Pdpa presentation
Presentation on the Personal Data Protection Act
slides courtesy of the Subang Jaya Medical Centre

Published in: Health & Medicine, Business
3. Personal Data Protection Act 2010
• Passed on 10 June 2010
• The Minister has appointed a Director General and created a Personal Data Protection Department
• Once the PDPA comes into force, the DG may assume the role of Data Protection Commissioner
• Once the PDPA is brought into force, Data Users have 3 months to comply
4. Regulatory structure under the PDPA (organisation chart; boxes as shown on the slide)
• Minister of Information, Communication and Culture
• Appeal Mechanism
• Personal Data Protection Commissioner
• Data User Forum
• Advisory Committee
• Data User
5. Growth of computer networks and the internet: huge impact on society
• Over the last 3 decades computer networks have made pervasive inroads into our everyday lives, in business as well as in the home
• The internet came along and connected the world
• Computer networks enabled efficient collection, manipulation and storage of data, and vast quantities of it
• Data can be stored anywhere in the world, not necessarily where it is collected
• Gigabytes of personal data are accessed and used on a daily basis
• New threats affecting privacy and data protection (identity theft, Facebook, Twitter, Friendster, etc.)
6. Has your Personal Data been abused lately?
• How many marketing SMSs do you receive in a day?
• Has a bank offered you a pre-approved loan lately?
• Does your telco send you "I love you" MMSs without your consent?
• Did you get a season's greeting from the Prime Minister lately?
• Did you get an email telling you that you have won USD 5 million in a European lottery?
None of these activities may have had your consent.
7. What is Personal Data?
• Personal Data (PD) means any information which relates directly or indirectly to a data subject, who is identified or identifiable from that information
• Examples: name, address, photographs, IC number, bank account details, medical records / history
Some definitions:
• Data Subject (DS): an individual who is the subject of the PD; includes patients and employees
• Data User (DU): a person who processes any PD, or has control over or authorises the processing of any PD, but does not include a data processor
8. Processing is defined widely
• Processing means collecting, recording, holding or storing PD, and carrying out operations on that data such as organisation, adaptation, retrieval, use, disclosure, transmission, transfer, correction, erasure and destruction
• (Diagram: Collection, Use, Disclosure, Destruction)
9. Application of the PDPA
• The Act applies to: (a) personal data which is processed; (b) any person who processes, and any person who has control over or authorises the processing of, any personal data in respect of commercial transactions; such a person is a "data user"
• Commercial transactions: "... of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010"
10. Personal Data Flow - patient (diagram)
• Patient Registration (demographics): HIS
• Clinical Information at Clinic / Procedures: HIS, LIS, OIS
• Clinical Information at Wards
• Discharge / Payment: HIS
• HRM appears at each stage of the flow
11. The PDPA: who does it NOT apply to?
• The Federal Government
• The State Governments
• PD processed outside Malaysia, UNLESS it is intended to be further processed in Malaysia
12. Healthcare Sector in Malaysia: current position, pre-PDPA 2010
13. Current regulatory position: piecemeal approach to data protection
• Private Healthcare Facilities & Services Act (PHFSA)
• Medical Act
• MMC Guide on Confidentiality
• MMC Guide on Medical Records and Medical Reports
• MMC Code of Professional Conduct
• MMA Code on Medical Ethics
• Patient's Charter
14. Pre-PDPA: how Personal Data was dealt with
• PHFSA: hospitals must have a policy on patients' rights, including information concerning medical treatment and care, and being provided with the patient's medical report within a reasonable time
• Reg 30: the patient's medical record (MR) is the property of the hospital; the patient has a right to request a medical report
• Retention of the MR is for the limitation period
• Doctors have a right of access to the MR of old patients to defend civil actions
15. MMC Guidelines on Doctors
• On medical records and reports: medical records belong to the hospital; the information in the MR belongs morally and ethically to the patient; doctors have an obligation to provide comprehensive medical reports upon request by the patient (for a 2nd opinion, litigation, etc.)
• Doctor-patient confidentiality: no disclosure to 3rd parties without the consent of the patient; should not reveal patient PD in medical publications; doctors must exert all powers to preserve patient confidentiality
16. MMC Guidelines for Doctors: disclosure to 3rd parties
• Disclosure within medical teams: doctors must obtain the consent of the patient to share PD with other doctors; the patient can refuse consent for sharing of PD between doctors
• Disclosure to employers and insurers: the doctor must inform the patient and obtain consent before disclosure to these parties
• Disclosure for medical teaching and medical audit: should anonymise PD as far as possible; doctors who decide to disclose PD must be prepared to explain and justify their decision (MMC Guideline)
17. PDPA
18. The 7 Data Protection Principles under the PDPA
• General Principle
• Notice & Choice Principle
• Disclosure Principle
• Security Principle
• Retention Principle
• Data Integrity Principle
• Access Principle
19. PDP Principles and what each covers
1. General Principle: consent of the DS is required to process PD; for Sensitive Personal Data, explicit consent is required
2. Notice & Choice Principle: the DU gives notice to the DS of the processing, a description of the PD, the purpose, the source of the information, the right to request access, the 3rd parties to whom the DU discloses, how to limit the processing, and whether it is obligatory or voluntary to supply the PD
3. Disclosure Principle: no disclosure of PD without the consent of the DS
4. Security Principle: the DU must take practical steps to protect PD (IT systems and internal processes)
5. Retention Principle: PD should not be kept longer than necessary; must be destroyed after the purpose is met
6. Data Integrity Principle: the DU must ensure data processed is accurate, complete and up to date, having regard to the purpose of collection
7. Access Principle: the DS must have access to the PD and be able to correct it if inaccurate
20. 1. General Principle: consent
• A data user cannot process any PD about a Data Subject unless the Data Subject has given his consent
• Consent can be express or implied
• PD cannot be processed unless: the PD is processed for a lawful purpose directly related to the activity of the Data User; the processing of the PD is necessary for or directly related to that purpose; and the PD is adequate but not excessive in relation to that purpose
• "Directly related to that purpose" means the reason for which the PD was collected. E.g. a person comes for a blood test and his consent is obtained to conduct all the necessary tests; that consent does not extend to the publication of his blood test results in a medical article
• "Adequate but not excessive": e.g. a patient comes to the ER to see the doctor for fever medication. It is not necessary to ask the patient for his grandparents', aunt's or uncle's names, IC numbers, addresses, etc.
• Distinguish between consent for a medical purpose and consent for other purposes
22. 2. Notice & Choice Principle
• The DU is required to give written notice to the DS of: the fact that PD is being processed, with a description of the PD being processed; the purposes for which the PD is collected and processed; the DS's right to request access to and correction of the PD; and any disclosures to 3rd parties that may be made
23. 3. Disclosure Principle
• No PD shall be disclosed without the consent of the DS: for any purpose other than the original purpose disclosed to the DS at the time of collection, or a purpose directly related to it; or to any party other than a 3rd party already notified to the DS (under the Notice Principle)
• Disclosure for the purpose of research or discussion in medical meetings / seminars is allowed as long as the data disclosed cannot be related to a particular person
• Note: disclosure to the Ministry of Health is a compulsory disclosure required by law and is therefore exempt
24. Case note - disclosure: improper disclosure of sensitive PD to a government agency
• The complainant had medical tests at a pathology clinic and asked that the results be provided only to their treating medical specialist and solicitor. The results were to be part of a claim that the complainant was making to a federal government agency
• The complainant later became aware that the clinic had provided the results directly to that government agency, and complained to the Data Commissioner
• The clinic advised that its staff had sent the results directly to the government agency noted on the complainant's form, and contended that this was an isolated error
• As the information was disclosed for a purpose other than the primary purpose for which it was collected, the Commissioner formed the view that the disclosure was an interference with the complainant's privacy
• The clinic paid compensation to the DS
25. Security measures under the Security Principle need to be adequate, but they need not be unreasonable
26. 4. Security Principle
• The DU shall take practical steps to protect PD from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction, having regard to the location of the PD, the IT systems used and the mode of transfer of the PD
• Hospital IT systems such as the HMIS, HIS and LIS need strict policies
• Transfers to 3rd party service providers such as outside labs, and transfers of PD overseas, need to be covered
• Security issues: use of portable devices (laptops, USB drives, external hard drives, CDs, DVDs); transmission of patient information via fax; the storage function of medical devices; remote access to MRs
• Doctors have to comply with the hospital's policies regarding PDPA requirements
28. Sony fined GBP 250,000 for breach of security
• A cyber attack on Sony's PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft, with credit card details among the data exposed
• The ICO found the attack could have been prevented if Sony's software had been up to date, while technical developments also meant passwords were not secure
• "There's no disguising that this is a business that should have known better," said the ICO's data protection director David Smith. "It is a company that trades on its technical expertise, and there is no doubt in my mind that they had access to both the technical expertise and the resources to keep this information safe."
29. Data Processor
• Where PD is processed on behalf of the DU, the DU shall ensure that the Data Processor: provides sufficient guarantees in respect of the technical and organisational security measures governing the processing; and takes reasonable steps to ensure compliance with those measures
• E.g. the IT system in SDMC: the system was designed for SDH, and they do have access to our patient records
• Data Processor = outsourced service providers
30. 5. Retention Principle
31. Retention Principle
• PD shall not be kept longer than is necessary for the fulfilment of the original purpose
• The DU has a duty to take all reasonable steps to ensure that PD is destroyed (in a proper manner) or permanently deleted if it is no longer required for the purpose for which it was processed
• QUESTION: how long is long? It depends on the nature of your business and the commercial reasons to keep the data: 7 years / 25 years / hospital policy
33. 6. Data Integrity Principle
34. Data Integrity Principle
• The DU has a duty to take all reasonable steps to ensure that PD is accurate, complete, not misleading, and kept up to date
35. 7. Access Principle
• A data subject shall be given access to his personal data upon a Data Access Request
• This covers all information being processed by or on behalf of the Data User
• The DS is entitled to an intelligible copy of the PD; access can be just to view or to get a copy
• Subject to some exceptions
• Under the PDPA, a patient may now get access to his entire MR
36. Case note - who can access PD
• A hospital prepared a health report for an insurance company; the patient wanted a copy under the Access Principle; the hospital refused
• The Data Commissioner held that all PD held by the hospital, including the report, should be provided to the data subject, regardless of for whom it was prepared
38. GE Healthcare admits sending NHS patient data to the US
• Personal details of 600,000 patients were sent to the US following a mistake made by the NHS's IT provider, GE Healthcare
• GE Healthcare admitted that the error had occurred after it had obtained more patient data than it needed, but stressed that there was no need to worry
• Over-collection of PD: GE Healthcare discovered that it had obtained more patient data from diagnostic imaging products than it needed to perform services for its customers
39. NHS Trust fined GBP 325,000 for data breach
• Brighton and Sussex University Hospitals NHS Trust was fined GBP 325,000 (about EUR 400,000) following a serious breach of the UK Data Protection Act
• Highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito-Urinary Medicine patients, was found on hard drives sold on an internet auction site in October and November 2010
• The breach occurred when an individual engaged by the Trust's IT service provider was tasked with destroying approximately 1,000 hard drives
• The individual sold 4 of the hard drives on an internet auction site in December 2010
40. Offences and Penalties
• If a body corporate commits an offence under the PDPA, any person who at the time of the offence was a director, CEO, COO, manager, etc. may be charged jointly or severally with the company
• Liability also attaches to senior management for the acts or omissions of any employee acting in the course of their employment
• Section 5(1): anyone who contravenes the Personal Data Protection Principles commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years, or to both
• Penalties for other offences range from RM100,000 to RM500,000, with imprisonment ranging from 1 to 3 years; e.g. for unlawful collection or sale of PD: RM500,000 and 3 years
41. THANK YOU