The Regulation on Protection and Processing of Personal Data by the Social Security Institution
The Regulation on Protection and Processing of Personal Data by the Social Security Institution (the “Regulation”), the purpose of which is to determine the procedures and principles for processing data obtained within the scope of the duties and authority of the Social Security Institution (“SSI”), entered into force through its publication in the Official Gazette dated 19.02.2022 and numbered 31755.
In addition to the SSI, the Regulation also covers the personnel of the SSI, natural persons whose personal data is processed, natural and legal persons who provide services such as information technology systems software and hardware for the processing and filing of personal data, public institutions and organizations that process personal data within the scope of the activities of the SSI, institutions and private law real and legal persons, real or legal persons who process personal data on behalf of the SSI, public institutions and organizations to which data transfer is made, and private law real and legal persons. Due to the comprehensive nature of the regulation, it is important to examine the Regulation in detail and to determine the rights, responsibilities, and obligations of the actors within its scope.
This article aims to sketch the framework of the Regulation and to examine its requirements.
Data Processing and Access to Data
The Regulation regulates the procedures and principles regarding processing all kinds of information and documents produced, processed, or archived by the SSI, access to this information and documents, and requests made for them. Accordingly, the scope of the data before the SSI is basically (i) personal data, (ii) personal health data which includes all kinds of information regarding the physical and mental health of the person concerned, and information about the health service provided to the person, and (iii) commercially important trade secret data which may cause harm if disclosed to third parties.
Pursuant to article 5 of the Regulation, the SSI shall consider the following principles during processing the personal data, health data, and trade secret data for the purpose of performing its duties: “being in conformity with the laws and good faith”; “providing data to be accurate and up to date, where necessary”; “providing data to be processed for specific, explicit and legitimate purposes”; “processing data limited to and proportionate to the purposes for which they are processed”; “providing data to be retained for the period of time stipulated by relevant legislation or the purpose for which they are processed”.
The same article specifies a duty of confidentiality for health service providers and authorized persons who process personal data on behalf of the SSI in accordance with a contract. Accordingly, health service providers are obliged to transfer the personal health data they process on behalf of the SSI to the data recording system of SSI, and cannot copy or transfer this data to any place other than this system. Anyone who processes or accesses personal data, personal health data, and trade secret data on behalf of SSI is under the duty of confidentiality and is obliged to comply with the measures determined by SSI and the Personal Data Protection Board. In order to grant access to the SSI data recording system which contains personal data, personal health data, and trade secret data, a user must be authorized and all transactions regarding identification and authorization are recorded.
The Regulation states that access to personal data of SSI personnel, whose user identification and authorization is made in order for the SSI to fulfill its duties, will not be considered as data transfer provided that it is not given or disclosed to third parties and that the obligations set by the SSI and Personal Data Protection Board regarding data security are complied with. In addition, queries made from data recording systems by data processors as a requirement of the service will not be considered as data transfer.
The regulation further requires that personal data covered by the Regulation can only be accessed by the SSI personnel who are assigned for certain purposes and who are defined and authorized as users. These purposes are the examination and payment of the invoice costs related to health services, the follow-up and collection of SSI receivables, audit, inspection and control, data processing, transferring the control parameters related to health and social insurance services in the SSI legislation to the SSI data recording system, monitoring, and evaluation of health and social services, producing statistics and making risk analysis, determining health and social insurance policies, developing software at the Directorate General for Service Delivery, system operation and data preparation.
SSI personnel who are defined and authorized as users can access personal data, personal health data, and trade secret data by granting direct access with a password. On the other hand, without user identification and authorization, the SSI personnel can only access personal data, personal health data, and data in the nature of trade secrets, upon the approval of the relevant legislation unit. Data access authorizations are limited to the duration and scope of an employee’s duty, and, in the event of a situation requiring the termination of the access authorization, the necessary actions regarding the removal of the authorization are carried out immediately by the unit in which the employee works.
The SSI may transfer the personal data and personal health data of a person;
- to the person himself or to other real or legal persons with the authorization given through notary or with a consent given through confirmation of data subject’s identity via the e-Government application,
- to persons authorized by a court decision to access the person's health data, and
- to their lawyer, provided that the special power of attorney given by the client states that the lawyer can request such data.
In addition, one-time personal data and trade secret data requests by public institutions or organizations in written or electronic form are met by the provincial directorate of the requesting public institutions or organizations. The provincial directorate provides the data that they cannot obtain from the SSI data recording system within their authority, in accordance with the provisions of this Regulation, and delivers it to the relevant authority. In order to transfer personal data and data in the nature of trade secrets permanently, it is obligatory to sign a protocol that determines the transfer method and other necessary issues between the data requesters and the SSI under the coordination of the relevant legislation unit.
SSI also shares personal health data with the Ministry of Health, upon request, for the purpose of protecting public health, performing preventive medicine, making medical diagnoses, providing treatment, and care services, monitoring the suitability of the health services provided, and planning financing.
Finally, personal data and personal health data requests from judicial authorities are made to the provincial units. Likewise, the provincial unit obtains the data that they cannot obtain from the SSI data recording system within their authority from the Directorate General for Service Delivery and delivers them to the relevant authority.
Data transfer requests are made in writing to the relevant legislative unit. In order to transfer personal data, anonymous data, and trade secret data other than the personal health data requested by public institutions and organizations, the legal basis for the request must be stated in the written request to the SSI. If the data requests are accepted, the protocol containing the necessary conditions regarding data access and confidentiality is signed by the data requesters under the coordination of the relevant legislation unit. Data requesters cannot use, reproduce, give, sell or transfer the data to third parties for any purpose other than the purpose stated in their request.
Obligations of the Data Controller and Those Who Access the Data
In parallel with the Law on the Protection of Personal Data, the Regulation imposes an obligation on the data controller to take all necessary technical and administrative measures to ensure the appropriate level of security required to prevent the illegal processing of the data, the illegal access to this data, and to ensure the preservation of these data. Likewise, data processors are jointly responsible with the data controller for taking these measures. The data controller is also obliged to ensure that the necessary inspections are carried out in order to ensure the implementation of the regulations determined by the Personal Data Protection Board.
Persons who process personal data, personal health data, and trade secret data, persons accessing these data, and data controllers cannot disclose the data they have learned to others in violation of the legislation and cannot use it for purposes other than processing. This obligation continues even after the resignation. If it is determined that data processed within the scope of this Regulation has been obtained by others illegally, the data controller shall report to the Personal Data Protection Board without delay and within 72 hours at the latest, and to the relevant persons as soon as possible following the determination of the persons affected by the data breach.
In addition, natural and legal persons, (including SSI personnel accessing data and personnel of public institutions and organizations accessing data or transferring data, as well as the natural and legal persons who provide the software and hardware of information processing systems belonging to health service providers), must ensure that personal data processing is carried out in a way that does not allow the disclosure of personal data, and take all measures necessary for ensuring that the data is not used and shared for other than the intended purpose. The data that is displayed and transferred by SSI must be used in accordance with the relevant legislation, international agreements, and obligations required by the public service, provided that the confidentiality of personal data is adhered to. All necessary measures must be taken to ensure that the transferred data is not in the hands of unauthorized persons, institutions, and organizations.
All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
The Personal Information Protection Law of the People’s Republic of China (“PIPL”) passed at the 30th meeting of the Standing Committee of the 13th National People’s Congress on 20 August 2021 and entered into force on 1 November 2021 as per Article 74...
In today's world, there is no doubt that data has become one of the most valuable assets and resources for some companies. The ability to collect, store, process, and analyze data on a large scale has dramatically changed...