What security obligations are imposed on data controllers and data processors?
Security requirements may not always be included in the data protection law, but are key to guaranteeing lawful processing of personal data. The entity processing the data must take all useful precautions with respect to the nature of the data and the risk presented by the processing, to preserve the security of the data and prevent alteration, corruption or access by unauthorized third parties. Appropriate technical and organizational measures should be implemented to ensure a level of security appropriate to the risk.
There are no general security obligations imposed on employers and third-party processors of HR-related data in mainland UAE (although there are some security codes and frameworks which apply to the public sector).
It is important to take practical steps to limit unauthorized disclosure of sensitive information to third parties. Disclosure of sensitive information without the consent of the concerned individual(s) could constitute an offence under the Penal Code (Art. 379). Therefore, general best practice measures should be followed to protect both employee and job applicant data.
There are some sector-specific security requirements which may impact employee data processing. Federal Law No. 2 of 2019 on the Use of Information and Communication Technology (ICT) in Health Fields imposes security requirements on health-related data in the healthcare sector. For example, encryption is required for email and electronic communications containing patient information. It is currently unclear if this law will apply to all employee-related health data or just to health data held by healthcare companies, such as medical providers and insurers.
Some free trade zones in the UAE have specific security obligations relating to processing personal data. For example, the Dubai International Financial Center and the Abu Dhabi Global Market both require the implementation of technical and organizational measures to protect the processing of personal data. These laws do not mandate specific technical standards but require a risk-based approach appropriate to the processing activity and the risk of harm.
HR Best Practices: Follow general best practices, such as ensuring that contracts with service providers detail the security and confidentiality measures that will be implemented. In addition, obtain consent from the individuals concerned prior to disclosing sensitive information to third parties.
In the free trade zones, there may be more specific security requirements.