The document provides an overview of Malaysia's Personal Data Protection Act 2010. It discusses key aspects of the Act, including the establishment of a Personal Data Protection Commissioner, the 7 data protection principles, and requirements around notice, consent, disclosure, security, retention, data integrity and access. It also discusses some examples of data breaches and penalties for non-compliance. The Act aims to regulate the processing of personal data and protect privacy as digital data and internet usage continue to grow significantly.
Personal Data Protection Act 2010
• Passed on 10 June 2010
• The Minister has appointed a Director General and created a PDP Department
• Once the PDPA comes into force, the DG may assume the role of Data Protection Commissioner
• Once the PDPA is brought into force, Data Users have 3 months to comply
Growth of computer networks and the internet – huge impact on society
• Over the last 3 decades computer networks have made pervasive inroads into our everyday lives, both in business and in the home
• The internet came along and connected the world
• Computer networks enabled efficient collection, manipulation and storage of data – and vast quantities of it too
• Data can be stored anywhere in the world – not necessarily where it is collected
• Gigabytes of personal data are accessed and used on a daily basis
• New threats affecting privacy and data protection (identity theft, Facebook, Twitter, Friendster, etc.)
Has your Personal Data been abused lately?
• How many marketing SMSs do you receive in a day?
• Has a bank offered you a pre-approved loan lately?
• Does your telco send you “I love you” MMSs without your consent?
• Did you get a season’s greeting from the Prime Minister lately?
• Did you get an email telling you that you have won USD5 million in a European lottery?
None of these activities may have had your consent.
What is Personal Data?
• Personal Data (PD) means any information which relates directly or indirectly to a data subject, who is identified or identifiable from that information
Examples: Name, Address, Photographs, IC, Bank Account details, Medical Records / History
Some Definitions
Data Subject (DS) – an individual who is the subject of the PD – includes patients and employees
Data User (DU) – a person who processes any PD or has control over or authorises the processing of any PD, but does not include a data processor
Processing is defined widely
• Processing – means collecting, recording, holding, storing and carrying out operations on that data, such as organisation, adaptation, retrieval, use, disclosure, transmission, transfer, correction, erasure and destruction
Data lifecycle: Collection, Use, Disclosure, Destruction
Application of the PDPA
• The Act applies to:
(a) personal data which is processed;
(b) any person who processes, and any person who has control over or authorises the processing of, any personal data in respect of commercial transactions; such a person is a “data user”
Commercial transactions –
“... of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.
Personal Data Flow – patient (diagram)
Stages shown: Patient Registration (demographics) → Clinical Information at Clinic → Procedures → Clinical Information at Wards → Discharge/Payment
Systems shown: HIS (registration, discharge/payment), HIS / LIS / OIS (procedures); HRM appears alongside each stage
The PDPA – Who Does it NOT Apply To?
• The PDPA does not apply to:
The Federal Government
The State Government
PD processed outside Malaysia, UNLESS intended to be further processed in Malaysia
Current Regulatory Position – Piecemeal Approach to Data Protection
Sources shown in the diagram:
• Private Healthcare & Services Act
• Medical Act
• MMC Guide on Confidentiality
• MMC Guide on Medical Records and Medical Reports
• MMC Code of Professional Conduct
• MMA Code on Medical Ethics
• Patient’s Charter
Pre-PDPA – How Personal Data was dealt with
• PHFSA – hospitals must have a policy on patients’ rights:
Information concerning medical treatment and care;
Be provided with the patient’s medical report within a reasonable time
• Reg 30 – the patient’s MR is the property of the Hospital. The patient has a right to request a medical report
• Retention of MR is for the Limitation Period
• Doctors have a right of access to the MR of old patients to defend civil actions
MMC Guidelines on Doctors
• On medical records and reports
Medical records belong to the hospital
Information in the MR belongs morally and ethically to the patient
Doctors have an obligation to provide comprehensive medical reports upon request by the patient (for 2nd opinion, litigation, etc.)
• Doctor-patient confidentiality
No disclosure to 3rd parties without consent of the patient
Should not reveal patient PD in medical publications
Doctors must exert all powers to preserve patient confidentiality
MMC Guidelines for Doctors – Disclosure to 3rd Parties
• Disclosure within Medical Teams
Doctors must obtain consent of the Patient to share PD with other doctors
Patient can refuse consent for sharing of PD between doctors
• Disclosure to Employers, Insurers
Doctor must inform the Patient and obtain consent before disclosure to these parties
• Disclosure for Medical Teaching and medical audit
Should anonymise PD as far as possible
Doctors who decide to disclose PD must be prepared to explain and justify their decision (MMC Guideline)
The 7 Data Protection Principles Under the PDPA
• General Principle
• Notice & Choice Principle
• Disclosure Principle
• Security Principle
• Retention Principle
• Data Integrity Principle
• Access Principle
PDP Principles – what each covers
1. General Principle – Consent of the DS is required to process PD. For Sensitive Personal Data, explicit consent is required.
2. Notice & Choice Principle – The DU gives Notice to the DS of the processing, a description of the PD, the purpose, the source of the information and the right to request access, the 3rd parties to whom the DU discloses, how to limit the processing, and whether it is obligatory or voluntary to supply the PD.
3. Disclosure Principle – No disclosure of PD without consent of the DS.
4. Security Principle – The DU must take practical steps to protect PD (IT systems and internal processes).
5. Retention Principle – PD should not be kept longer than necessary; it must be destroyed after the purpose is met.
6. Data Integrity Principle – The DU must ensure data processed is accurate, complete and up-to-date, having regard to the purpose of collection.
7. Access Principle – The DS must have access and be able to correct the PD if inaccurate.
1. General Principle – consent
• A data user cannot process any PD about a Data Subject unless the Data Subject has given his consent.
• Consent can be expressed or implied
• PD cannot be processed unless:
PD is processed for a lawful purpose directly related to the activity of the Data User
The processing of PD is necessary for or directly related to that purpose
Directly related to that purpose means the reason that the PD was collected.
Eg: a person comes for a blood test and his consent is acquired to conduct all the necessary tests. However, the consent shall not extend to the publication of his blood test results in a medical article.
PD is adequate but not excessive in relation to that purpose
Eg: a patient comes to the ER to see the doctor for fever medication. It is not necessary to ask the patient for his grandparents’, aunt’s or uncle’s names, IC, address, etc.
Distinction between consent for medical purposes and other purposes
2. Notice & Choice Principle
• A DS is required to give written consent to the DU:
That PD is being processed, with a description of the PD being processed
The purposes for which the PD is collected and processed
The DS’s right to request access to and request correction of the PD
Disclosure to any 3rd parties that may be made
3. Disclosure Principle
• No Personal Data shall be disclosed without the consent of the DS:
For any purpose other than the original purpose as disclosed to the DS at the time of collection
A purpose directly related to the purpose above
To any party other than a 3rd party already notified to the DS (under the Notice Principle)
• Disclosure for the purpose of research, or discussions in medical meetings / seminars: this disclosure is allowed as long as the data being disclosed cannot be related to a particular person
• Note: Disclosure to the Ministry of Health is a compulsory disclosure and thus shall be exempted.
Case note – disclosure: improper disclosure of SPD to a Government Agency
The complainant had medical tests at a pathology clinic and asked that the results be provided only to their treating medical specialist and solicitor. The test results were to be part of a claim that the complainant was making to a federal government agency. The complainant later became aware that the clinic had provided the results directly to that government agency. The DS complained to the Data Commissioner.
The clinic had advised its staff to send the results directly to the government agency noted on the complainant’s form. The clinic contended that this was an isolated error.
As this information was disclosed for a purpose other than the primary purpose for which it was collected, the Commissioner formed the view that the disclosure was an interference with the complainant’s privacy. The clinic paid compensation to the DS.
4. Security Principle
• The DU shall take practical steps to protect PD from any
Loss, misuse, modification
Unauthorised or accidental access or disclosure
Alteration or destruction
having regard to the location, IT systems and mode of transfer of the PD
• Hospital IT systems such as the HMIS, HIS and LIS need strict policies
• Transfer to 3rd party service providers such as outside labs, and transfers of PD overseas
Security issues: use of portable devices (laptops, USB, external hard drives, CD, DVD)
Transmission of patient info via fax
Storage function of medical devices
Remote access to MR
Doctors have to comply with the Hospital’s policies regarding PDPA requirements
Sony fined GBP 250,000 for Breach of Security
• A cyber attack on Sony’s PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft, including credit card details
• It could have been prevented if Sony’s software was up-to-date and technical developments hadn’t made passwords insecure
• “There’s no disguising that this is a business that should have known better,” said the ICO’s data protection director David Smith. “It is a company that trades on its technical expertise and there is no doubt in my mind that they had access to both the technical expertise and the resources to keep this information safe.”
Data Processor
• Where PD is processed on behalf of the DU, the DU shall ensure that the Data Processor:
Provides guarantees in respect of technical and security measures governing the processing; and
Takes reasonable steps to ensure compliance with those measures
Eg: The IT system in SDMC PC – the system was designed for SDH and they do have access to our patient records.
Data Processor = Outsourced Service Providers
5. Retention Principle
• PD shall not be kept longer than is necessary for the fulfillment of the original purpose
• The DU has a duty to take all reasonable steps to ensure that PD is:
• Destroyed (must be done in a proper manner); or
• Permanently deleted
…… if it is no longer required for the purpose for which it was processed
QUESTION: how long is long?
Depends on the nature of your business and the commercial reasons to keep data
7 years / 25 years / hospital policy
6. Data Integrity Principle
• The DU has a duty to take all reasonable steps to ensure that PD is:
• Accurate
• Complete
• Not misleading; and
• Kept up to date
7. Access Principle
• A data subject shall be given access to his personal data upon a Data Access Request
• All information that is being processed by or on behalf of the Data User
• Entitled to an intelligible copy of the PD
• Access can be just to view or to get a copy
• Subject to some exceptions
Under the PDPA, a patient may now get access to his entire MR
Case note – who can access PD
The Hospital prepared a health report for an insurance company. The patient wanted a copy under the Access Principle; the Hospital refused.
The DC held that all PD held by the hospital, including the report, should be provided to the data subject, regardless of for whom it was prepared.
GE Healthcare Admits Sending NHS Patient Data to US
• Personal details of 600,000 patients were sent to the US following a mistake made by the NHS’s IT provider, GE Healthcare
• GE Healthcare admitted that the error had occurred after it had obtained more patient data than it needed, but stressed that there was no need to worry
• Overloaded in PD
• GE Healthcare recently discovered that they obtained more patient data from diagnostic imaging products than they needed to perform services to their customers
NHS Trust fined 325,000 for data breach
• Brighton and Sussex University Hospital NHS Trust has been fined 400,000 euros following a serious breach of the UK Data Protection Act
• Highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito Urinary Medicine patients, was on hard drives sold on an Internet auction site in October and November 2010
• The data breach occurred when an individual engaged by the Trust’s IT service provider was tasked to destroy approximately 1000 hard drives
• The individual sold 4 hard drives on an internet auction in December 2010
Offences and Penalties
• If a body corporate commits an offence under the PDPA, any person who at the time of the offence was a director, CEO, COO, Manager, etc. may be charged jointly or severally with the company
• Liability also attaches to Senior Management for acts or omissions of any employee acting in the course of their employment.
• Section 5 (1)
Anyone who contravenes the Personal Data Protection Principles commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years, or to both
Penalties for other offences range from RM100k to RM500k, with imprisonment ranging from 1 – 3 years
Eg. For unlawful collection or selling of PD – 500k and 3 years