
Patient Data Privacy Guidance

Data Privacy
Generally, medical data privacy laws do not apply if there is no personally identifiable information (PII) that links a specific individual to specific health information. Care should still be taken to secure and protect the data.

Overview

Data residency laws are country specific, but they generally allow data to reside outside the country of origin if it contains no PII. If the data does contain PII, it still complies with the law as long as the country of storage provides ‘Comparable Levels of Protection’ to the country of origin.

Below are links to relevant laws and guidance for more details.

Canada

Privacy Act
PIPEDA
Province-Specific Laws

Each province in Canada also has its own laws covering personal and health information. Most of these are very similar to PIPEDA and likewise generally don’t apply if there’s no PII.

USA

HIPAA

Europe

Each country in Europe often has its own data laws as well, in addition to the GDPR linked below.

GDPR

UK

The DPA 2018 and the UK GDPR are enforced alongside the European GDPR. While neither law contains an explicit anonymization exclusion, both apply only to Personal Data, which is defined as data that can be used to identify a specific individual. The ICO’s May 2021 guidance states that anonymized data is not Personal Data, so it is exempt from the DPA 2018 and the UK GDPR.

De Facto Law

Countries that do not have established data privacy laws typically fall back on HIPAA.