Decision Instrument · Data Governance & Compliance · Payer or Provider
Health Data Governance Diagnostic
A 25-question structured assessment evaluating your PDPL readiness across lawful basis and consent, controller obligations, sensitive-data safeguards, third-party and cross-border processing, and governance and breach response. Designed for payers and providers whose analytics ambition is increasing their sensitive health data processing.
5 domains
25 questions
Approximately 15 minutes
Payer or provider perspective
Self-assessment version. Available as a facilitated Full Diagnostic with independent records-of-processing review, lawful-basis analysis for analytics use cases, and a board-ready PDPL remediation roadmap.
Several questions have payer-specific and provider-specific variants reflecting different data processing contexts under the PDPL.
Section 1 of 5
Lawful Basis & Consent Architecture
Evaluates whether your organisation has established a documented lawful basis for processing sensitive health data, particularly for the secondary analytical uses the reform agenda depends on, and whether consent is properly obtained, recorded, and withdrawable.
Question 1
Has your organisation documented a specific lawful basis under the PDPL for each category of personal data processing it conducts, distinguishing the basis for core operations from the basis for analytics and secondary use?
Strong - 3 points: Lawful basis is documented for every processing category, with separate analysis for primary and secondary use, reviewed by qualified counsel.
Partial - 2 points: Lawful basis is documented for core operations but secondary analytical use has not been separately analysed.
Weak - 0 points: No formal documentation of lawful basis. Processing proceeds on the assumption that operational necessity covers it.
Question 2
Payer variant: Has your organisation specifically established the lawful basis for using member claims and health data in fraud detection, underwriting models, and risk stratification beyond the original insurance contract purpose?
Provider variant: Has your organisation specifically established the lawful basis for the secondary use of patient records in AI deployment, performance benchmarking, and research beyond the original treatment purpose?
Strong - 3 points: Secondary-use lawful basis is documented for each analytical use case, with purpose limitation explicitly addressed.
Partial - 2 points: The issue is recognised and partially addressed but not documented for all analytical use cases.
Weak - 0 points: Secondary analytical use proceeds on the assumption that the original purpose consent extends to it.
Question 3
Is consent, where it is the lawful basis relied upon, obtained and recorded in a manner that meets PDPL requirements, including the ability for data subjects to withdraw consent?
Strong - 3 points: Consent is obtained against PDPL standards, recorded auditably, and a functioning withdrawal mechanism is in place.
Partial - 2 points: Consent is obtained but recording is incomplete or withdrawal is not operationally supported.
Weak - 0 points: Consent practices have not been reviewed against PDPL requirements.
Question 4
Is purpose limitation enforced, ensuring that health data collected for one purpose is not repurposed for analytics or other uses without a fresh lawful basis assessment?
Strong - 3 points: Purpose limitation is enforced through documented controls, and new uses trigger a formal basis reassessment.
Partial - 2 points: Purpose limitation is acknowledged but not consistently enforced through controls.
Weak - 0 points: Data is reused across purposes without a structured reassessment process.
Question 5
Does your organisation apply data minimisation, processing only the health data necessary for each defined purpose rather than retaining and analysing data simply because it is available?
Strong - 3 points: Data minimisation is a documented principle applied to each processing activity and analytical dataset.
Partial - 2 points: Minimisation is recognised but analytical datasets often include more data than strictly necessary.
Weak - 0 points: Data is collected and retained broadly, without a minimisation discipline.
Section 2 of 5
Controller Obligations & Data Mapping
Tests whether your organisation has established the Controller obligations the PDPL requires: records of processing activities, registration considerations, data mapping, and impact assessments for high-risk processing.
Tests against: Unmapped Processing · Missing RoPA
Question 6
Does your organisation maintain records of processing activities, documenting data categories, purposes, legal bases, and retention periods across all sensitive health data processing?
Strong - 3 points: Comprehensive records of processing activities are maintained, kept current, and cover all processing including analytics.
Partial - 2 points: Records exist but are incomplete, outdated, or do not cover analytical processing.
Weak - 0 points: No records of processing activities are maintained.
Question 7
Has your organisation completed a data mapping exercise identifying what sensitive health data it holds, where it resides, who has access, and where it flows internally and externally?
Strong - 3 points: A complete data map exists covering storage, access, and internal and external flows, maintained as data movements change.
Partial - 2 points: Partial mapping exists but is incomplete or does not capture all flows, particularly to analytics environments.
Weak - 0 points: No systematic data mapping has been conducted.
Question 8
Has your organisation addressed its registration obligations under the National Register of Controllers, determining whether and how it must register?
Strong - 3 points: Registration obligations have been formally assessed and the organisation is compliant with the National Register requirements.
Partial - 2 points: Registration obligations are recognised but assessment or action is incomplete.
Weak - 0 points: Registration obligations have not been assessed.
Question 9
Does your organisation conduct data protection impact assessments for high-risk processing, including large-scale sensitive health data analytics and AI deployment?
Strong - 3 points: Impact assessments are conducted for all high-risk processing, documented, and used to shape controls before processing begins.
Partial - 2 points: Impact assessments are conducted occasionally or after processing has started.
Weak - 0 points: No impact assessment process exists for high-risk processing.
Question 10
Are data retention periods defined and enforced for health data, with deletion or anonymisation when the retention period expires, rather than indefinite retention of longitudinal records?
Strong - 3 points: Retention periods are defined per data category and enforced through deletion or anonymisation processes.
Partial - 2 points: Retention periods are defined but enforcement is inconsistent or manual.
Weak - 0 points: No defined retention policy. Health data is retained indefinitely by default.
Section 3 of 5
Sensitive Health Data Safeguards
Evaluates the technical and organisational safeguards applied to sensitive health data: access controls, encryption, de-identification for analytics, and the proportionality of protection to the elevated sensitivity of health records.
Question 11
Are technical and organisational safeguards applied to sensitive health data that are proportionate to its elevated sensitivity, exceeding the protections applied to ordinary personal data?
Strong - 3 points: Enhanced safeguards specific to sensitive health data are documented, implemented, and audited.
Partial - 2 points: Safeguards exist but are not differentiated for the elevated sensitivity of health data.
Weak - 0 points: Health data is protected with the same baseline controls as any other data, or controls are undefined.
Question 12
Are access controls enforced so that sensitive health data is accessible only to those with a defined need, with access logged and reviewed?
Strong - 3 points: Role-based access controls are enforced, access is logged, and logs are reviewed for inappropriate access.
Partial - 2 points: Access controls exist but are broad, or logging is not reviewed.
Weak - 0 points: Access to health data is broadly available internally without granular control.
Question 13
Is health data de-identified, pseudonymised, or anonymised for analytical use where the analysis does not require identifiable records, reducing the sensitive-data exposure of the analytics environment?
Strong - 3 points: De-identification is applied by default for analytics, with re-identification controlled and justified only where necessary.
Partial - 2 points: De-identification is used sometimes but identifiable data is often processed for analytics by default.
Weak - 0 points: Analytics is conducted on fully identifiable health data without de-identification.
Question 14
Is encryption applied to sensitive health data both at rest and in transit, including within analytics pipelines and when shared with processors?
Strong - 3 points: Encryption at rest and in transit is enforced across all systems holding or moving health data, including analytics.
Partial - 2 points: Encryption is applied in some systems but gaps exist, particularly in analytics or integration layers.
Weak - 0 points: Encryption is inconsistent or absent in key systems.
Question 15
Are the AI and analytics environments that process health data subject to the same governance and safeguard standards as production clinical or claims systems, rather than operating as lower-controlled sandboxes?
Strong - 3 points: Analytics and AI environments are governed to the same standard as production, with no lower-controlled copies of sensitive data.
Partial - 2 points: Analytics environments have some controls but are not held to the full production standard.
Weak - 0 points: Health data is copied into analytics or AI environments with weaker controls than production.
Section 4 of 5
Third-Party & Cross-Border Processing
Tests whether controller-processor relationships and cross-border data transfers are governed by the contractual architecture the PDPL requires, including SDAIA Standard Contractual Clauses for transfers outside the Kingdom.
Tests against: Supply-Chain Gap · Unlawful Transfer
Question 16
Are all third parties processing health data on your behalf governed by data processing agreements that meet PDPL controller-processor requirements?
Strong - 3 points: All processors are under PDPL-compliant data processing agreements, with terms reviewed and a complete processor inventory maintained.
Partial - 2 points: Some processors are under appropriate agreements but coverage is incomplete or terms are generic.
Weak - 0 points: Vendors process health data under standard commercial contracts without PDPL data processing terms.
Question 17
Has your organisation identified every cross-border transfer of health data, including data moving to international cloud platforms, offshore analytics teams, foreign AI vendors, or international group functions?
Strong - 3 points: All cross-border transfers are mapped, with destination, mechanism, and lawful basis documented for each.
Partial - 2 points: Major transfers are known but a complete inventory does not exist, particularly for cloud and analytics.
Weak - 0 points: Cross-border transfers have not been systematically identified.
Question 18
Where health data is transferred outside the Kingdom, are the SDAIA Standard Contractual Clauses or another lawful transfer mechanism in place for each transfer?
Strong - 3 points: The appropriate SCC template or lawful mechanism is in place for every cross-border transfer, with documentation.
Partial - 2 points: Transfer mechanisms are in place for some transfers but not consistently across all.
Weak - 0 points: Cross-border transfers occur without a documented lawful transfer mechanism.
Question 19
Does your organisation conduct due diligence on the data protection practices of processors handling health data, rather than relying solely on contractual assurances?
Strong - 3 points: Processor due diligence is conducted before engagement and periodically thereafter, with findings documented.
Partial - 2 points: Some due diligence occurs but is not systematic or periodic.
Weak - 0 points: Processors are engaged on contractual assurances alone, without due diligence.
Question 20
Is accountability for processor compliance clearly retained at the Controller level, with the organisation understanding that it carries primary responsibility for processor failures?
Strong - 3 points: Controller accountability is explicitly understood and managed, with processor oversight as an ongoing governance function.
Partial - 2 points: Accountability is recognised but processor oversight is not actively managed.
Weak - 0 points: The organisation assumes processor failures are the processor's liability alone.
Section 5 of 5
Governance, DPO & Breach Response
Evaluates whether data protection is governed with named accountability, board-level visibility, breach notification readiness, and integration with the analytics and AI governance the organisation is building, rather than run as an isolated compliance function.
Tests against: Orphaned Compliance · No Breach Plan
Question 21
Has your organisation appointed or designated responsibility for data protection, with the authority and competence to oversee PDPL compliance across operations and analytics?
Strong - 3 points: A qualified data protection function is in place with defined authority, resourcing, and reporting line to senior leadership.
Partial - 2 points: Responsibility is assigned but the function lacks authority, resourcing, or competence to be effective.
Weak - 0 points: No clear data protection accountability has been designated.
Question 22
Does the board or a board-level committee receive regular reporting on data protection compliance and the organisation's sensitive-data risk exposure?
Strong - 3 points: The board receives structured data protection reporting with risk exposure, incidents, and remediation tracked.
Partial - 2 points: Some reporting reaches leadership but not as a structured board-level cycle.
Weak - 0 points: Data protection is not reported at board level. It is treated as an operational IT matter.
Question 23
Does your organisation have a documented breach notification process that meets PDPL requirements, with the capability to detect, assess, and report a sensitive-data breach within required timeframes?
Strong - 3 points: A tested breach response plan exists with detection, assessment, and notification procedures meeting PDPL timeframes.
Partial - 2 points: A breach process exists on paper but has not been tested or may not meet required timeframes.
Weak - 0 points: No documented breach notification process exists.
Question 24
Is data protection governance integrated with the organisation's analytics, AI, and reform initiatives, so that new processing is assessed for compliance before it is built, rather than reviewed afterwards?
Strong - 3 points: Data protection is embedded in analytics and AI governance by design, with compliance assessed at project initiation.
Partial - 2 points: Data protection is consulted on analytics projects but not integrated into their governance by default.
Weak - 0 points: Data protection and analytics operate as separate functions. Compliance is reviewed late or not at all.
Question 25
Has your organisation assessed its data subject rights handling, with the operational capability to respond to access, correction, and other rights requests within PDPL requirements?
Strong - 3 points: Data subject rights processes are operational, tested, and able to respond within required timeframes.
Partial - 2 points: Rights handling exists but is manual, slow, or not fully aligned to PDPL requirements.
Weak - 0 points: No defined process for handling data subject rights requests.
Health Data Governance Diagnostic - Results
Your Data Governance Profile: total score out of 75.
Domain Breakdown (each domain scored out of 15): Lawful Basis & Consent; Controller Obligations; Sensitive-Data Safeguards; Third-Party & Cross-Border; Governance & Breach Response.
Indicative Findings: generated from the completed assessment.
This self-assessment shows the methodology. The facilitated diagnostic goes further.
A facilitated HealthElevate data governance diagnostic includes independent records-of-processing review, lawful-basis analysis for your specific analytics use cases, cross-border transfer audit, and a board-ready PDPL remediation roadmap.
The Data Governance Gap: PDPL and the Foundation Under Every Healthcare Analytics Ambition
The analytical context behind this instrument: why every analytics capability the reform demands processes the most protected category of personal data, and why the PDPL foundation is a board-level concern.