The Singapore Personal Data Protection Commission ("PDPC") recently released Advisory Guidelines for the Healthcare Sector (the "Guidelines"), on the application of the Personal Data Protection Act 2012 ("PDPA") to the healthcare sector. What's notable about these Guidelines is that they were developed together with Singapore's Ministry of Health ("MOH").
By and large, the Guidelines are uncontroversial. Some highlights:
The Guidelines also shed some light on how the PDPA affects third parties:
Again, uncontroversial. If a clinic is calling a patient for service-related purposes such as to follow up on an appointment, this is not regarded as a telemarketing message and the clinic is not required to check the DNC Registry prior to making the call. Tagging on a marketing element to a service call will change the nature of the call and it will be regarded as a telemarketing call.
If a patient is undergoing treatment on an ongoing basis at a clinic for a chronic ailment, the clinic may be able to avail itself of the ongoing relationship exemption, which exempts the clinic from checking the DNC Registry before sending the patient telemarketing messages about new drugs which may treat the ailment. This exemption won't apply to recipients who have never sought treatment at the clinic or who don't have ongoing relationships with the clinic.
As always, telemarketing messages can be sent if clear and unambiguous consent has been obtained from the recipient.
DNC compliance can be confusing at first glance, so training will be necessary to ensure that staff who make such calls know what's acceptable and what is off-limits. It's also worth remembering that generally, the organization (and not the staff personally) is responsible for DNC compliance, so the organization has a vested interest in ensuring that its staff are well trained.
This is an interesting area. The Guidelines note that medical records being used for retrospective research studies may be exempted from the consent requirement if:
The Guidelines are silent on the use of medical records for prospective research. That's not to say that prospective research isn't regulated - the Medicines Act, Medicines (Clinical Trials) Regulations, Singapore Guideline for Good Clinical Practice, Health Sciences Authority and ethics review boards provide comprehensive regulation in relation to clinical trials. However, the clinical trial regulatory framework isn't personal-data-centric. As such, it's not likely to provide quite the same scope of protection to personal data as the PDPA.
Contract research organizations and other entities conducting clinical trials will therefore need to ensure that their informed consent forms now specifically comply with the PDPA in addition to existing clinical trial regulatory requirements (e.g. informed consent forms should provide notice relating to the collection, use and disclosure, including transfers out of Singapore, of the subject's personal data).
Healthcare research involves many disclosures and transfers of personal data, such as transferring DNA samples to labs outside Singapore, or genetic information to third parties such as research centres or other doctors. Clinical trials are often global endeavors at the Phase 3 stage, which means there may be transfers of personal data around the world. I also suspect that genetic information is probably hard to anonymize, assuming it can be anonymized at all.
I'm keeping my fingers crossed that the PDPC will release more information on the application of the PDPA to clinical trials and, more generally, prospective research in the healthcare sector, and I think there is room for our privacy framework to cover this area more comprehensively.
Associate Director, Bernard & Rada Law Corporation
The posts found in this Law Blog are not legal advice, nor are they given for the purpose of providing legal advice.
You should contact your lawyer for legal advice if you need legal assistance.