The Singapore Personal Data Protection Commission ("PDPC") recently released Advisory Guidelines for the Healthcare Sector (the "Guidelines"), on the application of the Personal Data Protection Act 2012 ("PDPA") to the healthcare sector. Notably, these Guidelines were developed together with the Ministry of Health ("MOH").
In particular, the Guidelines addressed the consent, purpose limitation and notification obligations, as well as the access and correction obligations extensively. It also discussed the remaining data protection obligations and the application of the Do Not Call ("DNC") provisions. This article does not cover every issue in detail but highlights some of the salient points and examples raised in the Guidelines.
Consent, purpose limitation and notification
In relation to the consent, purpose limitation and notification obligations, the PDPC noted that:
i. in situations where an individual voluntarily provides the data and it is reasonable that the individual would volunteer such data, the individual is deemed to consent to the collection, use and disclosure of that data.
Example: A patient (John) visits a healthcare institution for the first time and voluntarily fills out a registration form, providing his name, address, phone number and NRIC number. John may be deemed to have consented to the institution's collection, use and disclosure of that personal data for the provision of medical services to him. This consent would cover all activities which the institution is engaged in, including the use of the personal data by employees, and depending on the circumstances, could include volunteers and medical students under an attachment programme.
ii. if the individual gives or is deemed to have given consent to an organisation (which, in the healthcare context, would include a doctor, clinic, or healthcare institution) to disclose personal data to another organisation, the individual will be deemed to consent to the collection, use or disclosure of the personal data by that second organisation for those particular purposes.
Example: Where a doctor refers a patient to a third party (e.g. specialist, hospital or nursing home), and if the patient consents to the doctor's referral, the patient would be deemed to have consented to the doctor disclosing his personal data as required for the referral.
Use of personal data for other reasons
Using the individual's personal data for other reasons, such as marketing healthcare products or teaching, may not be reasonable in the circumstances and it is unlikely that consent would be deemed to have been provided for such purposes. In such cases, the individual should be notified of those purposes and express consent should be obtained.
Collecting personal data of other individuals from a patient
Personal data of other individuals collected from a patient may be exempted from the consent obligation if it was provided to enable the organization to provide a service for the individual's personal and domestic purposes.
Example: When a patient shares information about a family history of disease, the clinic may be exempted from the requirement to obtain consent to collect the personal data relating to the family's history of disease, if it is provided to enable the clinic to provide medical care for the patient.
An organization may collect, use and disclose a patient's personal data without consent to respond to an emergency that threatens the patient's life or health.
Obligation on organization, not employee
Depending on the circumstances, if a doctor is an employee of an organization, the organization is obligated to comply with the PDPA and the doctor is not personally liable for breaches of the PDPA. However if the doctor is in private practice, he may be subject to the data protection provisions. Whether and which data protection provisions apply to a locum doctor will depend on the arrangement between the locum doctor and the organization (e.g. whether the doctor is an employee or acting as a data intermediary).
External vendors who provide services to organizations, such as laboratory testing services, are generally regarded as data intermediaries and are subject only to the Protection and Retention obligations under the PDPA.
While organizations in the healthcare sector are still required to comply with access requests, they are not required to provide opinion data such as doctor's notes. The organization is also not required to provide copies of the original documents containing personal data (e.g. registration forms, patient record cards, electronic records, etc), although the Guidelines note that this may be the most convenient means of providing access.
As a first response to access requests about how the individual's personal data was disclosed within the past year, the organization may provide a standard list of parties to which personal data is routinely used and disclosed. The standard list should be kept updated.
Organizations are exempted from correcting professional or expert opinions such as doctors' notes.
Retention of patient records
Generally, organizations may retain personal data of existing patients in order to have access to their consultation history, as this would be considered a business purpose.
Conflicts between the PDPA and other legislation
Where the data protection provisions of the PDPA conflict with other written law, the other written laws shall prevail. Organizations are therefore still required to comply with other acts such as the Infectious Disease Act and National Registry of Diseases Act.
The Guidelines note that medical records being used for retrospective research studies may be exempted from the consent requirement if (i) the personal data is necessary for the research purpose, (ii) it is impracticable for the organization to seek the consent of the individual(s) for the use, (iii) the personal data will not be used to contact persons to ask them to participate in the research, and (iv) linkage of the personal data to other information is not harmful to the individuals identified by the personal data, and the benefits of the linkage are clearly in the public interest.
Notably, the Guidelines are silent on the use of medical records being used for prospective research. While such scenarios are regulated by the Medicines Act, Medicines (Clinical Trials) Regulations, Singapore Guideline for Good Clinical Practice, Health Sciences Authority and ethics review boards, these avenues may not be personal-data-centric. As a consequence, they may not provide the same scope of protection to the patient's personal data as provided under the PDPA.
The DNC Provisions
If a clinic calls a patient solely to provide a service call, such as confirming that the patient has completed his course of medication or to make an appointment to review the results of a previous checkup, this is not a telemarketing message under the PDPA and the clinic is not required to first check the DNC Registry before making the call.
Ongoing relationship exemption
If a patient is undergoing treatment on an ongoing basis at a clinic for a chronic ailment, this may exempt the clinic from checking the DNC Registry before sending the patient telemarketing messages about new drugs which may treat the ailment. However if the recipient of the telemarketing messages has never sought treatment at the clinic or does not have an ongoing relationship with the clinic, the clinic will not be able to avail itself of this exemption and will need to check the DNC Registry prior to sending the telemarketing message, unless it has obtained clear and unambiguous consent.