When organizations, such as healthcare institutions, collect, use, or disclose an individual’s personal data, they are obliged to comply with the provisions of the PDPA unless they are acting on behalf of a public agency; otherwise they face a hefty fine.
PDPA compliance for the healthcare sector: Consent, Purpose Limitation, and Notification Obligations
The Revised Advisory Guidelines for the Healthcare Sector (2014) provide that whenever an organization undertakes activities relating to the collection, use, or disclosure of personal data, it must obtain consent from the individuals concerned and notify them of the purposes of such collection, use, and disclosure, unless an exception applies.
Under the revised guidelines on PDPA compliance for the healthcare sector, the PDPC does not prescribe any specific manner of obtaining consent from individuals, so it is left to the discretion of the Organization how consent is obtained.
PDPA compliance for the healthcare sector: Considerations in obtaining consent
According to the Revised Advisory Guidelines for the Healthcare Sector (2014), before collecting, using, or disclosing an individual’s personal data, a healthcare institution should consider the following in relation to its consent obligations:
a) Whether the individual (or a person who has the legal authority to validly act on behalf of the individual) had been notified of the purposes for the collection, use, or disclosure of his personal data and had given consent to such collection, use, or disclosure;
b) If consent had not been given, whether consent can be deemed to have been provided by the individual (or a person who has the legal authority to validly act on behalf of the individual) for the collection, use, or disclosure of his personal data for the purpose; and
c) Whether the collection, use, or disclosure without the consent of the individual is required or authorized under the PDPA or any other written law, in particular, assessing whether the circumstances fall within any of the exceptions from the Consent Obligation in the Second, Third or Fourth Schedules to the PDPA.
PDPA compliance for the healthcare sector: Access and Correction Obligation
Section 21(1) of the PDPA provides that, upon request by an individual, the Organization must provide the following:
a) personal data about the individual that is in the possession or under the control of the Organization; and
b) information about the ways in which that personal data has been or may have been used or disclosed by the Organization within a year before the date of the individual’s request.
Furthermore, under Sections 22(1) and 22(2) of the PDPA, individuals may request the correction of an error or omission in their personal data held by the Organization. The Organization must make the necessary correction upon receiving the request unless it is satisfied on reasonable grounds that the correction should not be made.
PDPA compliance for the healthcare sector: Do Not Call Provision
Under the Do Not Call provisions of the PDPA, organizations are not allowed to send specified messages to a telephone or mobile number that an individual has registered in the Do Not Call Registry. Organizations that do so face a hefty fine.
Under the Do Not Call Provision, these specified messages are messages with a purpose to offer to supply, advertise or promote goods or services, land or an interest in land, or a business or investment opportunity, or a supplier of such goods, services, land or opportunity.
However, there are exceptions to this rule: the Organization is not required to comply with this obligation if the recipient has given consent, if the message is not a specified message, or if the message, although a specified message, is exempted under the Exemption Order.
Under the Exemption Order, if there exists an “ongoing relationship” between the sender and a recipient, the Organization is exempted from the requirement to check the relevant Do Not Call Registers.
In determining whether an ongoing relationship exists between a patient and a healthcare institution, the following are considered:
- The frequency of visits the patient makes to the clinic; and
- The patient has agreed to a course of treatment that requires several separate visits to the clinic.
Hiring a Data Protection Officer (DPO) and PDPA compliance for the healthcare sector
Organizations that collect, use, and disclose personal data are covered by the PDPA. PDPC decisions and undertakings show that, if there is a breach, regardless of its cause (for example, a mere mistake by an employee), the Organization could be made to pay a hefty fine of up to S$1,000,000. Appointing a DPO is the first step towards avoiding this.
The DPO’s importance lies in ensuring that the Organization meets all of its obligations under the PDPA. Every Organization covered by the PDPA is required to appoint a DPO to reduce the risk of future breaches.
This is because the DPO is tasked with the following responsibilities to limit data breaches:
a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the healthcare institutions, as well as other data protection practices to ensure compliance with the PDPA and making information about this policy available to all stakeholders;
b. Raising awareness and fostering a culture of data protection among staff and key personnel;
c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and
d. Alerting healthcare institutions to any risks that might arise concerning collecting, using, or disclosing personal data.