical
High
Normal
Low
19
requirements
System management
Access control and authentication

Access rights are managed by the principle of the least privilege

This task helps you comply with the following requirements

PR.AC-4: Access permissions and authorizationsNIST
I-06: THE PRINCIPLE OF LEAST PRIVILEGE – MANAGEMENT OF ACCESS RIGHTSKatakri 2020
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.CyberFundamentals
2.6.1: Create guidelines for access controlNSM ICT-SP
2.6.4: Minimise privileges for end users and special usersNSM ICT-SP
Reviewing the execution of data minimisation
Critical
High
Normal
Low
8
requirements
Privacy
Privacy by design and default

Reviewing the execution of data minimisation

This task helps you comply with the following requirements

A.7.4.1: Limit collectionISO 27701
TSU-10: Tietojen minimointiJulkri
P7.1: Collection and maintainment of accurate and relevant personal informationSOC 2
Article 13.1(.2.g): Data processingCRA
Article 41: Collection and usage of personal informationCSL (China)
Complete these tasks in Cyberday ISMS ->

The ISMS component hierachy

When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.

Framework

Sets the overall compliance standard or regulation your organization needs to follow.

Requirements

Break down the framework into specific obligations that must be met.

Tasks

Concrete actions and activities your team carries out to satisfy each requirement.

Policies

Documented rules and practices that are created and maintained as a result of completing tasks.

Never duplicate effort. Do it once - improve compliance across frameworks.

Reach multi-framework compliance in the simplest possible way
Security frameworks tend to share the same core requirements - like risk management, backup, malware, personnel awareness or access management.
Cyberday maps all frameworks’ requirements into shared tasks - one single plan that improves all frameworks’ compliance.
Do it once - we automatically apply it to all current and future frameworks.
Start free trial
Effortless compliance improvement
Widest framework library in EU
Extensive support

Start your compliance journey

Use in MS Teams or use your browser with Slack integration.
Risk free trial. No credit card required. Stop at any time.

Start free trial
Book a meeting
How it works?
SummarySecurity tasks and assuranceDocumentation workflowsEmployee guidelinesReporting templatesTrust center
Use cases
By frameworkAll frameworksISO 27001NIS2 directiveNIST CSFCSA CCMISO 27701GDPRISO 27017ISO 27018
By methodCyber risk managementEmployee awarenessCompliance reportingControl managementAsset managementPrivacy managementVendor assessmentsInternal audits
Resources
AcademyWebinarsBlogHelp articlesVideo coursesContent libraryGuidesNewsletterLeave a reviewPartner programTeamTerms of usePrivacy policy
Contact us
+358 10 231 6010
team@cyberday.ai
App works in:
Known in Finland as Digiturvamalli
© Cyberday Inc. Kalevantie 2 33100 Tampere, Finland
Cyberday.ai - Improve and certify your cyber security