Singapore’s data protection authority (Commission) published in September 2023 an updated set of advisory guidelines for the healthcare sector (Revised Guidelines), nine years after the guidelines’ inception.

As with other advisory guidelines issued by the Commission, the Revised Guidelines are not intended to be legally binding, but will guide the interpretation and enforcement of Singapore’s comprehensive data protection law, the Personal Data Protection Act (PDPA), in the context of the nation’s booming healthcare sector.

Singapore as a medical tourism destination

Singapore boasts a strong healthcare sector that is supported by advanced IT and digital systems and infrastructure. It attracts more than 500,000 medical tourists annually, accounting for approximately US$1 billion in tourism spending. Major healthcare providers have established their regional headquarters in Singapore, and the country’s healthcare market is expected to grow to US$49.4 billion by 2029[1].

Data privacy regulation in Singapore

Whilst the PDPA was first introduced in Singapore in 2012, the law was significantly amended in 2020, with key changes made to implement:

  • Brand new legal bases for processing personal data, including for the legitimate interests of the controller organisation or for its ‘business improvement’ purposes. These would do away with the need for consent.
  • A right of data portability that can be exercised by individuals (with details on implementation expected to follow in due course).
  • Mandatory data breach reporting.
  • Higher financial penalties of up to 10% of an organisation’s annual (domestic) turnover.

Updated rules reflect impact of digitalization on healthcare industry

In a similar vein, the Revised Guidelines bring about numerous important updates. Chiefly, they:

  • Clarify when:
    • Consent is valid.
    • Consent is deemed to be given by a patient.
    • It is reasonable for data to be used for a particular purpose.
  • Make reference to real life case examples to illustrate when and how obligations in the PDPA apply.
  • Incorporate the new and/or revised legal bases introduced by the 2020 amendments to the PDPA, namely:

The Legitimate Interest Exception

This can be either:

(i) a broad exception, which requires the organisation to assess that its legitimate interests outweigh any adverse effect on the individual, and then to mitigate any adverse effects; or

(ii) a specific exception set out in the PDPA, such as for an evaluative purpose in the context of employment, for an investigation or legal proceeding, or for recovery or payment of a debt owed.

The Business Improvement Exception

This can be invoked for personal data already collected where its use is to:

(i) develop new goods, services, or methods or processes of business operations;

(ii) understand consumer behaviour; or

(iii) customize products for them.

The Research Exception

This enables organisations to conduct broad research and development including into the development of health products or medicine, subject to the following conditions:

(i) the research cannot be reasonably accomplished without the data being in an individually identifiable form;

(ii) there is clear public benefit;

(iii) results will not be used to make any decision that affects the individual;

(iv) any publication of the results must not identify the individual; and

(v) if disclosed, it was impracticable to seek the individual’s consent.

The Revised Guidelines provide specific case examples of how these could apply, in the contexts of:

  • patient personal data being collected for medical care;
  • patient consent being obtained for medical students or doctors on an attachment stint to process their data;
  • referrals; and
  • other purposes, such as for quality assurance, teaching, marketing, an emergency, and mergers and acquisitions.

Specific illustrations have also been inserted to clarify how healthcare organisations must respond to access and correction requests, as well as how to comply with the accuracy, protection, retention, cross border transfer, data breach notification and accountability obligations in the PDPA. Finally, additional scenarios have been added which help guide healthcare entities in navigating the rules pertaining to Singapore’s Do Not Call scheme, which is a national telemarketing opt-out registry, when communicating with patients.

Concluding remarks

The Revised Guidelines underscore the large (and expanding) breadth of use cases of patient data in and by the healthcare industry. More crucially, they offer much-needed guidance on the regulatory impact of the PDPA on businesses operating in Singapore’s healthcare ecosystem, as well as pragmatic solutions for proactive compliance. The focus on patients’ privacy, juxtaposed with other policy aims such as sustaining a high standard of public health and ensuring a robust and thriving reputation for our healthcare institutions globally, represents a collaborative approach that is also forward-looking and should be welcomed by all stakeholders alike.