The PDPA and Doctors
It is important that everyone in the healthcare industry – doctors, dentists, pharmacists etc. – know that the PDPA is now upon us. Everyone in the private sector service industry which uses and processes personal data in commercial transactions comes under this Act which was gazetted to be enforced on November 15, 2013 (albeit with a short grace period).
The act is designed to protect one’s personal data and ensure privacy so that one’s personal data is not abused.
Here is a brief slide presentation which tells you about the PDPA
Here are a few important things to note for doctors
1) Doctors can be both Data Users (one who holds and processes the data) as well as Data Subjects (those whose data is being held and processed).
2) All private hospitals, clinics and pharmacies come under the PDPA as it stands, and according to the Law are required to register as Data Users.
3) The Act does not apply to the Government sector
4) Healthcare information (e.g. patients’health records and data) is deemed “sensitive” data under the PDPA section 40 so explicit consent is required e.g. when issuing a medical report.
5) The penalty for non-compliance with the code of practice is “a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.”
Recently there was a bit of a kerfuffle when doctors (as Data Subjects) were required to sign a consent form by a large pharmaceutical company, giving them rather blanket permission to do whatever they wish with the Doctors’ personal data. This naturally upset the doctors and the doctors organisations like the FPMPAM have advised doctors NOT TO SIGN until this is clarified. Perhaps the pharmaceutical company concerned was merely trying to protect itself under the PDPA but it should have made it clear the Doctors’ data would be use only in the course of relevant business dealings. (If I am not mistaken, all that was needed is an implied consent in this case rather than explicit consent, for dealings between the pharmaceutical firm and doctors).
Doctors who run private clinics should be even more concerned that unless there is a change to the Act, they are now required by Law (yes, yet another layer of bureaucracy apart from the PHFSA) to register their clinic as a Data User and this entails submitting a registration form with required documentation. There are also annual fees to contend with, the quantum varying depending on whether one is a Sole proprietorship, Partnership or a Sdn Bhd.
This important topic is being covered and discussed in the Dobbs Forum for Malaysian doctors thread The PDPA and Doctors . Links to downloading the registration form, clarification about the fees and more information about the issue with the pharmaceutical firm above can be found in the thread, as well as more information about the PDPA itself. If you have questions or wish to know more, please join the forum and ask there.
For interested readers, here is the link to the Act