Chapter 7 — Data Protection & Privacy

Chapter 7 — Data Protection & Privacy

7.1 Policy Statement

ARmed for Medical Training and Consultancy – LLC – OP.C shall ensure that all learner and faculty data collected during CME/CPD activities is processed, stored, and transmitted in compliance with the UAE Personal Data Protection Law (PDPL) and DOH standards.
Data collection will be minimal, relevant, and necessary, and information will only be used for CME/CPD accreditation, reporting, and quality assurance.

Reference: DOH requires CME/CPD providers to secure learner information, protect confidentiality, and maintain records for at least 6 years.

7.2 Rationale

  • DOH Standards: mandate that providers maintain secure, auditable data management systems for attendance, evaluation, and reporting.
  • UAE PDPL (2021): enforces principles of lawfulness, transparency, and accountability in personal data processing.
  • Protecting learner data ensures compliance, maintains trust, and safeguards ARmed’s accreditation.

7.3 Scope of Data Collected

7.3.1 Learner Data

  • Full name.
  • Professional license number / healthcare ID.
  • Specialty and role.
  • Attendance records (QR scans, LMS reports, sign-in logs).
  • Evaluation survey responses.
  • Assessment results (pre/post-tests, OSATS).
  • Certificates issued (credit records).

7.3.2 Faculty Data

  • Full name and professional CV.
  • License/registration details.
  • Conflict of Interest (COI) disclosures.
  • Teaching performance evaluations.

7.4 Principles of Data Management

  1. Lawful & Fair Processing: Data collected only for CME/CPD accreditation and reporting.
  2. Purpose Limitation: Data used exclusively for activity evaluation, certification, and DOH reporting.
  3. Data Minimization: Only essential fields are collected (no excessive personal details).
  4. Accuracy: Records verified at point of collection; errors corrected promptly.
  5. Storage Limitation: Records retained for 6 years, then securely deleted.
  6. Integrity & Confidentiality: Data secured via encryption, password protection, and access controls.
  7. Accountability: QA Officer responsible for compliance with PDPL and DOH requirements.

 

7.5 Data Flow Map

Collection → Processing → Storage → Reporting → Archival → Deletion

  • Collection: registration forms, LMS logins, sign-in sheets.
  • Processing: Coordinator uploads attendance and evaluation data into official CME/CPD database.
  • Storage: secure cloud servers + on-site encrypted backups.
  • Reporting: completions uploaded to DOH within 30 days.
  • Archival: retained for 6 years.
  • Deletion: secure shredding (paper) or digital wiping (electronic).

7.6 Access Rights & Security

  • Access Rights:
    • Coordinator: operational access to learner/faculty data.
    • QA Officer: access for audits.
    • Scientific Director: oversight access.
    • CEO: access to compliance reports.
  • Security Measures:
    • Password-protected files.
    • Role-based access controls.
    • Audit trails of access and changes.
    • Two-factor authentication for LMS and reporting portals.

 

 

 

7.7 Breach Response SOP

7.7.1 Identification

  • Any suspected breach (unauthorized access, data loss, cyber incident) reported immediately to QA Officer.

7.7.2 Containment

  • IT team isolates affected system.
  • Temporary suspension of access rights if necessary.

7.7.3 Notification

  • Internal notification: Scientific Director and Oversight Committee.
  • External notification: DOH and UAE Data Office within 72 hours, if required by PDPL.
  • Learners/faculty informed if their personal data is compromised.

7.7.4 Remediation

  • Corrective measures implemented (system patch, process change).
  • CAPA log updated and follow-up audit conducted.

7.8 Learner Rights

Learners and faculty have the right to:

  • Access their own records.
  • Request corrections to inaccurate data.
  • Request deletion after retention period expires.
  • Withdraw consent for optional/non-essential data processing.

 

7.9 Documentation & Retention

  • All data protection policies, breach logs, and access records retained for 6 years.
  • DOH auditors may request access at any time.
  • Evidence of compliance with UAE PDPL maintained for legal accountability.

7.10 Continuous Quality Improvement

  • Data protection processes reviewed annually by Oversight Committee.
  • Risk assessments conducted quarterly for IT and data security.
  • Learner privacy and confidentiality questions included in evaluation surveys.

Comments are closed.