Mexico

Law Name

Ley Federal de Protección de Datos Personales en Posesión de los Particulares (2010)

Law for the Protection of Personal Data, Mexico City (2018)

Link to the Law

http://www.diputados.gob.mx/LeyesBiblio/pdf/LFPDPPP.pdf

http://www.ssp.df.gob.mx/documentos/transparencia/normatividad_relacionada/ley_de_proteccion_de_datos_personales.pdf

Data Transfer

The third party to which the data is transferred must comply with the privacy and security terms that the data subject (titular) already consented to. Consent is not needed when the law states so elsewhere, or when the data is needed for prevention, a medical diagnosis, sanitary assistance or medical treatment.

Data Sharing

The agency responsible for the database is obligated to establish and maintain administrative, technical and physical security measures that protect the data from being damaged, lost, altered or destroyed without authorization. The privacy notice (consent form) must state who the responsible party is, what the data will be used for, the options available to limit the use of the data, the means to exercise the rights of access, rectification, cancellation and opposition provided by the law, whether the data will be transferred, and how the responsible party will communicate changes to the privacy notice. For sensitive data, the privacy notice must expressly state what the data will be used for. For health or other sensitive data, express written consent (on paper or by electronic signature) is required in order to process the data. No database containing sensitive data may be created without a legitimate reason for its existence.

Data Retention

Any data subject, or their legal representative, can access, rectify, or cancel the use of the data. The data subject can rectify and modify data that is incorrect or incomplete and at all times has the right to cancel the use of the data (documentation must support the request). If a third party is using the data, the responsible party must communicate any rectification or cancellation to that third party. The agency responsible for the database does not need to cancel personal data when the data is required to fulfill a contract with the data subject, is needed for legal purposes of the data subject or of the state (public interest), or is used for medical purposes as long as the practitioner is bound by professional secrecy.

Governance

Each agency responsible for the database should designate a person or a department for personal data that will handle the requests of data subjects exercising their personal data rights. Civil or governmental organizations must have mechanisms in place to measure the effectiveness of their data protection.

Enforcement

The institute is required to verify that the law is being followed, interpret the law, assist the agency responsible for the database with technical questions, and cooperate with other supervisory authorities and with national and international bodies. It should also develop analyses, studies and research on the protection of personal data.

Breach Notification

If there is any security breach that can significantly harm the rights of the data subject, the agency responsible must inform the data subject immediately. If the data is breached but the breach does not harm the data subject's privacy rights and can be contained, no notification is required.

Health Privacy Law

http://www.salud.gob.mx/unidades/cdi/legis/lgs/index-indice.htm

Ley General de Salud

Everyone has the right to the protection of his or her health. The law is divided into sections covering the National Health System, the role and protection of data in health services, social protection, scientific research, prevention and control of disease, and related matters. Consent must be given before scientific research is conducted on a person.

Electronic Health Records Law

http://www.dof.gob.mx/normasOficiales/4151/salud/salud.htm

Norma Oficial Mexicana NOM-024-SSA3-2010

The norm details how, and by whom, the privacy of the "Expediente Clínico Electrónico" (the electronic health record, EHR) is to be maintained. It includes a chart that details the functions, the evaluation criteria and how to proceed according to the law.

Guidelines for the use of Electronic Health Records issued by the Secretary of Health, Federal Government of Mexico (2011)

https://www.who.int/goe/policies/countries/mex_ehealth.pdf