COVID-19 UAE: Technology update on UAE Ministerial Resolution security requirements

In response to the COVID-19 pandemic and recognition of the need for employees to work remotely as far as possible, the UAE's Minister of Human Resources & Emiratisation issued Resolution No. 281 of 2020 (the Resolution) on 29 March 2020. The Resolution provides new regulations which private sector employers must follow and introduces some unique information security requirements.

From a technology and data protection perspective, the resolution is significant as it creates – for the first time in UAE federal laws – an express requirement for organisations to establish a policy framework to govern the use of IT assets and the protection of data.  Existing UAE law does protect the privacy rights of individuals to an extent but there is no formal data protection law.

Noteworthy requirements that apply to private sector businesses under the Resolution include:

• An obligation to limit the number of workers present in the workplace to 30% of the total workforce and implement customer-distancing and number limitation measures in service centres (unless the business is providing infrastructure projects, catering, communication, energy, health, education, banking, food industry, hospitality, health supplies manufacturing or cleaning services, in which case this obligation does not apply).
• A requirement to establish a screening point at the entrance of worker accommodation and offices to measure each employee's temperature and check for virus symptoms.  This must be done twice a day, on arrival and exit.  Any cases of suspected infection must be denied entry and referred to a health facility (whether detected as part of the checks or suspected for other reasons).
• An obligation to report all cases of workers showing or suspected of showing virus symptoms to the Ministry.
• Remote workers must be given access to appropriate "smart systems and electronic applications" and should be provided with support channels and the necessary equipment.
• All private sector employees must abide by the temporary remote working guidelines issued by the Ministry and appended to the resolution (the Guidelines).

From a data protection perspective, the Guidelines require employers to ensure the availability of a safe IT environment to carry out remote working subject to appropriate data privacy and confidentiality controls. Employers must set out their rights of access to IT systems.  Accordingly, this creates a new obligation on all private sector businesses in the UAE to have a codified approach to system access and information security. While many large multinationals sensibly adopt such practices, this will be a new requirement for many SMEs and local companies that have not previously been required to adopt this approach by law. 

The Guidelines also require each employee to read and comply with the employer's privacy policy. This further suggests that employers will be expected to have a written privacy policy in place that addresses the risks associated with remote working.

There is no end date or timeline attached to the Resolution, so it will need to be complied with until it is replaced or revoked.

We expect the privacy concepts in the Resolution to continue to be built out in UAE law and for data protection and privacy issues to become increasingly important issues for UAE onshore businesses to consider as part of corporate governance and resilience measures.