Out-Law News | 15 Sep 2014 | 9:28 am | 2 min. read
The Personal Data Protection Commission has published new guidance on how Singapore's data protection laws apply in the health sector (29-page / 144KB PDF). The guidance contains an example which confirms that personal data about patients can be used without their consent for the purpose of research.
The example cited in the guidance refers to a health organisations that wants to use historical medical records stored in its databases for the purpose of research into " the epidemiology of diseases and socio-demographic characteristics of past patients" so as to influence its future public health strategies. The research concerned could not "reasonably be accomplished" without the data being in identifiable form, it said.
According to the example, the health body does not hold contact details for the individual patents and it would be "impracticable" for it to "seek consent from the individuals" because it does not know whether the patients are still alive or where they are living. In the example, the "linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest".
The PDPC said that the health body referenced in the example would be likely to be able to use the medical records in its archives without consent for its research under Singapore's Personal Data Protection Act (PDPA).
The PDPA contains rules on the collection, use or disclosure of individuals' personal data. It came fully into force in July. The rules generally place conditions on the collection, use or disclosure of personal data which include requiring organisations in certain cases to obtain individuals' consent to that collection, use or disclosure.
However, the rules also contain a number of exceptions to the consent requirement. Under one such exemption under the Act, organisations may use personal data without consent "for a research purpose, including historical or statistical research", subject to a number of qualifications.
Under those qualifications, the right to use personal data without consent in research projects only applies if "the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form". In addition, it must be "impracticable for the organisation to seek the consent of the individual for the use" and the data must not be used to "contact persons to ask them to participate in the research".
The final condition is that the linkage between the personal data and other information envisaged for use in a research project must not be "harmful to the individuals identified by the personal data" and the benefits of the linkage of the data must be "clearly in the public interest".
The PDPC's health sector guidance has been published alongside other data protection guidelines for organisations operating in the education (25-page / 301KB PDF) or social services (30-page / 355KB PDF) sectors. In May it published data protection guidance for telecoms market operators and businesses in the real estate agency sector.
The health sector guidelines highlight how Singapore's data protection laws apply in a number of practical scenarios, including in cases where patients are referred from one health care provider to another. It also sets out what permissions medical professionals can be deemed to have been given by patients seeking medical care and the extent to which new consent is required to use patient data in another context.
According to the guidance, health bodies do not need to obtain new consent from patients to share medical records with other health bodies each time they want to share that data for the purpose of facilitating medical treatment to those patients if they have obtained patients' consent to the disclosure of their data for that purpose once before.