Evaluations on the Regulation on the Protection and Processing of Data at the Social Security Institution

The Regulation on the Protection and Processing of Data under the Social Security Institution (‘Regulation’), which entered into force on 19 February 2022, was enacted in order to determine the procedures and principles to be followed in the processing of data obtained by the Social Security Institution (‘Institution’) by fully or partially automated or non-automated means, provided that it is part of any data recording system.

The Regulation covers the personnel of the Authority and natural persons whose personal data are processed, institutions and organisations, private law natural and legal persons who process personal data on behalf of the Authority within the scope of the activities of the Authority or to whom data is transferred.

It is noteworthy that the definitions in Art. 4 on definitions, data controller, and processing of personal data are taken verbatim from the Law No. 6698 on the Protection of Personal Data (‘Law’). In addition, MEDULA, the electronic information system implemented and operated by the Institution in order to collect healthcare service utilisation data and to perform the billing process based on these data, is also included in the definitions.

MEDULA is an important system in terms of activity, which is also included in the decisions of the Personal Data Protection Board (‘Board’). It will be seen in some Board decisions that the access to the MEDULA pharmacy printouts by the pharmacist’s spouse constitutes the offence of ‘unlawful provision or acquisition of data’ within the scope of the Turkish Penal Code, while in another announcement, there is an application for violation due to the transfer of patient information by the former employee of the pharmacy for the purpose of obtaining supply from other pharmacies and entering it into the MEDUSA system without the knowledge of the patients. In this context, the relevant system has a structure that should be approached with sensitivity in terms of intensive processing of private health data and is also included in the Regulation within this framework.

Processing & Access Principles of Personal Data, Personal Health Data and Trade Secret Data
As it is known from Article 4 of the Law, there are basic principles in the processing of personal data. These principles are also included in the Regulation. Accordingly, the principles of compliance with the law and good faith, being accurate and up-to-date when necessary, being processed for specific, explicit and legitimate purposes, being relevant, limited and proportionate to the purpose for which they are processed, and being retained for the period stipulated in the relevant legislation or required for the purpose for which they are processed are included in the Regulation.

Health service providers contracted with the Institution will be obliged to transfer the personal health data they process on behalf of the Institution to the aforementioned data recording system, and they will not be able to copy and transfer to anywhere other than this system. Authorisation must also be defined at the point of access to the relevant system. Authorisation, recording and preservation processes are left to the determination of data controllers. Another responsibility imposed on data controllers, which we are also familiar with from the Law, is that they are obliged to take all kinds of administrative and technical measures in terms of security for the protection of personal data. At this stage, the data controller is jointly responsible with the data processors.

One of the noteworthy points is the inclusion of the 72-hour data breach notification period in the Regulation, which is not included in the Law, but has found its place in practice with the decisions and announcements of the Personal Data Protection Board (‘Board’).

The access of the authorised personnel of the Authority to the data will not be considered as data transfer, provided that it is not given or disclosed to third parties and the relevant obligations regarding security are complied with. In this context, the personnel of the Institution will have access to personal data within the scope of the Regulation for audits, data processing activities, determination of health and social insurance policies and in certain other cases listed in the Regulation. It is seen that the methods and conditions of this access are also regulated in the Regulation.

Requests Regarding Personal Data Belonging to the Person and Personal Health Data
As mentioned, the rights of the persons at the point of application to the Authority mirror the ‘Rights of the Relevant Person’ regulated in Article 11 of the Law. In addition, a regulation has been made that the requests of the persons at the stage of deletion/destruction of their data in the system will be subject to the evaluation of the ‘relevant legislation unit’ as to whether the conditions for processing personal data have completely disappeared. As a result of this examination, the person must be notified within 30 days with the method and justification of which of the deletion, destruction or anonymisation procedures will be applied.

The Institution may transfer personal data to authorised persons who have permission to access the health data of the person with a court decision, other natural or legal persons with the permission given to the person himself/herself or with his/her notarised consent or by identity confirmation through the e-Government application, and to the relevant lawyer provided that the special power of attorney granted by the client includes that the lawyer may request personal data and personal health data, or may reject data requests with justification.

Requests made to the Authority shall be answered free of charge within 30 days, taking into account the nature of the request, and if it requires an additional cost, in return for the fee in the tariff determined by the Board.

Access Authorisation with Authorisation Matrix in the light of Board Decisions
As it is known, the authorisation matrix consists of a systematic system regarding who can access the data, when and how, by authorising access to all kinds of shared data, files or information. This system is very important for data controllers to take all kinds of technical and administrative measures arising from the Law within the scope of personal data security, and there are many decisions of the Board on this issue. To take a brief look;

In the summary of the Board’s Decision No. 2021/32; In the infringement application made in terms of unlawful acquisition of personal data and violation of the right to privacy upon querying the personal data of the data subject through the bank and submitting it to the court file against the data subject, the Board decided that ‘the personal data of the data subject was accessed by others illegally due to the querying and submission of the personal data of the data subject to the court by the person working within the data controller, and that the bank, which is the data controller, did not take the necessary administrative and technical measures’ and imposed administrative sanctions.[3]

In another decision, it was decided that the data controller operating in the health sector, which established the authorisation matrix system for employees before the breach occurred, took reasonable administrative and technical measures in the evaluation made by the Board after the breach.

It is understood from many decisions of the same nature that the Board places great emphasis on the authorisation matrix and access authorisation within the scope of the technical and administrative measures included in the ‘Personal Data Security Guide’ and notifies data controllers to establish the necessary system in this regard.

Measures to be Taken by Data Controllers in the Processing of Special Categories of Personal Data
The Board’s Decision No. 2018/10 on ‘Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data’ makes very essential explanations. The Regulation, which we are examining, insists on the point of precautions and measures and emphasises their importance. In this context, it will be important to mention the issue of ‘adequate measures’ in the principle decision. Namely

Determination of a systematic, sustainable and manageable policy and procedure regarding the security of special categories of personal data,
Providing trainings for the persons involved in the processing of sensitive personal data, making confidentiality agreements, making access authorisation as mentioned above and periodically checking the authorisations, removing the authorisation in case of job change or resignation and taking back the inventory allocated to them,
Preservation of personal data of special nature stored and accessed in electronic media by cryptographic methods, keeping cryptographic keys in secure and different environments, logging all data-related transactions securely, performing security tests and providing at least two-stage authentication system,
For personal data of special nature stored in physical environment, taking necessary security measures for the environment where the data is located (against situations such as electrical leakage, flood, fire, theft), preventing unauthorised entry and exit,
Sending data via encrypted corporate e-mail address or KEP (Registered Electronic Mail) account, encryption with cryptographic methods in transferring to media such as portable memory, CV and DVD, establishing VPN or using sFTP[6] method in transferring between servers in different physical environments, eroding measures against risks such as theft, loss, being seen by unauthorised persons and sending documents in the format of ‘confidential documents’ are some of the necessary measures to be taken in the transfer of sensitive personal data.
Anonymisation, as explained in the Guideline on Deletion, Destruction or Anonymisation of Personal Data (‘Guideline’) published by the Personal Data Protection Authority (‘Authority’), is the process of making personal data impossible to be associated with an identified or identifiable natural person under any circumstances, even if it is matched with other data. This Guideline also draws a roadmap by clarifying the methods for anonymisation of personal data.

For example, by using the ‘generalisation’ method, the relevant personal data may be converted into a general value, making it impossible to reach real persons. In another method, the anonymity feature can be strengthened by removing the row containing uniqueness among the relevant data from that data set. In addition to these, ‘masking’, which is frequently used today, is one of the ways of anonymisation.

Nationally and internationally accepted statistical methods will be applied in the anonymisation of personal data, personal health data and trade secret data determined by the relevant legislative units. Anonymised data may be transferred in limited number of cases listed in the Regulation if it complies with the provisions of the Regulation and if the Authority deems it appropriate as a result of the evaluation.

Anonymous data requests will be transferred by taking into account criteria such as whether the data can be created by a separate or special study, research, examination or analysis, the complexity of the anonymisation process, and whether the data is a trade secret.

The publication of the Agency’s statistical bulletins, statistical yearbooks and annual reports containing anonymised data and trade secret data shall not be considered as data transfer.

The Institution shares personal health data with the Ministry of Health upon request for the purposes of protecting public health, preventive medicine, medical diagnosis, treatment and care services, monitoring the appropriateness and appropriateness of the health services provided and planning their financing.

In the data requests of the Ministry of Health,
In the event that the data regarding the services that cannot be billed to the Institution due to force majeure from the personal health data they process on behalf of the Institution are requested by the health service providers contracted with the Institution for the provision of health services,
General provisions regarding data transfer shall apply. Although these general provisions are explained in detail in the Regulation, as a framework, it can be said that a systematic is drawn such as data transfer requests will be made in writing to the relevant regulatory unit, the regulatory unit may request additional information and documents if deemed necessary, and if the data requests are accepted, the Protocol, which has the conditions of data access and confidentiality, will be signed by the data requestors. In addition, it is also stated that data cannot be transmitted by telephone, anonymous data can be delivered to the e-mail address with the extension ‘gov.tr’ together with the encrypted file upon request to public institutions and organisations, and that data requestors cannot use the data they receive for purposes other than the purpose of the request. It is noteworthy that the transfer provisions in this scope are regulated in parallel with the Adequate Measures to be Taken by Data Controllers in the Processing of Sensitive Personal Data.

Natural and legal persons, including the personnel of the Agency accessing the data and the personnel of public institutions and organisations accessing or transferring the data, natural and legal persons providing the software and hardware of the information processing systems of health service providers;

To take all kinds of measures without any time limit in order not to use and share the data for purposes other than the purpose requested in the data request,
To act in accordance with the principle of confidentiality of personal data,
obligation to ensure the security of personal data. It is also stipulated that the regulations issued by the Board to ensure the security of personal data shall be complied with.

In case of violation of the relevant provisions regarding the protection of personal data, it is regulated that the provision on misdemeanours in Article 18 will be applied by referring to the Law and the situation will be notified to the Board. It is also stated that a criminal complaint will be filed in accordance with the relevant articles of the Turkish Criminal Code No. 5237 against those who change or disrupt the integrity of personal data from the persons who are authorised by the Authority to access them. It is known that the Board, the supervisory and regulatory body of the Law, has also filed criminal complaints against various violations.

The Agency is obliged to ensure the security of the data in the data recording system against all kinds of dangers. In addition, real and legal persons requesting data transfer will not be allowed direct access to the data recording system of the Authority, and the requested data will be transferred.

The Directorate General for Service Delivery (‘DGDSS’) is another institution that is obliged to take security measures to meet data requests. In general terms, DGDS is the institution to which data requests are forwarded after being examined by the relevant legislative units. The data to be prepared for transfer are shared by DGMM and certain data requests within the scope of the Regulation are made directly to DGMM.

Access to the Agency’s data recording system with a password will be recorded within the framework of DG HSGM’s security measures. In this regard, in order to prevent unauthorised use of the personnel with access authorisation due to reasons such as change of duty or resignation, access authorisations must be notified to DGMM by official letter.

Provided that the security measures determined by the Agency and the Board are complied with, the requests of external stakeholders to integrate their software into the Agency’s software in order to fulfil their obligations to the Agency are also decided by the Agency. At this point, the applicants shall submit their requests to the DGMM in writing.

The Regulation on the Protection and Processing of Data under the Social Security Institution, as an extension of the Law No. 6698, contains very similar and even identical provisions. Although the text in question will be executed by the President of the Social Security Institution, it contains regulations that will significantly change the system by imposing very detailed obligations on all kinds of contact of personal data, and in this context, by imposing confidentiality obligations on SSI personnel, as if a secondary legislation was issued to the Law.

It is also worth noting that the Regulation is the first text that includes detailed and exclusive regulations on health data after the ‘Personal Health Data Regulation’. In the light of these regulations, it is clear that SSI processes will operate under stricter conditions in practice, information sharing will be restricted and the process will be supported by serious sanctions.