PDPA presentation


Uploaded by: alan-teh

Posted on 29-Jan-2015


DESCRIPTION

Presentation on the Personal Data Protection Act; slides courtesy of the Subang Jaya Medical Centre.

TRANSCRIPT

Page 1

Page 2

PERSONAL DATA PROTECTION ACT 2010

Page 3

Personal Data Protection Act 2010

• Passed on 10 June 2010

• The Minister has appointed a Director General & created a PDP Dept

• Once the PDPA comes into force the DG may assume the role of Data Protection Commissioner

• Once the PDPA is brought into force, Data Users have 3 months to comply

Page 4

Organisation chart (slide graphic) showing:

• Minister of Information, Communication and Culture

• Personal Data Protection Commissioner

• Advisory Committee

• Data User

• Data User Forum

• Appeal Mechanism

Page 5

Growth of computer networks & internet – Huge impact on society

• Over the last 3 decades computer networks have made pervasive inroads into our everyday lives, both in business and in the home

• The internet came along and connected the world

• Computer networks enabled efficient collection, manipulation and storage of data – and vast quantities of it too

• Data can be stored anywhere in the world – not necessarily where it is collected

• Gigabytes of personal data are accessed and used on a daily basis

• New threats affecting privacy and data protection (identity theft, facebook, twitter, friendster, etc)

Page 6

Has your Personal Data been abused lately?

• How many marketing SMSs do you receive in a day?

• Has a bank offered you a pre-approved loan lately?

• Does your telco send you “I love you” MMSs without your consent?

• Did you get a season’s greeting from the Prime Minister lately?

• Did you get an email telling you that you have won USD5 million in a European lottery?

None of these activities may have had your consent

Page 7

What is Personal Data?

• Personal Data (PD) means any information which relates directly or indirectly to a data subject, who is identified or identifiable from that information. Examples:

Name, Address, Photographs, IC, Bank Account details, Medical Records / History

Some Definitions

Data Subject (DS) – an individual who is the subject of the PD – includes patients and employees

Data User (DU) – a person who processes any PD or has control over or authorizes the processing of any PD, but does not include a data processor

Page 8

Data lifecycle stages shown on the slide: Collection, Use, Disclosure, Destruction

• Processing – means collecting, recording, holding, storing and carrying out of operations with that data like organization, adaptation, retrieval, use, disclosure, transmission, transfer, correction, erasure & destruction

Processing is defined widely

Page 9

Application of the PDPA

• The Act applies to:

(a) personal data which is processed;

(b) any person who processes and any person who has control over or authorizes the processing of any personal data in respect of commercial transactions and such a person is a “data user”;

Commercial transactions –

“... of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.

Page 10

Personal Data Flow – patient (slide diagram)

Stages: Patient Registration (demographics) → Clinical Information at Clinic → Clinical Information at Wards → Procedures → Discharge/Payment

Systems labelled on the diagram: HIS, LIS, OIS, HRM

PATIENT

Page 11

The PDPA – Who Does it NOT Apply To?

• The PDPA does not apply to:

The Federal Government

The State Government

PD processed outside Malaysia UNLESS intended to be further processed in Malaysia

Page 12

Healthcare Sector in Malaysia

Current Position (timeline on slide): Pre PDPA → 2010

Page 13

Current Regulatory Position – Piecemeal Approach to Data Protection

Private Healthcare & Services Act

Medical Act

MMC Guide on Medical Records and Medical Reports

MMC Code of Professional Conduct

Patient’s Charter

MMA Code on Medical Ethics

MMC Guide on Confidentiality

Page 14

Pre-PDPA – How Personal Data was dealt with

• PHFSA – hospitals must have a policy on Patients’ rights:

Information concerning medical treatment and care;

Be provided with patient’s medical report within a reasonable time

• Reg 30 – patient’s MR is the property of the Hospital. Patient has a right to request a medical report

• Retention of MR is for the Limitation Period

• Doctors have right of access to MR of old patients to defend civil actions

Page 15

MMC Guidelines on Doctors

• On medical records and reports

Medical records belong to the hospital

Information in MR belongs morally and ethically to the patient

Doctors have an obligation to provide comprehensive medical reports upon request by the patient (for 2nd opinion, litigation etc)

• Doctor-patient confidentiality

No disclosure to 3rd parties without consent of the patient

Should not reveal patient PD in medical publications

Doctors must exert all powers to preserve patient confidentiality

Page 16

MMC Guidelines for Doctors – Disclosure to 3rd Parties

• Disclosure within Medical Teams

Drs must obtain consent of the Patient to share PD with other doctors

Patient can refuse consent for sharing of PD between doctors

• Disclosure to Employers, Insurers

Dr must inform the Patient and obtain consent before disclosure to these parties

• Disclosure for Medical Teaching and medical audit

Should anonymise PD as far as possible

Doctors who decide to disclose PD must be prepared to explain and justify their decision (MMC Guideline)

Page 17

PDPA

Page 18

The 7 Data Protection Principles Under the PDPA


General principle

Notice & Choice Principle

Disclosure Principle

Security Principle

Retention Principle

Data Integrity Principle

Access Principle

Page 19

PDP Principles and what each covers:

1. General Principle – Consent of DS is required to process PD. For Sensitive Personal Data, explicit consent is required.

2. Notice & Choice Principle – DU gives Notice to DS of the processing, description of PD, purpose, source of info and right to request access, 3P to whom DU discloses, how to limit the processing, whether it is obligatory or voluntary to supply PD.

3. Disclosure Principle – No disclosure of PD without consent of DS.

4. Security Principle – DU must take practical steps to protect PD (IT System & Internal processes).

5. Retention Principle – PD should not be kept longer than necessary; must destroy after purpose is met.

6. Data Integrity Principle – DU must ensure Data processed is accurate, complete and up-to-date having regard to the purpose of collection.

7. Access Principle – DS must have access and be able to correct if inaccurate.

Page 20

1. General Principle - consent

• A data user cannot process any PD about a Data Subject unless the Data Subject has given his consent.

•Consent can be expressed or implied

•PD cannot be processed unless :

PD is processed for a lawful purpose directly related to the activity of the Data User

The processing of PD is necessary for or directly related to that purpose

Directly related to that purpose means the reason that the PD was collected.

Eg: a person comes for a blood test and his consent is acquired to conduct all the necessary test. However, the consent shall not extend to the publication of his blood test results in a medical article.

PD is adequate but not excessive in relation to that purpose

Eg: a patient comes to ER to see the doctor for fever medication. It is not necessary to ask the patient for his grandparents’, aunt’s or uncle’s names, IC, address, etc.

Distinction between consent for medical purpose and other purpose

Page 21

Page 22

2. Notice & Choice Principle

• A DS is required to give written consent to DU:

That PD is being processed and provide a description of the PD being processed

The purposes for which the PD is collected and processed

DS’s right to request access to and request correction of the PD

Disclosure to any 3rd parties that may be made

Page 23

3. Disclosure Principle

• No Personal Data shall be disclosed without the consent of the DS:

For any other purpose other than the original purpose as disclosed to the DS at the time of collection

A purpose directly related to the purpose above

To any party other than a 3rd party already notified to the DS (under Notice Principle)

• Disclosure for the purpose of research, discussions in medical meetings / seminars:

This disclosure is allowed as long as the data that is being disclosed cannot be related to a particular person

• Note: Disclosure to the Ministry of Health – this is a compulsory disclosure and thus shall be exempted.

Page 24

Case note - disclosure

Improper disclosure of SPD to Government Agency

The complainant had medical tests at a pathology clinic and asked that the results be provided only to their treating medical specialist and solicitor.

The tests results were to be part of a claim that the complainant was making to a federal government agency.

The complainant later became aware that the clinic had provided the results directly to that government agency.

DS complained to the Data Commissioner

The clinic advised that its staff had sent the results directly to the government agency noted on the complainant’s form.

The clinic contended that this was an isolated error.

As this information was disclosed for a purpose other than the primary purpose for which it was collected, the Commissioner formed the view that the disclosure was an interference with the complainant’s privacy.

The clinic paid compensation to the DS.

Page 25

The security principle needs to be adequate, but it shouldn’t be unreasonable.

Page 26

4. Security Principle

• DU shall take practical steps to protect PD from any

Loss, misuse, modification

Unauthorized or accidental access or disclosure

Alteration or destruction

Having regard to location, IT systems and mode of transfer of PD

• Hospital IT systems such as the HMIS, HIS and LIS need strict policies

• Transfer to 3rd party service providers such as outside lab and transfers of PD overseas

Security issues: use of portable devices (laptops, USB, external hard drives, CDs, DVDs)

Transmission of patient info via fax

Medical devices storage function

Remote access to MR

Doctors have to comply with Hospital’s policies regarding PDPA requirements

Page 27

Page 28

Sony fined GBP 250,000 for Breach of Security

• A cyber attack on the SONY’s PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft including credit card details

• It could have been prevented if Sony’s software had been up-to-date and technical developments hadn’t made passwords insecure

• “There’s no disguising that this is a business that should have known better,” said the ICO’s data protection director David Smith

• It is a company that trades on its technical expertise and there is no doubt in my mind that they had access to both the technical expertise and the resources to keep this information safe.

Page 29

Data Processor

• Where PD is processed on behalf of DU the DU shall ensure that the Data Processor :

Provides guarantees in respect of technical and security measures governing the processing; and

Takes reasonable steps to ensure compliance with those measures

Eg: The IT system in SDMC PC – system designed for SDH, and they do have access to our patient records.

Data Processor = Outsourced Service Providers

Page 30

5. Retention Principle

Page 31

Retention Principle

• PD shall not be kept longer than is necessary for the fulfillment of the original purpose

• DU has duty to take all reasonable steps to ensure that PD is :

• Destroyed (must be done in a proper manner); or

• Permanently deleted

... if it is no longer required for the purpose for which it was processed

QUESTION: how long is long?

Depends on the nature of your business and the commercial reasons to keep data

7 years / 25 years / hospital policy

Page 32

Page 33

6. Data Integrity Principle

Page 34

Data Integrity Principle

• DU has duty to take all reasonable steps to ensure that PD is:

• Accurate

• Complete

• Not misleading; and

• Kept up to date

Page 35

7. Access Principle

• A data subject shall be given access to his personal data upon Data Access Request

• All information that is being processed by or on behalf of the Data User

• Entitled to an intelligible copy of the PD

• Access can be just to view or get a copy

• Subject to some exceptions

Under the PDPA, patient may now get access to his entire MR

Page 36

Case note

Who can access PD

Hospital prepared a health report for an insurance company

Patient wanted a copy under access principle

Hospital refused

DC held that all PD held by the hospital, including the report, should be provided to the data subject, regardless of for whom it was prepared

Page 37

Page 38

GE Healthcare Admits Sending NHS Patient Data to US

• Personal details of 600,000 patients were sent to the US following a mistake made by the NHS’s IT provider, GE Healthcare

• GE Healthcare admitted that the error had occurred after it had obtained more patient data than it needed, but stressed that there was no need to worry

• Overloaded in PD

• GE Healthcare recently discovered that they obtained more patient data from diagnostic imaging products than they needed to perform services to their customers

Page 39

NHS Trust fined 325,000 for data breach

• Brighton and Sussex University Hospital NHS Trust has been fined 400,000 euros following a serious breach of the UK Data Protection Act

• Highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito Urinary Medicine patients, was on hard drives sold on an Internet auction site in October and November 2010

• The data breach occurred when an individual engaged by the Trust’s IT service provider was tasked to destroy approximately 1000 hard drives

• The individual sold 4 hard drives on an internet auction in December 2010

Page 40

Offences and Penalties

• If a body corporate commits an offence under the PDPA, any person who at the time of the offence was a director, CEO, COO, Manager etc may be charged jointly or severally with the company

• Liability also is attached to Senior Management for acts or omissions of any employee acting in the course of their employment.

• Section 5 (1)

Anyone who contravenes the Personal Data Protection Principles commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or to both

Penalties for other offences range from RM100k to RM500k, with imprisonment ranging from 1 – 3 years

Eg. For unlawful collection or selling of PD – 500k and 3 years

Page 41

THANK YOU