Policy for Personal Data Protection Act
- This policy exists to ensure the organization is committed to treating personal data and/or sensitive personal data in accordance with the Personal Data Protection Act 2010 (hereinafter referred to as "PDPA"), the Private Healthcare Facilities and Services Act 1998 (Act 586) and its Regulations and Orders, and other related legislation.
- The organization will comply with all relevant legislation, codes of professional ethics and accepted standards with regard to patient/customer’s rights to privacy and to have personal disclosures and medical information handled with strict confidentiality as underpinned by legal and professional standards.
- To provide instructional guidelines on handling matters relating to personal data and privacy.
- To ensure effective and appropriate processing of the personal data and privacy of our employees, consultants practicing within the organization, locums, external service providers, patients, customers, visitors and others who visit the organization (hereinafter referred to collectively as the stakeholders of the organization).
- The protection of Personal Data is an important concern to the organization, and any Personal Data collected will be treated in accordance with the Personal Data Protection Act 2010.
This policy applies to all employees within the organization, contractual employees and all external service providers for the organization. This policy also applies to all consultants practicing within the organization.
3.1 Collection of Personal Data & Sensitive Personal Data
The organization collects personal data and/or sensitive personal data from employees, contractual employees, consultants practicing within the organization (independent contractors), external service providers and patients/customers. In an emergency, the organization also collects personal data and/or sensitive personal data from a family member, friend, carer or other person so that the organization can provide appropriate healthcare to the patient/customer.
The personal data held by the organization includes but is not limited to the following:
a) Personal data of the employees
b) Medical records of patients
c) Personal records of the consultants practicing within the organization
d) Other records such as complainants, external service providers, corporate clients, GPs etc.
3.2 Security & Confidentiality of Personal Data & Sensitive Personal Data Collected
The organization follows strict rules and policies regarding the secure storage of personal information in all formats in order to protect the personal data and/or sensitive personal data of the stakeholders of the organization from unauthorized or accidental access, loss, release or other misuse.
3.3 Collection of Personal Data & Sensitive Personal Data
When collecting personal data, the organization shall collect it for a directly related purpose and shall ensure at all times that the personal data collected is relevant and adequate for the purpose for which it was originally collected.
3.4 The 7 Principles under PDPA
a) The General Principle (section 6 PDPA)
b) Notice and Choice Principle (section 7 PDPA)
c) Disclosure Principle (section 8 PDPA)
d) Security Principle (section 9 PDPA)
e) Retention Principle (section 10 PDPA)
f) Data Integrity Principle (section 11 PDPA)
g) Access Principle (section 12 PDPA).
3.5 Use or Disclosure of Personal Data & Sensitive Personal Data
Personal data and/or sensitive personal data held either in paper or electronic format may be used by the organization, or disclosed outside the organization, to enable appropriate health services to be provided to the patient/customer and/or the stakeholders of the organization, whether or not in the course of their duties, subject always to the condition that it shall only be used for the purpose(s) that was agreed. For example, personal data and/or sensitive personal data may be used or disclosed in the following instances, which include but are not limited to:
- Personal data and/or sensitive personal data of the employees of the organization are collected or provided for employment related purposes.
- Personal data and/or sensitive personal data of the stakeholders of the organization are processed by the organization together with third party agents/managed care organizations for claim processing, review and other related matters in the course of services provided by the organization to the stakeholders of the organization.
- Limited access to records in the Hospital Information System is granted to authorized vendors of the organization for troubleshooting purposes only.
Personal data and/or sensitive personal data of the stakeholders of the organization shall not be disclosed to third parties except with the consent or explicit consent of the stakeholders of the organization.
3.6 Exemption Under PDPA
Section 45 (1) There shall be exempted from the provisions of this Act personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs, including recreational purposes.
Section 45 (2) Subject to section 46, personal data:
a) Processed for:
- The prevention or detection of crime or for the purpose of investigations
- The apprehension or prosecution of offenders; or
- The assessment or collection of any tax or duty or any other imposition of a similar nature,
Shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
b) Processed in relation to information of the physical or mental health of a data subject shall be exempted from the Access Principle and other related provisions of this Act of which the application of the provisions to the data subject would be likely to cause serious harm to the physical or mental health of the data subject or any other individual;
c) Processed for preparing statistics or carrying out research shall be exempted from the General Principle and other related provisions of this Act, provided that such personal data is not processed for any other purpose and that the resulting statistics or the results of the research are not made available in a form which identifies the data subject;
d) That is necessary for the purpose of or in connection with any other judgment of a court shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act;
e) Processed for the purpose of discharging regulatory functions shall be exempted from the General Principle, Notice and Choice Principle, Disclosure Principle and Access Principle and other related provisions of this Act if the application of those provisions to the personal data would be likely to prejudice the proper discharge of those functions; or
f) Processed only for journalistic, literary or artistic purposes shall be exempted from the General Principle, Data Integrity Principle and Access Principle and other related provisions of this Act, provided that:
- The processing is undertaken with a view to the publication by any person of the journalistic, literary or artistic material;
- The data user reasonably believes that, taking into account the special importance of public interest in freedom of expression, the publication would be in the public interest; and
- The data user reasonably believed that in all the circumstances compliance with the provision in respect of which the exemption is claimed is incompatible with the journalistic, literary or artistic purposes.
Section 46 (1) The Minister may, upon the recommendation of the Commissioner, by order published in the Gazette exempt —
a) The application of any of the Personal Data Protection Principles under this Act to any data user or class of data users; or
b) Any data user or class of data users from all or any of the provisions of this Act.
Section 46 (2) — The Minister may impose any terms or conditions as he thinks fit in respect of any exemption made under subsection (1).
Refer to sections 45 and 46 of the PDPA. Please consult the Personal Data Protection Officer (hereinafter referred to as "PDPO") of the organization for further advice and clarification.
3.7 Extent of Disclosure of Personal Data Under PDPA
Section 39 Notwithstanding section 8, personal data of a data subject may be disclosed by a data user for any purpose other than the purpose for which the personal data was to be disclosed at the time of its collection or any other purpose directly related to that purpose, only under the following circumstances:
a) The data subject had given his consent to the disclosure;
b) The disclosure —
i) Is necessary for the purpose of preventing or detecting a crime or for the purpose of investigations; or
ii) Was required or authorized by or under any law or by the order of a court;
c) The data user acted in the reasonable belief that he had in law the right to disclose the personal data to the other person;
d) The data user acted in the reasonable belief that he would have had the consent of the data subject if the data subject had known of the disclosing of the personal data and the circumstances of such disclosure; or
e) The disclosure was justified as being in the public interest in the circumstances as determined by the Minister.
3.8 Processing of Sensitive Personal Data
PDPA Section 40 (1) Subject to subsection (2) and section 5, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions:
a) The data subject has given his explicit consent to the processing of the personal data;
b) The processing is necessary —
i) For the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;
ii) In order to protect the vital interests of the data subject or another person, in a case where —
(a) Consent cannot be given by or on behalf of the data subject; or
(b) The data user cannot reasonably be expected to obtain the consent of the data subject;
iii) In order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;
iv) For medical purposes and is undertaken by-
(a) A healthcare professional or
(b) A person who, in the circumstances, owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;
v) For the purpose of or in connection with any legal proceedings;
vi) For the purpose of obtaining legal advice;
vii) For the purpose of establishing, exercising or defending legal rights;
viii) For the administration of justice;
ix) For the exercise of any functions conferred on any person by or under any written law; or
x) For any other purposes as the Minister thinks fit; or
c) The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
Section 40 (2) The Minister may by order published in the Gazette exclude the application of subparagraph (1)(b)(i), (viii) or (ix) in such cases as may be specified in the order, or provide that, in such cases as may be specified in the order, the condition in subparagraph (1)(b)(i), (viii) or (ix) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
Section 40 (4) For the purpose of this section —
“medical purposes” includes the purposes of preventive medicine, medical diagnosis, medical research, rehabilitation and the provision of care and treatment and the management of healthcare services;
“healthcare professional” means a medical practitioner, dental practitioner, pharmacist, clinical psychologist, nurse, midwife, medical assistant, physiotherapist, occupational therapist and other allied healthcare professionals and any other person involved in the giving of medical, health, dental, pharmaceutical and any other healthcare services under the jurisdiction of the Ministry of Health.
3.9 Transfer of Personal Data
Personal data collected by the organization should not be transferred to other parties without the consent of the stakeholders of the organization. Any transfer of personal data to third parties must be properly documented. Please consult the PDPO if in any doubt.
3.10 PDPA Compliance by the Organization
The Medical Record Officer has been appointed as PDPO for the organization to assist, organize, implement and update the PDPA compliance program within the organization. Those engaged by the organization, whether permanent employees, contractual employees, consultants or external service providers, shall comply with the PDPA.
3.11 PDPA & Patient/Customer Rights & Responsibilities Awareness for Patients/Customers, Family Members & Carers of the Patient/Customer
The organization has disseminated, and will continue to disseminate, information on patient rights and responsibilities, together with awareness of the PDPA, through pamphlets, brochures and the PDPA Notice sent to the stakeholders of the organization.
Patient personal data is governed by the PDPA, in which such information is referred to as “Personal Data” (personal information such as name, gender, contact details, etc.), which also includes “Sensitive Personal Data” (personal information relating to physical or mental health condition, religious belief, etc.); both are hereinafter collectively referred to as “Personal Data”. The protection of personal data is an important concern to the organization, and any Personal Data collected will be treated in accordance with the Personal Data Protection Act 2010.
Personal Data and Sensitive Personal Data include but not limited to:
a) The Patient’s health condition or healthcare history, which means any care services or procedure provided to diagnose, treat or maintain the Patient’s physical or mental condition; provided to prevent disease or injury or promote health; or that affects the structure or a function of the body, and includes the sale or dispensing of a drug, device, equipment or other item pursuant to a prescription.
b) Provision of healthcare to the Patient; or
c) Payment for healthcare provided to the patient, which includes the “Medical Record Number” and any other identifying number, symbol or particular assigned to the patient, the room number and any identifying information about the patient that is collected in the course of, and is incidental to, the provision of healthcare or payment for healthcare, and professional fees, charges, costs and/or expenses howsoever defined or incurred for medical treatment/services and/or surgical procedures, nursing care, pharmacy or any other related or incidental services provided by the medical consultants and/or the Hospital.
3.12 Training Programs within the organization with regard to duties of confidentiality
In-house training is conducted by the respective departments to educate employees and consultants on duties of confidentiality and privacy rights towards the patient/customer and the family members and carers of the patient/customer of the organization. HODs are to attend external seminars to enhance their knowledge of duties of confidentiality.
In-house training on confidentiality and privacy rights towards the stakeholders of the organization is conducted on an ad-hoc basis, as the need arises.
3.13 Media Enquiries with regards to incidents within the organization
The Director of Marketing is the main liaison with media representatives and is responsible for communicating with the media and other personnel within the organization when receiving queries on incidents occurring within the organization that require feedback and a reply from the organization.
3.15 All enquiries pertaining to the PDPA shall be directed to the PDPO.