Morocco: Cloud in Healthcare Services

1. Key regulators in this industry are the Ministry of Health, the General Secretariat of the Government and to a lesser degree the National Council of Doctors and the relevant Regional Council of Doctors.¹⁵
2. There are also many other regulators regulating other practitioners and healthcare industry role-players.¹⁶

The use of cloud services is not expressly addressed in any specific healthcare legislation. There may however be laws applicable to the healthcare industry which may need to be taken into account, including the obligation on relevant role-players to keep confidential and not to disclose certain information (see below).

There is presently no uniform regulation of cloud services in Morocco. Role-players within the healthcare sector would, however, need to be mindful of the following regulatory provisions in moving to the cloud:

• Certain general and specific requirements relating to the security and protection of the confidentiality of patients which preclude disclosure of personal and medical information save in specific circumstances, such as with the patient's prior consent.¹⁷
• The data controller in charge of the processing of the health personal information must set up control and security measures to prevent unauthorised access to the records and to the storage facility in which, or system by which, records are kept.¹⁸
• The information systems of the Ministry of Health shall comply with guidelines from the IT System Department.¹⁹
• Pharmacies: A prescription book record must be kept in respect with certain medicines in hard copy on all premises where such medicines are sold or dispensed. The prescription book must be kept for a period of at least ten years after the date of the last entry.²⁰

Information regarding health or sex life is treated as special personal information, and its processing²¹ will be subject to specific requirements, which in most cases requires the data controller to obtain prior authorization of the National Control Commission for the Protection of Personal Data (CNDP).²² However, this will not preclude processing with the consent of the data subject, or processing (with only a prior declaration to the CNDP) in cases which relate to:

• preventative medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services when the data is processed by a health professional subject to the obligation of professional secrecy, or by another person also subject to an equivalent obligation of secrecy;²³ and
• processing aiming solely at the selection of people who may benefit from an individual right, service, or contract and who are not excluded from such benefit as a result of a law or regulation.²⁴

Furthermore, any healthcare industry role-player, which amounts to a public institution or an infrastructure of vital importance,²⁵ should ensure compliance with the National Directive for the Security of Information Systems²⁶ and Decree No. 2-15-712 dated 22 March 2016 laying down the plan for the protection of sensitive information systems of institutions of vital importance and ensure that its sensitive data²⁷ is hosted in Morocco. The National Directive for the Security of Information Systems does not define what sensitive data refers to within the context of each entity. Accordingly, a data classification framework that is adopted by the entity and endorsed by the regulator is always recommended in order to define what “sensitive data” means to such entity and stay compliant with the National Directive for the Security of Information Systems.

Furthermore, regardless of its status of infrastructure of vital importance and subject to specific exemptions²⁸, any healthcare industry role-player having recourse to encryption means or services is required to file a prior declaration or authorization²⁹, as the case may be, before the General Direction for the Security of Information Systems³⁰.

No, there are no laws requiring approval from healthcare regulatory authorities for the use of cloud services. Specific care should however be taken in light of the above considerations given that there are stringent obligations on the sector's role-players to maintain the privacy of patients and the confidentiality of patient information, as well as the safekeeping of records.

To the extent that health information is to be transferred outside of Morocco without compliance with the data transfer requirements set out below, the data controller will require prior authorisation from the CNDP (see below).³¹

Healthcare regulatory authorities possess fairly broad inspection powers which include the power to enter the relevant premises and to access relevant information. For example, a health officer may require the person in charge of a health establishment to produce for inspection, or for purposes of making copies or extracts, any document including any health record that the establishment is required to maintain.³²

Under the Law No. 09-08 relating to the protection of individuals with respect to the processing of personal data (the "Law 09-08"), personal information may be transferred outside of Morocco provided the requirements of Law 09-08 are met. Law 09-08³³ permits the transfer of personal information to a foreign country in specific circumstances, including if the recipient is subject to a law, binding corporate rules or a binding agreement which provides an adequate level of protection as contemplated in Law 09-08, or with the prior authorization of the CNDP.

Microsoft holds itself accountable to and is subject to laws of general application applicable to information technology service providers, and has binding agreements which, in its view, provide adequate protection. In addition, Microsoft adheres to the EU Model Clauses as well as the EU Privacy Shield and the ISO 27018 Privacy Standard. Microsoft is also committed to ensuring that its products and services comply with the EU General Data Protection Regulation (GDPR) which came into force in May 2018.