Privacy and Healthcare in Singapore

12 January 2015

Dharma Sadasivan

​The Singapore Personal Data Protection Commission ("PDPC") recently released Advisory Guidelines for the Healthcare Sector (the "Guidelines"), on the application of the Personal Data Protection Act 2012 ("PDPA") to the healthcare sector. What's notable about these Guidelines is that they were developed together with Singapore's Ministry of Health ("MOH").

By and large, the Guidelines are uncontroversial. Some highlights:

• Examples of where individuals would be deemed to consent to the collection, use and/or disclosure of their personal data: (a) Where a patient fills out a registration form when visiting a clinic; (b) Where a patient consents to a doctor referring him/her to a third party doctor
• Using a patient's personal data for other reasons such as marketing or teaching may not be reasonable in the circumstances and consent should be obtained
• Personal data of other individuals may be exempted from the consent obligation if it was provided to enable the doctor/clinic/hospital to treat the patient (e.g. if a patient shares information about the family's history of disease)
• Organizations can collect, use and disclose a patient's personal data without consent to respond to the patient's medical emergency
• If a doctor is an employee of a clinic/hospital, the obligation to comply with the PDPA falls on the clinic/hospital. If the doctor is self-employed, he/she may be required to comply with the PDPA
• Doctors are not required to provide opinion data such as their notes to respond to access requests
• Organizations are not required to provide copies of the original documents containing personal data (e.g. registration forms, patient record cards, electronic records, etc) to respond to access requests
• Doctors are not required to correct their professional or expert opinions in response to a correction request (obviously)
• Organizations may retain personal data of existing patients to have access to their consultation history.
• Organizations are still required to comply with other acts such as the Infectious Diseases Act and National Registry of Diseases Act. The PDPA does not exempt organizations from compliance with other acts.

The Guidelines also shed some light on how the PDPA affects third parties:

• Locum doctors: Whether and which data protection provisions apply to a locum doctor depends on the arrangement between the locum doctor and the organization. Example: If the doctor is an employee or data intermediary, the hiring organization is responsible for complying with all the data protection provisions, while the doctor is independently responsible for complying with the protection and retention obligations under the PDPA.
• Third party service providers: Third party service providers such as lab testing services will generally be regarded as data intermediaries, and are therefore only required to comply with the protection and retention obligations under the PDPA.

Do-Not-Call compliance
Again, uncontroversial. If a clinic is calling a patient for service-related purposes such as to follow-up on an appointment, this is not regarded as a telemarketing message and the clinic is not required to check the DNC register prior to making the call. Tagging on a marketing element to a service call will change the nature of the call and it will be regarded as a telemarketing call.

If a patient is undergoing treatment on an ongoing basis at a clinic for a chronic ailment, the clinic may be able to avail itself of the ongoing relationship exemption, which exempts the clinic from checking the DNC Registry before sending the patient telemarketing messages about new drugs which may treat the ailment. This exemption won't apply to recipients who have never sought treatment at the clinic or who don't have ongoing relationships with the clinic.

As always, telemarketing messages can always be sent if clear and unambiguous consent has been obtained from the recipient.

DNC compliance can be confusing at first glance, so training will be necessary to ensure that staff who make such calls know what's acceptable and what is off-limits. It's also worth remembering that generally, the organization (and not the staff personally) is responsible for DNC compliance, so the organization has a vested interest in ensuring that their staff are well trained.

Research:
This is an interesting area. The Guidelines note that medical records being used for retrospective research studies may be exempted from the consent requirement if:

• the personal data is necessary for the research purpose, 
• it is impracticable for the organization to seek the consent of the individual(s) for the use, 
• the personal data will not be used to contact persons to ask them to participate in the research, and 
• linkage of the personal data to other information is not harmful to the individuals identified by the personal data, and the benefits of the linkage are clearly in the public interest.

The Guidelines are silent on the use of medical records being used for prospective research. That's not to say that prospective research isn't regulated - the Medicines Act, Medicines (Clinical Trials) Regulations, Singapore Guideline for Good Clinical Practice, Health Sciences Authority and ethics review boards provide comprehensive regulation in relation to clinical trials. However the clinical trial regulatory framework isn't personal-data-centric. As such, it's not likely to provide quite the same scope of protection to personal data as the PDPA.

Contract research organizations and other entities conducting clinical trials will therefore need to ensure that their informed consent forms now specifically comply with the PDPA in addition to existing clinical trial regulatory requirements. (e.g. Informed consent forms should provide notice relating to the collection, use and disclosure, including transfers out of Singapore, of the subject's personal data.)

Healthcare research involves many disclosures and transfers of personal data, such as transferring DNA samples to labs outside Singapore, or genetic information to third parties such as research centres or other doctors. Clinical trials are often global endeavors at the Phase 3 stage, which means there may be transfers of personal data around the world. I also suspect that genetic information is hard to anonymize, assuming it can be anonymized at all.

I'm keeping my fingers crossed that the PDPC will release more information on the application of the PDPA to clinical trials and, more generally, prospective research in the healthcare sector, and I think there is room for our privacy framework to cover this area more comprehensively.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com