Levels of Protection in using Cloud Computing in Health Sector
under Islamic and Saudi Laws
Emna Chikhaoui
Prince Sultan University, College of Law, Prince Nasser Bin Farhan Street, Riyadh, Saudi Arabia
Keywords: Cloud Computing, e-Health, Protection, Privacy, Security, Legislation.
Abstract: The implementation of cloud computing in the context of health information provides a hardware
independent manner of accessing, sharing data, streamlining costs and optimizing efficiency. Despite the
benefits provided by cloud computing, the process of migrating from a health care IT system remains slow
and subject to privacy and security challenges. In this paper we explore the levels of protection in using the
clod in health sector under Islamic law and Saudi legislation.
1 OBJECTIVES OF RESEARCH
To present the opportunities and challenges of cloud
computing in health organizations.
To discuss privacy under Islamic law which may
hinder the adoption of health care cloud computing.
To analyse current privacy and data protection
laws in Islamic and Saudi legislation.
To suggest measures that may enhance the
viability of cloud computing.
2 METHODOLOGY
The purpose of this research paper is to analyze the
viability of health care cloud computing in the
context of Saudi and Islamic privacy legislation. To
achieve this objective, we use the following
methodology:
Content analysis where literature and laws;
including Islamic law and Saudi legislation
regarding privacy and security concerns were
analyzed.
3 FINDINGS
Cloud computing represents a paradigm shift in
healthcare IT. However current data center IT is
resistant to change as a consequence of privacy, data
protection and data reliability concerns, as well as
Saudi Arabia's complex jurisdiction. Thus in
addition to raising consumer awareness on cloud
computing, the legislation of privacy, confidentiality
and security remain obstacles to be overcome.
4 INTRODUCTION
Cloud computing is an emerging technology with
the potential to revolutionize health care services,
however one must observe a series of principles
before moving safely to the cloud.
The public should be aware of health information
privacy, confidentiality and security of health data.
Legislators continue to regulate the ever changing
field of health informatics.
The Health Insurance Portability and
Accountability Act of 1996 (HIPPA) mandates the
development of a national privacy law, security
standards and electronic transactions standards and
provides penalties for standards violations and
wrongful disclosures of health information (Chandra
and Adesh, 2013).
Other contributions to public awareness of
privacy and data security rights include the 1995
European Union's Enactment of the Data Privacy
Directive, officially Directive 95/46/ EC on the
protection of individuals with regard to the
processing of personal data within the European
Union and the free movement of such data. The
General Data Protection Regulation adopted in April
2016 has superseded the Data Protection Directive
and became enforceable on 25 May 2018. However,
Chikhaoui, E.
Levels of Protection in using Cloud Computing in Health Sector under Islamic and Saudi Laws.
DOI: 10.5220/0007232704310437
In Proceedings of the 10th International Joint Conference on Knowledge Discovery, Knowledge Engineering and Knowledge Management (IC3K 2018) - Volume 1: KDIR, pages 431-437
ISBN: 978-989-758-330-8
Copyright © 2018 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
431
in Saudi Arabia privacy law in the context of
information security and consumer data protection is
yet to be legislated and implemented. This paper
addresses the issues of privacy, confidentiality and
security of health care cloud computing through the
perspective of Islamic and Saudi Law.
5 SOURCES AND GENERAL
PRINCIPLES OF PRIVACY
UNDER ISLAMIC LAW
One should note that all religious texts from the
Quran or the Sunnah lie at the highest level of
authoritativeness as sources of law in Islam. This
makes the implications of their language a ready
material for legal principles to be derived from.
Whilst the term “privacy” is not explicitly referred
to in the Quran, it contains verses emphasizing the
importance of the individual right to privacy.
Several Quranic verses emphasize individual's
right to privacy. The most prominent of these are
two verses referring to the privacy of the home: “O
you who have attained to faith! Do not enter houses
other than your own unless you have obtained
permission “hatta tasta’nisu" and greeted their
inmates” (Asad, 2008). These excerpts evidence the
textual basis for privacy protection as applied to
privacy in the household. Additionally, the Quran
establishes a right to privacy for people vis-à-vis
their family members, that is, within their own
home. The Quran (24: 58) specifies three times at
least when explicit permission has to be taken before
people could enter into the private domain (room,
etc) of their parents: before the dawn prayer, during
the afternoon (possible time for napping), and after
the night prayer.
This Quranic principle applies to all Muslims,
but young adults who have recently reached the age
of puberty are simply encouraged in this verse to get
accustomed to the habit of seeking permission when
they want to enter rooms other than theirs, so that
such becomes second nature to all members of the
family. The Prophet of Islam has emphasized the
duty of protecting the privacy of people’s
correspondence and communication whether or not
they take place in a private place. The Prophet is
reported to have said “He, who looks into a letter
belonging to his brother, looks into the hellfire.”
(Bin Asha’th, 2008).
This establishes that, even if a private
communication is conveyed outside of a private
environment, the nature of the correspondence
creates a right to privacy that must be applied to the
correspondence. The forgoing Quranic verses and
Sunnah of the Prophet establishes the very basis of
right to privacy and its utmost importance.
Moreover, if a Muslim has committed a crime and
the investigation could potentially breach his
privacy, the Prophet very clearly advises not to
proceed with the investigation. Thus, the texts from
Quran and Sunnah of the Prophet suggest that the
practice of deploying modern technologies by the
present governments in breach of privacy is to be
considered as un-Islamic.
The Islamic principles on privacy can be
summarized as follows: (Muhammad, 2011). Every
man and woman has certain information for which
they have the right and obligation to keep secret.
The extent of secrecy changes according to the
nature of the observer, the time of observation, and
the amount of information observed. Some of the
secrets can be joint secrets and all the parties have
the obligation to keep it secret. Some of the secrets
can be shared (disclosed to someone else) but the
nature of the observer is conditional (who the
someone could be?) and then the one who receives it
has the obligation to keep it secret. It is undesirable
to investigate the secrets of someone else and
intrusion into the privacy of someone else is
punishable by law.
5.1 Privacy: A Sharia Law Perspective
As per the earlier discussion on the concept of
privacy in Islam, one can figure out that right to
privacy has not been introduced as a distinctive,
well-defined legal term in Islamic legal manuals.
Islamic juristic language indicates that the privacy of
the individual constituted one of Muslim jurists’
concerns. In Islamic legal literature one may find
references to Quranic Ayats and Hadiths of the
Prophet establishing privacy aspects of what is
considered in contemporary legal terms as the right
to privacy.
Protection for the individual privacy has not been
totally neglected in Islam as evidenced in the Quran
and Sunnah of the Prophet (sources of Islamic Law)
establishing the right to privacy. In fact, scholars of
Islamic law have paid considerable attention to the
topics related to the different aspects of privacy. The
sanctity of one's body privacy is recognized in
Islamic law and the Quran (24-58) demarcates
certain periods in a day which are times of privacy
for an individual and indicates the need for prior
permission before entering the private premises of
another. These periods are before the prayer at
FR-HT 2018 - Special Session on Managing Digital Data, Information and Records: Firm Responses to Hard Technologies
432
dawn, during the afternoon where one needs to rest
and also after the night prayer.
In addition, domestic privacy is also considered
an important facet of Islamic life and this idea
permeates different aspects of Sharia. Moreover,
privacy as to proprietary interests was the first legal
aspect of privacy recognized by the Muslim jurists.
In fact, the Quran (24:27-8) forbids entering
another's house without prior permission. It is
understood that recognizing privacy in the domestic
domain is not just illegal, but it may be also
considered as an intrusion into matters of sensitivity
which may enlarge the scope of privacy in Islamic
law.
Islamic Law offers protection for privacy as
shown in Quran and Sunnah, however, attempts
should be made at articulating the general principles
of classical Islamic Law and addressing the
emerging challenges of technological evolution.
(Rehman, 2017). Moreover, the studies reveal that in
classical Islamic Law privacy is confined to the
concept of physical intrusion whereas nowadays it is
possible to invade a person's privacy without
physical intrusion of the private sphere.
5.2 The Islamic Law of Evidence and
Privacy
The Muslim jurists agree that high standards of
testimony in most of the criminal cases are required
to punish an offender. For example, in cases of
adultery the law requires four witnesses. The
stipulation of a testimony by four witnesses in order
to prosecute a person who is accused of adultery is a
sign of Islamic law’s adherence to the protection of
privacy since such a stipulation deters those with
inquisitive attitudes from violating the privacy of
those who may be practicing such unlawful activities
in their private environment. When three
eyewitnesses testify that adultery had been practiced
not only is it insufficient to prosecute the accused,
but also the witnesses may be accused of slander.
Privacy in Islamic law enjoys an influential
position in terms of its penetration of both criminal
and civil legal matters, since it is the ultimate
reference as to whether there are any fruits to
considering an act illegal or undesirable from a legal
point of view. When the law of evidence makes
harder trying people who are accused of privacy-
related offences, its promotion of privacy becomes
all the more significant. Islamic law’s promotion of
privacy is remarkably beyond the modern man’s
expectations.
The Prophet discouraged people from confessing
to committing shameful acts which have not resulted
in infringement on people’s rights. The spirit of
respect for privacy in this line of thought is
emphasized by other traditions. For example, the
Prophet has reportedly said, “If you have been
embroiled in an embarrassing sin, which God chose
not to disclose, do not disclose it yourselves.” The
Prophet has even turned his face away (twice) from
a man who wanted to confess before the Prophet that
he committed adultery. After the man insisted on
conveying his confession for the third time, the
Prophet investigated the possibility that the
confessor’s mental state or drunkenness may have
led him to make his confession. Only after these
possibilities were excluded, the punishment was
carried out. Some Muslim jurists have relied on this
story to argue that people are not encouraged to
confess to committing crimes that have not been
prosecuted, if the rights of others (such as their
property, etc) are not involved. It is clear that such a
rule promotes the individual’s privacy. However,
the Prophet is reported to have insisted that once
complaint about a major crime is elevated to the
Muslim authorities, no one can stop the prosecution
of the criminal.
Another example of the protection of privacy
offered in the Islamic law of evidence is that Muslim
jurists express their reluctance to accept the
testimony of individuals when it is made either for
or against a family member or a former family
member of their own. Family members, are the ones
most acquainted with the details of each other’s
private life. Although Muslim jurists do not use the
language of privacy to justify their reluctance to hear
these testimonies, their attitude has definitely led to
the enlargement of people’s privacy.
One more (rather striking) example of the
protection of privacy in the Islamic law of evidence
may be discerned from the following: under Hanafi
law, if someone confesses (in confidence) to
committing a crime in the presence of another and
asks the latter not to convey to others the content of
her/his confession, the confession witness must
refrain from testifying against the confessor. But,
what if the person decides to violate the confessor’s
privacy anyway? Here disagreement arises- some
Hanafí jurists call upon the judge to accept the
hearing of that testimony and others do not. Thus,
according to the first opinion, although the one who
promised not to convey the content of the confession
was supposed to keep his promise, his privacy-
violating testimony may be heard.
Levels of Protection in using Cloud Computing in Health Sector under Islamic and Saudi Laws
433
According to the other opinion, such a testimony
may not be heard. The same disagreement among
Hanafí jurists arises in the case where a man denies
his debt in public and acknowledges it only when he
meets in private settings with his creditor. If the
latter allows two persons to attend a private
encounter without his party’s knowledge and solicits
the denier’s acknowledgement of the debt, can the
judge support the creditor’s claim based on the
testimony of the secret witnesses? Hanafí jurists
have disagreed on this question: some accepted the
hearing of the testimony despite the violation of
privacy and some rejected it because of the
unlawfulness of deception and spying.
Islamic law acknowledges the right to privacy
and links it to communication, information,
territorial and bodily privacy. However, Islamic Law
alone cannot address the challenges that arise from
privacy breaches in the ever -changing world of
emerging technologies.
6 PRIVACY PROTECTION
UNDER SAUDI LEGISLATION
Whilst Saudi Arabia under the Vision 2030 has
launched many projects and initiated numerous
initiatives to improve the health care service, foreign
companies and health organizations in Saudi Arabia
are still grappling with legal issues to make use of
cloud computing due to the legal vacuum and the
absence of legislation as to privacy and data
protection (Torry Horris, 2015).
6.1 Ministry of Health Vision e-Health
The Ministry of Health (MoH) under Vision 2030
has developed a business strategy and 5years plan to
realize this vision, and has positioned e-Health as a
primary transformation agent and enabler (Ministry
of Health, 2018). The e-Health strategy supports the
primary MoH goals:
To care for patients
To connect providers at all levels of care
To measure the performance of healthcare delivery
To transform healthcare delivery to a consistent
world-class standard.
The e-health strategy will benefit the healthcare
professionals (doctors, nurses.), who will have
access to patients' data at any time, to information
that allows them to compare their own practice
results and trends against national performance
statistics.
It will also benefit the patients by allowing them
to access credible health information from any
preferred channel (web, SMS, telephone...), receive
a faster diagnosis when medical care is needed,
reducing time, pressure and confusion when getting
services from different locations.
These are some benefits of the Saudi e-health
strategy under Vision 2030.
Huge efforts have been made by MoH to
improve the health care services, however in terms
of laws for privacy and data protection, Saudi Arabia
doesn't have a privacy law and data protection.
6.2 Legislation
As of 2018 Saudi Arabia has not passed a
comprehensive legislation on privacy or data
protection per se, although it has devised a strategic
plan for privacy protection. However, currently,
there are Laws which may be considered legal
instruments in the protection of data.
6.2.1 Constitutional Laws
The Basic Law of Governance no: A/90 dated the
27th Sha'ban 1412H (1 March 1992) which refers to
the Constitution of Saudi Arabia provides for the
privacy of individuals in article 40. The protection
includes privacy of telegraphic, telephonic, postal
and other means of communication. It prohibits
interception or eavesdropping of private
communication except for legal purposes.
Similarly, the Civil Service regulation in article
12 prohibits the civil servants to disclose secret or
confidential information acquired while at work. The
Constitutional provisions could be applied to protect
e-health information of patients in private sector and
the public sector employees are bound by the
Constitution and Civil Service regulation. These two
laws could be easily applied to cover any unlawful
use, collection and disclosure of information of e-
health patients. In the absence of any relevant
legislation, the Saudi judges have discretion to apply
Shariaa principles which stipulate that an individual,
in case of breach, be compensated for his loss as a
result of the disclosure of his personal data by
another party (Reda et al., 2012).
Furthermore, there are other specific sector laws
which may be used as legal instruments in the
protection of data in Saudi Arabia.
6.2.2 Specific-sector Laws
There are certain general available laws that can be
extended to protect e-health data privacy and “Data”
FR-HT 2018 - Special Session on Managing Digital Data, Information and Records: Firm Responses to Hard Technologies
434
under article 1(4) of the Anti-Cyber Crime Law of
2007 (Royal Decree, 2002), is defined as
information, commands, message, voices or images
which are prepared or have been prepared for use in
computers. This definition could include a saved,
processed, transmitted or constructed data. If the
private information of a person is processed by
computers, then this definition could include private
data. However, there is no available definition of
“personal data” given in any existing legislation
though one could define it as any information
relating to a living and identifiable individual.
Similarly, privacy is not legally defined but could be
interpreted as a right associated with the dignity of
an individual. Anti-Cyber Crime Law in articles 3-5
penalizes violation of private data which is
transmitted via information networks without
consent or authorization. Violation of these
provisions will warrant a penalty up to SAR
3,000,000 in fine and a maximum of four years’
imprisonment. Thus, any personal information
including e-health data available in the Cloud will be
protected against unauthorized collection, usage or
misuse.
The Telecommunications Act issued by the
Council of Ministers Resolution No 74 of 05/03/
1422 H (23 May 2001) and its Bylaws also could be
applied in protection of privacy or data privacy.
Article 37(7) prohibits telecommunication service
providers from intercepting data or calls carried on
public telecommunication networks. Article 37(13)
criminalizes intentional disclosure of information or
content that have been intercepted. The bylaws in
article 56(1) state that a service provider shall not
disclose information other than users’ name address
and telephone number without prior consent from
the users or if otherwise required by law. It also
requires to take all reasonable steps to ensure the
confidentiality of users’ communication (article 57
(1)).
Article 58 (2) and (3) of the bylaws mandates the
operators of telecommunication facilities and
networks to respect privacy of users. The bylaw also
states that user information shall not be collected
without informing the user. It also prohibits
collection, usage, maintenance and disclosure of
personal information for undisclosed purposes.
Thus if the telecommunication service providers
are also providing Cloud services for healthcare
facilities or educational service facilities they are
expected by law to adhere to privacy and data
protection rules under Telecommunications Act and
its Bylaws. Any unauthorized use, disclosure and
transmission of information will be punishable by
this law. This law imposes a fine not exceeding SAR
5,000,000.
In addition, the Electronic Transaction Protection
Law (promulgated by Royal Decree No. M/8 of 8
Rabi I 1428H (March 26 2007) also mentions the
privacy protection of users of the services of
certification service providers. The law in article
1(11) defines “electronic data” as data with
electronic features in the form of texts, codes,
images, graphics, sounds or any other electronic
form, either collective or separate. Article 18(5)
requires the certification authority to maintain and
ensure that their staff maintains the confidentiality of
information obtained in the course of business unless
authorized by the certificate holders. This
authorization must be either in writing or electronic
form. Oral authorization is not considered as
authorization under this law. Article 23 (2 -4) states
the following as offence: A certificate holder’s use
of information concerning the applicant, for
purposes other than certification without the
applicant’s consent in a written or electronic form. A
certificate holder’s disclosure of information
accessed by virtue of his work without the certificate
holder’s consent in a written or electronic form, or
as provided for by law. A certification service
provider’s provision of false or misleading
information to the Commission, or misuse of
certification services.
In the event the e-health or education cloud
service providers or the users obtain certification
from a certification authority, any breaches of
private information provided in the course of
business needs to be kept secret by the certification
authority unless authorized. Any abuse will warrant
a fine up to SAR 5,000,000 fine and a maximum of
5 years’ imprisonment or both. In addition, the
Healthcare Professions Practices Regulation requires
the health practitioner to protect personal
information of patients. This law could be
extrapolated to services provided via cloud
computing facilities.
Furthermore, the KSA Healthcare Practice Code
requires that a health practitioner safeguards the
secrets of patients except inter alia where written
approval of the relevant patient is obtained.
Violators of such confidentiality requirements can
be subject to a fine not exceeding 20,000 Saudi
Riyals (approximately US$5,333) and other
disciplinary penalties such as the suspension of
practicing license. Such penalties may be increased
based on the severity of the relevant breach or its
reoccurrence.
Levels of Protection in using Cloud Computing in Health Sector under Islamic and Saudi Laws
435
However, Saudi Arabia’s data protection and
interception laws and implementing regulations are
still relatively new and developing. They reflect the
Growing global recognition of the importance of
control over private data in the digital age. The
organization possessing such data should be aware
of information where that disclosure result in loss or
harm to the individual (Cisco Systems, 2009).
6.2.3 Limitations
Whilst the government of Saudi Arabia is
determined to provide best health care facilities and
spent billions to upgrade the systems including IT
infrastructure, until today Saudi Arabia didn't see
any specific provisions on data protection. Thus the
Saudi courts are left with considerable discretion to
deal with privacy breach complaints and in the
absence of a comprehensive legislation on data
privacy, the general principles of Sharia law will
prevail. In addition to that there is no central place
where decisions are continuously indexed, collected
and made available for the public. some consider
that the lack of a binding precedent system makes
the situation more complex (Pearson, 2012).
7 CONCLUSIONS AND
RECOMMENDATIONS
Whilst the use of cloud allows providers and more
importantly health care delivery organizations the
opportunity to focus less on IT management and
more on delivering care to the patients (Chikhaoui et
al., 2017), Saudi Arabia still continues to have a
legislative vacuum in privacy and data protection,
leaving the courts under a full discretion as to the
application of a specific law in case of data privacy
violations.
One cannot ignore that Saudi Arabia is investing
generously in the field of healthcare, specifically on
the improvement of health care and the use of
technology to provide better services. Moreover,
debates and researches are conducted to introduce
cloud computing in the health sector and steps have
already been taken.
The Ministry of Health is aware that the
improvement of health care services and the ever
growing medical data requires expansion of current
computational and storage capacities. In order to
meet the needs of medical departments, health care
facilities must continuously improve the level of
modern system by using advanced science and
technology innovation (Chikhaoui et al., 2017).
The updating and maintenance of IT systems in
healthcare facilities is neither cost efficient nor
effective. Cloud computing is the only technology
that mitigates the continuous need to invest in IT
infrastructure, by providing access to computing
resources, applications, and services on a ‘per use'
model, which dramatically brings down the cost and
simplifies the adoption of technology. Several EMR
vendors are offering their solutions as a cloud-based
offering, providing an alternative approach to help
hospitals better manage the otherwise massive
capital IT investments that would be needed to
support EMR implementations (Chikhaoui et al.,
2017).
However, there is an ongoing debate within
healthcare as to the viability of cloud-based
solutions given the need for patient privacy and
sensitive personal information (Anand et al., 2014).
Privacy, security of information and
confidentiality are the issues raised in Saudi Arabia
as to moving to the cloud in the health sector. The
Cloud computing paradigm is still relatively young
in terms of maturity and adoption.
Before moving completely to the use of this new
technology, the risk should be assessed as to the
trust in the Cloud Service provider for the security of
sensitive information of health and the consumer
should be fully aware in order to avoid any problem
as to the violation of data protection. In addition, a
comprehensive law on privacy and data protection
should be implemented to protect the safety of
individuals’ personal data against any misuse or
theft of data.
The availability of a comprehensive legislation
on data privacy will definitely complement the
government’s effort to have an international
recognized heath sector.
ACKNOWLEDGEMENTS
The author acknowledges the support of Prince
Sultan University in doing research and is grateful to
Microsoft for funding previous research in similar
topics.
REFERENCES
Chandra, Adesh. (2013) ‘Privacy Issues and Measurement
in Cloud Computing: A Review’, International
Journal of Advanced Research in Computer Science,
Vol 4, No. 4.
FR-HT 2018 - Special Session on Managing Digital Data, Information and Records: Firm Responses to Hard Technologies
436
Asad, Muhammad. (2008) The Message of Qur’an.
California: The Book Foundation.
Bin Asha’th, Suliman. (2008) Sunan Abu Dawud, Book 8,
Hadith 1480. Riyadh: Darussalam Publishers.
Muhammad, Abdulkader. (2011) ‘Information Technology
(IT) Ethics in the light of Islam’, International Islamic
University Chittagong, Vol. 9, p243 – 260.
Rehman, Hafiz Aziz. (2017) ‘Right to privacy: A
comparative perspective in law and Shariah’, Acta
Islamica University of Islamabad, Vol. 5, p. 25.
Torry Horris Business Solutions. (2015) Cyber Security
and Data Privacy Law in Saudi Arabia.
Gupta, Vishal. (2011) ‘Cloud Computing in Healthcare’,
Express Healthcare. Available at:
http://archivehealthcare.expressbpd.com/201109/itathe
althcare04.shtml.
Ministry of Health. (2018) ‘National e-Health Strategy
Vision 2030’. Available at: https://www.moh.gov.sa/
en/Ministry/nehs/Pages/default.aspx.
Reda, Eyad and Alsheikh, Turki. (2012) ‘Data protection
in Saudi Arabia’, Thomson Reuters.
Royal Decree. (2007) ‘Anti-Cyber Crime Law’, No. M/17
8 Rabi I 1428/ 26.
Cisco Systems. (2009) ‘Cloud Computing in Healthcare’.
Available at: https://www.cisco.com/c/en_in/about/
knowledge-network/cloud-computing.html
Pearson, Siani. (2012). ‘Privacy, Security and Trust in
Cloud Computing. Privacy and Security for Cloud
Computing’ p.3-42, HP Laboratories. Available at:
https://pdfs.semanticscholar.org/59c5/cb96e6160d0b0
76286f4052f310c3bba7f19.pdf.
Chikhaoui, Emna, & Sarabeddine, Jawahitha, & Parveen,
Rehana. (2017) ‘Privacy and Security Issues in The
Use of Clouds in E-Health in The Kingdom of Saudi
Arabia’, IBIMA Publishing, Vol. 2017. Available at:
https://ibimapublishing.com/articles/CIBIMA/2017/36
9309/369309.pdf
Anand, DR. S.K. Srivatsa, (2014) ‘An Implementation of
Health Care Industry Through Cloud Computing
Technology’, International Journal of Emerging
Technologies in Computational and Applied Sciences,
p.332-333. Available at: http://iasir.net/IJETCAS
papers/NCRICA.pdf.
Levels of Protection in using Cloud Computing in Health Sector under Islamic and Saudi Laws
437