Personal Health Data in Turkish Law and the Obligation of the Administration to Protect Personal Health Data

Abstract

Personal health data contained in the category of sensitive personal data can be defined as “any health data related to an identified or identifiable natural person.” The scope of this definition includes “all kinds of data in regard to physical and mental health of a person related to his/her past, present and future, as well as data in regard to the healthcare service provided to such person.” This study firstly discusses the concept of personal health data in the light of international regulations, to which Turkey is a party and the rules and principles related to the processing of these data. The cases in which personal health data can be processed in Turkish law will also be discussed. In this context, an assessment about conformity to the principle of minimum, which indicates the necessity to collect data in such a way that such data are only limited to the amount that is necessary to perform the objective/objectives that data collection and processing are affiliated to and the principle of sensitivity, which means processing of sensitive data is subjected to a much more audit compared to other data in data protection law. Then, the obligations of the administration regarding the protection of personal health data will be explained. The meaning and the scope of the obligations of the administration for clarification about personal health data, ensuring data safety, performing regulations and audits will be explained. In the light of the resolutions of the European Court of Human Rights and the Council of State, how the failure of the administration to fulfill such obligations might occur and the type and scope of responsibility based on the form of failure, will be evaluated according to possibilities.