BR Law Corporation
br@brlawcorp.com +65 6899 9888
  • Our Team
  • Practice Areas
  • News and Insights
  • Join Us
  • Contact Us
br@brlawcorp.com +65 6899 9888

Privacy and Healthcare in Singapore

 
12 January 2015
Dharma Sadasivan
Picture
​The Singapore Personal Data Protection Commission ("PDPC") recently released Advisory Guidelines for the Healthcare Sector (the "Guidelines"), on the application of the Personal Data Protection Act 2012 ("PDPA") to the healthcare sector. What's notable about these Guidelines is that they were developed together with Singapore's Ministry of Health ("MOH").
By and large, the Guidelines are uncontroversial. Some highlights:
  • Examples of where individuals would be deemed to consent to the collection, use and/or disclosure of their personal data: (a) Where a patient fills out a registration form when visiting a clinic; (b) Where a patient consents to a doctor referring him/her to a third party doctor
  • Using a patient's personal data for other reasons such as marketing or teaching may not be reasonable in the circumstances and consent should be obtained
  • Personal data of other individuals may be exempted from the consent obligation if it was provided to enable the doctor/clinic/hospital to treat the patient (e.g. if a patient shares information about the family's history of disease)
  • Organizations can collect, use and disclose a patient's personal data without consent to respond to the patient's medical emergency
  • If a doctor is an employee of a clinic/hospital, the obligation to comply with the PDPA falls on the clinic/hospital. If the doctor is self-employed, he/she may be required to comply with the PDPA
  • Doctors are not required to provide opinion data such as their notes to respond to access requests
  • Organizations are not required to provide copies of the original documents containing personal data (e.g. registration forms, patient record cards, electronic records, etc) to respond to access requests
  • Doctors are not required to correct their professional or expert opinions in response to a correction request (obviously)
  • Organizations may retain personal data of existing patients to have access to their consultation history.
  • Organizations are still required to comply with other acts such as the Infectious Diseases Act and National Registry of Diseases Act. The PDPA does not exempt organizations from compliance with other acts.

The Guidelines also shed some light on how the PDPA affects third parties:
  • Locum doctors: Whether and which data protection provisions apply to a locum doctor depends on the arrangement between the locum doctor and the organization. Example: If the doctor is an employee or data intermediary, the hiring organization is responsible for complying with all the data protection provisions, while the doctor is independently responsible for complying with the protection and retention obligations under the PDPA.
  • Third party service providers: Third party service providers such as lab testing services will generally be regarded as data intermediaries, and are therefore only required to comply with the protection and retention obligations under the PDPA.

Do-Not-Call compliance
Again, uncontroversial. If a clinic is calling a patient for service-related purposes such as to follow-up on an appointment, this is not regarded as a telemarketing message and the clinic is not required to check the DNC register prior to making the call. Tagging on a marketing element to a service call will change the nature of the call and it will be regarded as a telemarketing call.

If a patient is undergoing treatment on an ongoing basis at a clinic for a chronic ailment, the clinic may be able to avail itself of the ongoing relationship exemption, which exempts the clinic from checking the DNC Registry before sending the patient telemarketing messages about new drugs which may treat the ailment. This exemption won't apply to recipients who have never sought treatment at the clinic or who don't have ongoing relationships with the clinic.

As always, telemarketing messages can always be sent if clear and unambiguous consent has been obtained from the recipient.

DNC compliance can be confusing at first glance, so training will be necessary to ensure that staff who make such calls know what's acceptable and what is off-limits. It's also worth remembering that generally, the organization (and not the staff personally) is responsible for DNC compliance, so the organization has a vested interest in ensuring that their staff are well trained.

Research:
This is an interesting area. The Guidelines note that medical records being used for retrospective research studies may be exempted from the consent requirement if:
  • the personal data is necessary for the research purpose, 
  • it is impracticable for the organization to seek the consent of the individual(s) for the use, 
  • the personal data will not be used to contact persons to ask them to participate in the research, and 
  • linkage of the personal data to other information is not harmful to the individuals identified by the personal data, and the benefits of the linkage are clearly in the public interest.

The Guidelines are silent on the use of medical records being used for prospective research. That's not to say that prospective research isn't regulated - the Medicines Act, Medicines (Clinical Trials) Regulations, Singapore Guideline for Good Clinical Practice, Health Sciences Authority and ethics review boards provide comprehensive regulation in relation to clinical trials. However the clinical trial regulatory framework isn't personal-data-centric. As such, it's not likely to provide quite the same scope of protection to personal data as the PDPA.

Contract research organizations and other entities conducting clinical trials will therefore need to ensure that their informed consent forms now specifically comply with the PDPA in addition to existing clinical trial regulatory requirements. (e.g. Informed consent forms should provide notice relating to the collection, use and disclosure, including transfers out of Singapore, of the subject's personal data.)

Healthcare research involves many disclosures and transfers of personal data, such as transferring DNA samples to labs outside Singapore, or genetic information to third parties such as research centres or other doctors. Clinical trials are often global endeavors at the Phase 3 stage, which means there may be transfers of personal data around the world. I also suspect that genetic information is hard to anonymize, assuming it can be anonymized at all.

I'm keeping my fingers crossed that the PDPC will release more information on the application of the PDPA to clinical trials and, more generally, prospective research in the healthcare sector, and I think there is room for our privacy framework to cover this area more comprehensively.


Dharma Sadasivan
Associate Director, BR Law Corporation
dharma@brlawcorp.com

Post date. Edit this to change the date post was posted. Does not show up on published site. 12/1/2015


Your comment will be posted after it is approved.


Leave a Reply.

    We're Here To Help

    Our team welcome any comments or questions and will gladly assist you with your enquiry. You can call us on +65 6899 9888 or fill out our simple contact form. 

    Disclaimer

    The materials in these articles have been prepared for general informational purposes only and are not legal advice or a substitute for legal counsel. If you require legal advice for your particular circumstances, please consult a suitably qualified legal counsel. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. You should not rely or act upon this information without seeking professional counsel. Whilst we endeavour to ensure that the information in these articles is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. The authors of the articles are or were employees of BR Law Corporation at the time of  publication, but may no longer be, now or in the future, in the employ of the firm.

    Subscribe to our Newsletter

    Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
    Subscribe to Newsletter

    RSS Feed

    Categories

    All
    Awards And Accolades
    Commercial Transactions
    Conveyancing
    Corporate Law
    COVID19
    Criminal Law
    Dispute Resolution
    Family And Matrimonial Law
    Intellectual Property
    International Law
    Personal Data Protection
    Probate And Administration
    Technology
    Wills And Trusts

    Archives

    September 2021
    July 2021
    May 2021
    April 2021
    October 2020
    September 2020
    July 2020
    May 2020
    April 2020
    January 2020
    October 2019
    June 2019
    March 2019
    February 2019
    January 2019
    December 2018
    August 2018
    July 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    September 2017
    August 2017
    January 2017
    September 2016
    March 2015
    January 2015
    July 2014
    June 2014
    May 2014
    April 2014

Firm Brochure

Download
Brochure in Japanese
Brochure in Mandarin

Our ecosystem

Our related services:
BR Family Assets

Practice Areas

Subscribe to our quarterly newsetter to keep up to date with a wealth of insights from the BR Law, BR Family Assets and BR Corporate services team.
Subscribe to Newsletter

Contact Us

+65 6899 9888 Telephone
+65 6338 5377 Fax (Main)
+65 6394 7318 Fax (Branch)
 
br@brlawcorp.com
 
Main Office
4 Battery Road #29-00
Bank of China
Singapore 049908

Branch Office
24 Raffles Place
#19-05 Clifford Centre
Singapore 048621

Awards and Accolades

Picture
Terms of Use​  •  Privacy Statement
​© Copyright 2018 BR Law Corporation. Registered in Singapore (UEN: 200312051N).