Law 18-07: Is Your Practice Compliant?

Law 18-07 governs the protection of personal data in Algeria. Does your medical practice meet all legal obligations regarding patient data?

Understanding Law 18-07 on the Protection of Personal Data

Enacted in 2018, Law 18-07 forms the legal backbone of personal data protection in Algeria. It draws heavily from the European framework (GDPR) while adapting it to the national context. For healthcare professionals — doctors, dentists, pharmacists, clinics, and medical laboratories — this law imposes specific obligations that cannot be safely ignored.

Health data is among the most sensitive categories covered by this legislation. Its intimate nature, its potential for discrimination, and its confidential character make it information requiring heightened protection. Any organization that processes medical information about its patients is directly affected.

Who Is Affected in the Healthcare Sector?

The law applies to any data controller — that is, any individual or legal entity that determines the purposes and means of data processing. In the medical field, this includes:

  • Medical and paramedical practices (general practitioners, specialists, physiotherapists, etc.)
  • Private clinics and healthcare facilities
  • Pharmacies and dispensaries
  • Medical analysis and radiology laboratories
  • Medical software publishers acting as subcontractors

Even a small medical practice that maintains patient records on a computer system is fully subject to the requirements of Law 18-07.

Key Obligations to Meet

1. File a Declaration or Request Authorization from the ANDP

The National Authority for the Protection of Personal Data (ANDP) is the regulatory body established by the law. Before processing any health data, the data controller must file a declaration or, for sensitive processing activities, obtain prior authorization. Skipping this step exposes the practice to administrative and criminal penalties.

2. Inform Patients of Their Rights

Each patient must be informed, at the time their data is collected, of several key elements: the identity of the data controller, the purpose for which their data is being collected, any potential recipients, and their rights of access, rectification, and objection. This information can be provided through a welcome document, a notice displayed in the waiting area, or a statement included on registration forms.

3. Ensure Data Security

The law requires data controllers to implement appropriate technical and organizational measures to protect data against any loss, unauthorized access, disclosure, or destruction. In practice, this means:

  • Setting strong passwords on all workstations
  • Encrypting patient records stored digitally
  • Regularly backing up data to secure storage
  • Restricting access to authorized staff only
  • Keeping antivirus software and applications up to date

4. Manage Data Transfers

If your practice uses an external service provider — such as a cloud-hosted medical management system, an outsourced telephone reception service, or a partner laboratory — a subcontracting agreement compliant with the law must be established. Any transfer of data to a foreign country is in principle subject to ANDP authorization, except where specific exemptions apply under the law.

5. Comply with Data Retention Periods

Data must not be kept indefinitely. It should only be retained for as long as is necessary for the purpose of the processing. In the medical field, sector-specific regulations (codes of professional conduct, rules governing medical records) often specify minimum retention periods. Once those periods have elapsed, data must be deleted or anonymized.

The Risks of Non-Compliance

Law 18-07 provides a range of penalties for those who fail to comply. Violations may result in:

  • Administrative sanctions issued by the ANDP, ranging from formal warnings to compliance notices
  • Criminal penalties, which may include imprisonment and substantial fines
  • Reputational damage to the practice in the event of a publicly disclosed data breach
  • Civil liability toward patients who have suffered harm

"Patient trust is the foundation of every therapeutic relationship. Protecting their data means protecting that trust."

How to Bring Your Practice into Compliance: Key Steps

  1. Conduct an audit of your current processing activities: Take stock of all patient data collected, the tools in use, the access granted, and the third-party providers involved.
  2. Complete the required formalities with the ANDP: Determine whether your processing requires a simple declaration or full authorization, then carry out the necessary steps.
  3. Update your documentation: Draft or revise your patient information notices, consent forms, and contracts with subcontractors.
  4. Train your staff: Make sure your entire team is aware of best practices around data confidentiality and security.
  5. Secure your digital infrastructure: If needed, bring in an IT professional to assess and strengthen the security of your systems.
  6. Establish a data breach response procedure: Know exactly how to respond if a data leak occurs, including the deadlines for notifying the ANDP.

Compliance as a Competitive and Ethical Advantage

Achieving compliance with Law 18-07 is not just a legal requirement — it also sends a powerful message to your patients. In a landscape where cyberattacks on healthcare organizations are increasing worldwide, demonstrating that you take data protection seriously builds trust and strengthens patient loyalty.

Practices that get ahead of these challenges, rather than waiting to be audited, position themselves as responsible, forward-thinking players in the healthcare system. Compliance is an investment, certainly, but one whose benefits — legal, reputational, and relational — far outweigh the costs.

Conclusion

Law 18-07 places clear and demanding responsibilities on Algerian healthcare professionals when it comes to protecting their patients' personal data. Filing with the ANDP, informing patients, securing systems, and overseeing subcontractors — each obligation carries real weight. If you have not yet taken steps toward compliance, now is the time to act. Do not hesitate to seek guidance from a specialized attorney or a data protection consultant to safeguard your practice and preserve the trust your patients place in you.