Data Protection & Privacy in Malaysian Total Hospital Information System


shares the recent presentation at the University of Oxford Centre for Health, Law and Emerging Technologies (HeLEX) on 10th August 2011. He was an academic visitor during the summer of 2011 (1st August 2011 - 19th August 2011). The work and research are in progress.


1. Adequacy of data protection in total hospital information system (THIS); THE MALAYSIAN STORY
   By Noriswadi Ismail
   Doctoral Researcher in RFID, Data Protection & Privacy
   MARA Scholar & HeLEX Academic Visitor
   (1st August 2011 – 19th August 2011)

2. Executive Summary
   ::: Introduction
   ::: THIS Brief Background
   ::: Research Methodology
   ::: PDPA 2010
   ::: 7 Data Protection Principles
   ::: Observations
   ::: Interim recommendation
   ::: Conclusion
   ::: References

3. Introduction

4. Introduction
   10th Malaysian Plan (2010-2014)
   ::: Transforming delivery of the healthcare system (streamlining regulatory and service provision rules, reviewing legislation and regulations & reviewing financing options);
   ::: Increasing quality, capacity and coverage of the healthcare infrastructure (expanding primary care services, strengthening secondary and tertiary care services and improving provision of healthcare services);
   ::: Shifting towards wellness and disease prevention, rather than treatment (expanding the healthy lifestyle campaign and encouraging a healthy and active lifestyle); and
   ::: Increasing the quality of human resources for health

5. THIS Brief Background
   ::: Integrated and comprehensive information system that manages, processes and retains all data relating to administrative, financial and clinical functions
   ::: Dr. Rasiah S., “…Electronic Information System that supports the core business of patient care which enables and facilitates the functions in fulfilling its services…”
   Source: New Generation Hospitals – IT hospitals, Malaysia’s Health 2005, Ministry of Health, pp 177-186.

6. THIS Brief Background
   Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, pages 3-5 of 37

7. THIS Brief Background
   Source: Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health, “HIS – Malaysian Experience” presentation slides, page 25 of 37

8. THIS Brief Background (Application Architecture)
   Source: Dr Saadon Ibrahim, Privilege Management and Access Controls in HIS Hospitals, Clinical Information Technology Coordinator, Hospital Sultan Ismail, Malaysia, MSC Malaysia IHE Education Session 3/09, Electronic Health Record Privacy, Slide 10 of 47.

9. Research Methodology
   ::: Literature Review: Journals and policy papers (1st August – 19th August 2011)
   ::: Observations: Malaysian Personal Data Protection Act 2010 (25th July 2011 – 19th August 2011)
   ::: Qualitative: Semi-structured interviews with focus groups – IT Service Providers, Doctors, IT Team, Patients and Users (January 2012 - February 2012)

10. Research Methodology
   ::: Limitation: Most of the literature materials are in medical informatics and information systems. There is a lack of legal and multidisciplinary materials on the same (especially on local content – Malaysia’s regime/contour)

11. PDPA 2010
   Transborder data flow?
   Full / partial independence?
   Data User Forum

12. *Exemptions
   ::: Processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes;
   ::: Processed for prevention or detection of crime or for the purpose of investigations;
   ::: The apprehension or prosecution of offenders;
   ::: The assessment or collection of any tax or any other imposition of a similar nature;
   ::: Processed in relation to information of the physical or mental health of a data subject;
   ::: Processed for preparing statistics or carrying out research;
   ::: Processed for the purpose of or in connection with any order or judgment of a court;
   ::: Processed for the purpose of discharging regulatory functions; and
   ::: Processed only for journalistic, literary or artistic purposes

20. 7 Data Protection Principles
21. Observations
   ::: Actors in action: Ministry of Health officials, doctors, consultants (local or foreign), patients (local or foreign), third parties (vendors, contractors, service providers and sub-contractors)
   ::: Many actors, different liabilities
   ::: Exemption: Ministry of Health officials, Federal and State Government doctors – leads to uncertainty in comprehensively applying the PDPA 2010, although these actors deal directly with patients (as data subjects) and consultants
22. Observations
   ::: Consultants: How is their relationship defined in THIS?
   ::: Patients: How securely are patients’ sensitive personal data processed, managed and retained throughout THIS? What happens to the data of deceased patients? Who owns it? And does the PDPA 2010 address the period of retention for the same?
   ::: Third parties: Are contractual obligations sufficient?
23. Observations
   ::: Transfer of doctors/patients: Whether such transfers reach the adequacy level within the PDPA 2010 is yet to be tested.
   ::: Secondary Opinion: Whether seeking such a secondary opinion outside Malaysia is deemed adequate under the PDPA 2010 is yet to be tested.
   ::: Transborder data flow: Whether such transborder data flow from a Malaysian hospital to another hospital is deemed to be a commercial transaction is yet to be tested.
24. Observations
   ::: THIS dilemma 1: Different hospitals, different service providers (system integrators) – standardisation challenge
   ::: THIS dilemma 2: Different policies on the integrated systems, and different levels of information security & privilege access – privilege management
   ::: THIS dilemma 3: At least 3-4 parties are involved in a specific application architecture. A back-to-back arrangement on data protection & privacy compliance is technically sophisticated
25. Interim recommendation
   ‘360 degree data health check’

26. Interim recommendation
   ::: Rationale 1: To be able to understand the inter-relationship
   ::: Rationale 2: To be able to assess the limitations
   ::: Rationale 3: To be able to recommend a workable information governance model for THIS

27. Interim recommendation
   ::: How to achieve this?: Pilot interview and semi-structured interview (qualitative)
   ::: Expected period of outcome: By the fourth quarter of 2011 or, at the latest, the first quarter of 2012.
   ::: Dissemination strategy: Publication in the Malaysian Journal of Public Health and a series of workshops & presentations before the Ministry of Health: expected by the first quarter of 2012.

28. References
   Articles & Policy Papers
   Dr. Nor Bizura Abdul Hamid, Planning and Development Division, Ministry of Health Malaysia, presentation on Hospital Information System – Malaysian Experience
   Dr. Saadon Ibrahim, Clinical Information Technology Coordinator, Hospital Sultan Ismail, Malaysia, presentation on Privilege Management and Access Control in HIS hospitals
   Economic Transformation Programme – A Roadmap for Malaysia, Chapter 16, Healthcare (pp 1-36)
   Ganthan Narayana Samy, Rabiah Ahmad and Zuraini Ismail, Threats to Health Information Security, Journal of Information Assurance and Security 5 (2010) 146-153
   Health Facts 2009, Health Informatics Centre, Planning and Development Division, Ministry of Health Malaysia (July 2010)
   Sapiah Sulaiman and Rose Alinda Alias, Information Ethics in Malaysian Paperless Hospital, Proceedings of the Postgraduate Annual Research Seminar 2006
   Suhaila Samsuri, Rabiah Ahmad and Zuraini Ismail, Towards Implementing a Privacy Policy: An Observation on Existing Practices in Hospital Information System, Journal of e-Health Management, Vol. 2011 (2011), Article ID 345834
   The 10th Malaysian Plan (2010-2014)

29. References
   Book
   Abu Bakar Munir & Siti Hajar Yasin, Personal Data Protection in Malaysia, Law and Practice, Sweet & Maxwell Asia (2010)
   Websites
   MSC Malaysia <>
   PEMANDU, Economic Transformation Programme <>
   Ministry of Health Malaysia <>
   Malaysia Health Fact 2009 <>
30. Conclusion
   It is hoped that the impact of this research will address the application of the PDPA 2010 within the Total Hospital Information System (THIS).
   It is also hoped that the outcome of dissemination will become a blueprint for responding to any potential issues relating to data protection and privacy compliance in Malaysia’s healthcare.
32. Thank You
   E: <> & <>