
PERSONAL DATA PROTECTION ACT 2010

Personal Data Protection Act 2010

• Passed on 10 June 2010
• The Minister has appointed a Director General & created a PDP Dept
• Once the PDPA comes into force the DG may assume the role of Data Protection Commissioner
• Once the PDPA is brought into force, Data Users have 3 months to comply

PDPA governance structure (slide diagram): Minister of Information, Communication and Culture; Appeal Mechanism; Personal Data Protection Commissioner; Data User Forum; Advisory Committee; Data User.

Growth of computer networks & internet – Huge impact on society
• Over the last 3 decades computer networks have made pervasive inroads into our everyday lives, both in business and in the home
• The internet came along and connected the world
• Computer networks enabled efficient collection, manipulation and storage of data – and vast quantities of it too
• Data can be stored anywhere in the world – not necessarily where it is collected
• Gigabytes of personal data are accessed and used on a daily basis
• New threats affecting privacy and data protection (identity theft, Facebook, Twitter, Friendster, etc.)

Has your Personal Data been abused lately?
• How many marketing SMSes do you receive in a day?
• Has a bank offered you a pre-approved loan lately?
• Does your telco send you “I love you” MMSes without your consent?
• Did you get a season’s greeting from the Prime Minister lately?
• Did you get an email telling you that you have won USD5 million in a European lottery?

None of these activities may have had your consent.

What is Personal Data?
• Personal Data (PD) means any information which relates directly or indirectly to a data subject, who is identified or identifiable from that information
  - Examples: Name, Address, Photographs, IC, Bank Account details, Medical Records / History

Some Definitions
• Data Subject (DS) – an individual who is the subject of the PD – includes patients and employees
• Data User (DU) – a person who processes any PD or has control over or authorizes the processing of any PD, but does not include a data processor

Processing is defined widely
• Processing – means collecting, recording, holding, storing and carrying out operations with that data, such as organisation, adaptation, retrieval, use, disclosure, transmission, transfer, correction, erasure & destruction

Processing lifecycle (slide diagram): Collection, Use, Disclosure, Destruction.

Application of the PDPA
• The Act applies to:
  (a) personal data which is processed;
  (b) any person who processes and any person who has control over or authorizes the processing of any personal data in respect of commercial transactions, and such a person is a “data user”

• Commercial transactions – “... of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.

Personal Data Flow - patient (slide diagram): the stages shown are Patient Registration (demographics), Clinical Information at Clinic, Procedures (HIS, LIS, OIS), Clinical Information at Wards and Discharge/Payment (HIS), with HRM shown alongside each stage.

The PDPA – Who Does it NOT Apply To?
• The PDPA does not apply to:
  - The Federal Government
  - The State Government
  - PD processed outside Malaysia UNLESS intended to be further processed in Malaysia

Healthcare Sector in Malaysia – Current Position, Pre-PDPA 2010

Current Regulatory Position – Piecemeal Approach to Data Protection
• Private Healthcare & Services Act
• MMC Guide on Confidentiality
• Medical Act
• MMC Guide on Medical Records and Medical Reports
• MMA Code on Medical Ethics
• Patient’s Charter
• MMC Code of Professional Conduct

Pre-PDPA – How Personal Data was dealt with
• PHFSA – hospitals must have a policy on Patients’ rights:
  - Information concerning medical treatment and care;
  - Be provided with the patient’s medical report within a reasonable time
• Reg 30 – the patient’s MR is the property of the Hospital. The Patient has a right to request a medical report
• Retention of MR is for the Limitation Period
• Doctors have a right of access to the MR of old patients to defend civil actions

MMC Guidelines on Doctors
• On medical records and reports
  - Medical records belong to the hospital
  - Information in the MR belongs morally and ethically to the patient
  - Doctors have an obligation to provide comprehensive medical reports upon request by the patient (for 2nd opinion, litigation etc)
• Doctor-patient confidentiality
  - No disclosure to 3rd parties without consent of the patient
  - Should not reveal patient PD in medical publications
  - Drs must exert all powers to preserve patient confidentiality

MMC Guidelines for Doctors – Disclosure to 3rd Parties
• Disclosure within Medical Teams
  - Drs must obtain consent of the Patient to share PD with other doctors
  - Patient can refuse consent for sharing of PD between doctors
• Disclosure to Employers, Insurers
  - Dr must inform the Patient and obtain consent before disclosure to these parties
• Disclosure for Medical Teaching and medical audit
  - Should anonymise PD as far as possible

Doctors who decide to disclose PD must be prepared to explain and justify their decision (MMC Guideline)

The 7 Data Protection Principles Under the PDPA (slide diagram): General Principle; Notice & Choice Principle; Disclosure Principle; Security Principle; Retention Principle; Data Integrity Principle; Access Principle.

PDP Principles and what each covers:
1. General Principle – Consent of the DS is required to process PD. For Sensitive Personal Data, explicit consent is required
2. Notice & Choice Principle – The DU gives Notice to the DS of the processing, a description of the PD, the purpose, the source of the information, the right to request access, the 3Ps to whom the DU discloses, how to limit the processing, and whether it is obligatory or voluntary to supply the PD
3. Disclosure Principle – No disclosure of PD without the consent of the DS
4. Security Principle – The DU must take practical steps to protect PD (IT systems & internal processes)
5. Retention Principle – PD should not be kept longer than necessary; it must be destroyed after the purpose is met
6. Data Integrity Principle – The DU must ensure data processed is accurate, complete and up-to-date, having regard to the purpose of collection
7. Access Principle – The DS must have access and be able to correct the PD if inaccurate

1. General Principle - consent
• A data user cannot process any PD about a Data Subject unless the Data Subject has given his consent.
• Consent can be expressed or implied
• PD cannot be processed unless:
  - PD is processed for a lawful purpose directly related to the activity of the Data User
  - The processing of PD is necessary for or directly related to that purpose
    Directly related to that purpose means the reason for which the PD was collected.
    Eg: a person comes for a blood test and his consent is acquired to conduct all the necessary tests. However, the consent shall not extend to the publication of his blood test results in a medical article.
  - PD is adequate but not excessive in relation to that purpose
    Eg: a patient comes to the ER to see the doctor for fever medication. It is not necessary to ask the patient for his grandparents’, aunt’s or uncle’s names, IC, address, etc.

Distinction between consent for medical purposes and other purposes

2. Notice & Choice Principle
• A DS is required to give written consent to the DU:
  - That PD is being processed, and provide a description of the PD being processed
  - The purposes for which the PD is collected and processed
  - The DS’s right to request access to and request correction of the PD
  - Disclosure to any 3rd parties that may be made

3. Disclosure principle
• No Personal Data shall be disclosed without the consent of the DS:
  - For any purpose other than the original purpose as disclosed to the DS at the time of collection
  - A purpose directly related to the purpose above
  - To any party other than a 3rd party already notified to the DS (under the Notice Principle)
• Disclosure for the purpose of research, discussions in medical meetings / seminars: this disclosure is allowed as long as the data that is being disclosed cannot be related to a particular person
• Note: Disclosure to the Ministry of Health – this is a compulsory disclosure and thus shall be exempted.

Case note - disclosure: Improper disclosure of SPD to a Government Agency

The complainant had medical tests at a pathology clinic and asked that the results be provided only to their treating medical specialist and solicitor. The test results were to be part of a claim that the complainant was making to a federal government agency. The complainant later became aware that the clinic had provided the results directly to that government agency. The DS complained to the Data Commissioner.

The clinic advised that clinic staff had sent the results directly to the government agency noted on the complainant’s form. The clinic contended that this was an isolated error. As this information was disclosed for a purpose other than the primary purpose for which it was collected, the Commissioner formed the view that the disclosure was an interference with the complainant’s privacy.

The clinic paid compensation to the DS.

The security principle needs to be adequate but it shouldn’t be unreasonable.

4. Security Principle
• DU shall take practical steps to protect PD from any
  - Loss, misuse, modification
  - Unauthorized or accidental access or disclosure
  - Alteration or destruction
  having regard to the location, IT systems and mode of transfer of the PD
• Hospital IT systems such as the HMIS, HIS and LIS need strict policies
• Transfer to 3rd party service providers such as outside labs and transfers of PD overseas
• Security issues:
  - Use of portable devices (laptops, USB, external hard drives, CDs, DVDs)
  - Transmission of patient info via fax
  - Medical devices’ storage functions
  - Remote access to MR

Doctors have to comply with the Hospital’s policies regarding PDPA requirements

Sony fined GBP 250,000 for Breach of Security
• A cyber attack on Sony’s PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft, including credit card details
• It could have been prevented if Sony’s software had been up-to-date and technical developments hadn’t made the passwords insecure
• “There’s no disguising that this is a business that should have known better,” said the ICO’s data protection director David Smith
• “It is a company that trades on its technical expertise and there is no doubt in my mind that they had access to both the technical expertise and the resources to keep this information safe.”

Data Processor
• Where PD is processed on behalf of a DU, the DU shall ensure that the Data Processor:
  - Provides guarantees in respect of technical and security measures governing the processing; and
  - Takes reasonable steps to ensure compliance with those measures
  - Eg: The IT system in SDMC PC – system designed for SDH and they do have access to our patient records.

Data Processor = Outsourced Service Providers

5. Retention Principle
• PD shall not be kept longer than is necessary for the fulfillment of the original purpose
• DU has a duty to take all reasonable steps to ensure that PD is:
  - Destroyed (must be done in a proper manner); or
  - Permanently deleted
  …… if it is no longer required for the purpose for which it was processed
• QUESTION: how long is long?
  - Depends on the nature of your business and the commercial reasons to keep data
  - 7 years / 25 years / hospital policy

6. Data Integrity Principle
• DU has a duty to take all reasonable steps to ensure that PD is:
  - Accurate
  - Complete
  - Not misleading; and
  - Kept up to date

7. Access Principle
• A data subject shall be given access to his personal data upon a Data Access Request
• All information that is being processed by or on behalf of the Data User
• Entitled to an intelligible copy of the PD
• Access can be just to view or to get a copy
• Subject to some exceptions

Under the PDPA, a patient may now get access to his entire MR

Case note - Who can access PD

The Hospital prepared a health report for an insurance company. The Patient wanted a copy under the access principle. The Hospital refused.

The DC held that all PD held by the hospital, including the report, should be provided to the data subject, regardless of for whom it was prepared.

GE Healthcare Admits Sending NHS Patient Data to US
• Personal details of 600,000 patients were sent to the US following a mistake made by the NHS’s IT provider, GE Healthcare
• GE Healthcare admitted that the error had occurred after it had obtained more patient data than it needed, but stressed that there was no need to worry
• Overloaded in PD
• GE Healthcare recently discovered that they obtained more patient data from diagnostic imaging products than they needed to perform services to their customers

NHS Trust fined 325,000 for data breach
• Brighton and Sussex University Hospital NHS Trust has been fined 400,000 euros following a serious breach of the UK Data Protection Act
• Highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito Urinary Medicine patients, was on hard drives sold on an Internet auction site in October and November 2010
• The data breach occurred when an individual engaged by the Trust’s IT service provider was tasked to destroy approximately 1000 hard drives
• The individual sold 4 hard drives on an internet auction in December 2010

Offences and Penalties
• If a body corporate commits an offence under the PDPA, any person who at the time of the offence was a director, CEO, COO, Manager etc may be charged jointly or severally with the company
• Liability also attaches to Senior Management for acts or omissions of any employee acting in the course of their employment.
• Section 5 (1)
  - Anyone who contravenes the Personal Data Protection Principles commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or to both
  - Penalties for other offences range from RM100k to RM500k with imprisonment ranging from 1 – 3 years
  - Eg. For unlawful collection or selling of PD – 500k and 3 years

THANK YOU

More Related Content

PPT
Personal Data Protection in Malaysia
PDF
Checklist for SMEs for GDPR compliance
PPT
Personal Data Protection in Malaysia
PDF
Everything you Need to Know about The Data Protection Officer Role
PPTX
skillcast-gdpr-training-presentation-q320.pptx
PPTX
GDPR Introduction and overview
PDF
An overview of the Indian Data Privacy Bill
PDF
Overview on data privacy
Personal Data Protection in Malaysia
Checklist for SMEs for GDPR compliance
Personal Data Protection in Malaysia
Everything you Need to Know about The Data Protection Officer Role
skillcast-gdpr-training-presentation-q320.pptx
GDPR Introduction and overview
An overview of the Indian Data Privacy Bill
Overview on data privacy

What's hot (20)

PPTX
PDPA Compliance Preparation
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
PPT
PDPA 2010 at office (HairulHafiz)
PPTX
Applying the Personal Data Protection Act (Singapore)
PPTX
General Data Protection Regulation
PPTX
Gdpr presentation
PDF
Melihat RUU Pelindungan Data Pribadi
PDF
Privacy-ready Data Protection Program Implementation
PPTX
Presentation on GDPR
PDF
GDPR Basics - General Data Protection Regulation
PDF
Werksmans presentations on popi
PPTX
Legal obligations and responsibilities of data processors and controllers und...
PDF
Personal Data Protection Singapore - Pdpc corporate-brochure
PPTX
Introduction to GDPR
PPTX
GDPR: Training Materials by Qualsys
PDF
GDPR for Dummies
PPTX
GDPR Presentation
PDF
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
PDF
Data protection regulations in Nigeria
PDF
Complying with Singapore Personal Data Protection Act - A Practical Guide
PDPA Compliance Preparation
General Data Protection Regulations (GDPR): Do you understand it and are you ...
PDPA 2010 at office (HairulHafiz)
Applying the Personal Data Protection Act (Singapore)
General Data Protection Regulation
Gdpr presentation
Melihat RUU Pelindungan Data Pribadi
Privacy-ready Data Protection Program Implementation
Presentation on GDPR
GDPR Basics - General Data Protection Regulation
Werksmans presentations on popi
Legal obligations and responsibilities of data processors and controllers und...
Personal Data Protection Singapore - Pdpc corporate-brochure
Introduction to GDPR
GDPR: Training Materials by Qualsys
GDPR for Dummies
GDPR Presentation
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Data protection regulations in Nigeria
Complying with Singapore Personal Data Protection Act - A Practical Guide
Ad

Viewers also liked (20)

PDF
Personal Data Protection Act - Employee Data Privacy
PPT
Data protection act
PDF
Half day public-seminar_on_pdpa_2010_-_250711
PPT
Presentation ICT2
PPTX
Tindak Malaysia: The Die Is Cast
PDF
PMPASKL 52nd AGM and ASM
PDF
Stem congress brochure 180912
PPTX
Role of cancer genomics and next generation sequencing.pptx 2
PPTX
Survey results on EMR
PPT
MOH1Care
PPT
Data Privacy in India and data theft
PPTX
PPTX
Chapter 1
PPT
Impact of ict on privacy and personal data
PPTX
Understanding your heart health with your helo
PPT
Lower Urinary Tract Symptoms in Men for GPs
PPTX
Multiple Myeloma
PPTX
Legal Framework of Internet Banking
PPTX
Hacking and Hacktivism
PDF
GST for Doctors
Personal Data Protection Act - Employee Data Privacy
Data protection act
Half day public-seminar_on_pdpa_2010_-_250711
Presentation ICT2
Tindak Malaysia: The Die Is Cast
PMPASKL 52nd AGM and ASM
Stem congress brochure 180912
Role of cancer genomics and next generation sequencing.pptx 2
Survey results on EMR
MOH1Care
Data Privacy in India and data theft
Chapter 1
Impact of ict on privacy and personal data
Understanding your heart health with your helo
Lower Urinary Tract Symptoms in Men for GPs
Multiple Myeloma
Legal Framework of Internet Banking
Hacking and Hacktivism
GST for Doctors
Ad

Similar to Pdpa presentation (20)

PDF
CyberQ Personal Data Protection Hand-out V6.0.pdf
PPTX
Technology, policy, privacy and freedom
PPTX
Data Privacy and Data Protection-ACT-2023-15-12-2023.pptx
PDF
Data Decoded: Understanding India's Draft Data Protection Bill
PPTX
Governance And Data Protection In The Health Sector - Billy Hawkes
PDF
Pasoco ITSMF,SPMI-PDPA-140626-public
PPTX
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
PPTX
3A – DATA PROTECTION: ADVICE
 
PPTX
Law and Data Protection.pptx by Dr. M.K.
PPTX
Seminar General Data Protection Regulation
PPTX
Presentation gdpr ahti
PPTX
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
PDF
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
PDF
Data Protection Act 1998 (amended 2000)
PPT
2014 dpa training february nn
PPT
Merit Event - Understanding and Managing Data Protection
PPTX
Hexagon presentation light.pptx
PPT
Data Protection Act
PPTX
Paperless Lab Academy 'legal aspects of big data analytics'
PPTX
PLA Legal aspects of Big Data analytics final
CyberQ Personal Data Protection Hand-out V6.0.pdf
Technology, policy, privacy and freedom
Data Privacy and Data Protection-ACT-2023-15-12-2023.pptx
Data Decoded: Understanding India's Draft Data Protection Bill
Governance And Data Protection In The Health Sector - Billy Hawkes
Pasoco ITSMF,SPMI-PDPA-140626-public
DIGITAL PERSONAL DATA PROTECTION ACT 2023-PPT-VPD.pptx
3A – DATA PROTECTION: ADVICE
 
Law and Data Protection.pptx by Dr. M.K.
Seminar General Data Protection Regulation
Presentation gdpr ahti
Chapter 08 – Data Protection, Privacy and Freedom of Information - BIT IT5104
Personal Data Protection in Pharmaceutical Sector (webinar presentation)
Data Protection Act 1998 (amended 2000)
2014 dpa training february nn
Merit Event - Understanding and Managing Data Protection
Hexagon presentation light.pptx
Data Protection Act
Paperless Lab Academy 'legal aspects of big data analytics'
PLA Legal aspects of Big Data analytics final

More from Alan Teh (20)

PPTX
Talk on Prostate Cancer, KL
PDF
Guide to GST for Healthcare services (16 Nov)
PDF
1st Joine ESMO-MOS Conference
PDF
Dialogue with Datuk Seri Gopal Sri Ram
PDF
Guide to GST for Healthcare Services (Malaysia)
PDF
eKlinikmd sponsored edition 2014
PDF
The Malaysian Calendar 2014
PDF
HRI Workshop February 2014
PPTX
Obstructive Sleep Apnoea
PDF
Health metropolis the star e paper metro central - 6 sep 2013 - page #4
PDF
10th apchg 2nd ann (13 august)
PDF
Haemostasis workshop final announcement
PDF
Haemostasis workshop final announcement
PDF
Introductory bioinformatics workshop flyer
PDF
AFH 2012 flyer
DOC
Annualreport2012
DOC
Agmmins2011
PDF
Taknak 1care forum sitiawan
PPT
Consent
PDF
1 Care Concept Caper
Talk on Prostate Cancer, KL
Guide to GST for Healthcare services (16 Nov)
1st Joine ESMO-MOS Conference
Dialogue with Datuk Seri Gopal Sri Ram
Guide to GST for Healthcare Services (Malaysia)
eKlinikmd sponsored edition 2014
The Malaysian Calendar 2014
HRI Workshop February 2014
Obstructive Sleep Apnoea
Health metropolis the star e paper metro central - 6 sep 2013 - page #4
10th apchg 2nd ann (13 august)
Haemostasis workshop final announcement
Haemostasis workshop final announcement
Introductory bioinformatics workshop flyer
AFH 2012 flyer
Annualreport2012
Agmmins2011
Taknak 1care forum sitiawan
Consent
1 Care Concept Caper

Recently uploaded (20)

PPTX
Acid Base Disorders educational power point.pptx
PPTX
Respiratory drugs, drugs acting on the respi system
PPTX
SKIN Anatomy and physiology and associated diseases
PPTX
Transforming Regulatory Affairs with ChatGPT-5.pptx
PPTX
Stimulation Protocols for IUI | Dr. Laxmi Shrikhande
PPT
Management of Acute Kidney Injury at LAUTECH
PPT
STD NOTES INTRODUCTION TO COMMUNITY HEALT STRATEGY.ppt
PPTX
ACID BASE management, base deficit correction
PPTX
NEET PG 2025 Pharmacology Recall | Real Exam Questions from 3rd August with D...
PPT
MENTAL HEALTH - NOTES.ppt for nursing students
DOC
Adobe Premiere Pro CC Crack With Serial Key Full Free Download 2025
PPTX
LUNG ABSCESS - respiratory medicine - ppt
PPTX
History and examination of abdomen, & pelvis .pptx
PPT
genitourinary-cancers_1.ppt Nursing care of clients with GU cancer
PPTX
Electromyography (EMG) in Physiotherapy: Principles, Procedure & Clinical App...
PPT
Copy-Histopathology Practical by CMDA ESUTH CHAPTER(0) - Copy.ppt
PPTX
CEREBROVASCULAR DISORDER.POWERPOINT PRESENTATIONx
PPTX
JUVENILE NASOPHARYNGEAL ANGIOFIBROMA.pptx
PPTX
surgery guide for USMLE step 2-part 1.pptx
PPT
Breast Cancer management for medicsl student.ppt
Acid Base Disorders educational power point.pptx
Respiratory drugs, drugs acting on the respi system
SKIN Anatomy and physiology and associated diseases
Transforming Regulatory Affairs with ChatGPT-5.pptx
Stimulation Protocols for IUI | Dr. Laxmi Shrikhande
Management of Acute Kidney Injury at LAUTECH
STD NOTES INTRODUCTION TO COMMUNITY HEALT STRATEGY.ppt
ACID BASE management, base deficit correction
NEET PG 2025 Pharmacology Recall | Real Exam Questions from 3rd August with D...
MENTAL HEALTH - NOTES.ppt for nursing students
Adobe Premiere Pro CC Crack With Serial Key Full Free Download 2025
LUNG ABSCESS - respiratory medicine - ppt
History and examination of abdomen, & pelvis .pptx
genitourinary-cancers_1.ppt Nursing care of clients with GU cancer
Electromyography (EMG) in Physiotherapy: Principles, Procedure & Clinical App...
Copy-Histopathology Practical by CMDA ESUTH CHAPTER(0) - Copy.ppt
CEREBROVASCULAR DISORDER.POWERPOINT PRESENTATIONx
JUVENILE NASOPHARYNGEAL ANGIOFIBROMA.pptx
surgery guide for USMLE step 2-part 1.pptx
Breast Cancer management for medicsl student.ppt

Pdpa presentation

  • 1. 1
  • 3. 3 Personal Data Protection Act 2010 • Passed on 10 June 2010 • The Minister has appointed a Director General & created a PDP Dept • Once the PDPA comes into force the DG may assume the role of Data Protection Commissioner • Once the PDPA is brought into force - Data Users have 3 months to comply
  • 4. 4 Minister of Information Communication and Culture Appeal Mechanism Personal Data Protection Commissioner Data User Forum Advisory Committee Data User
  • 5. 5 Growth of computer networks & internet – Huge impact on society • Over the last 3 decades computer networks have made pervasive inroads in our everyday lives, both in business as well as the home • The internet came along and connected the world • Computer networks enabled efficient collection, manipulation and storage of data – and vast quantities of it too • Data can be stored anywhere in the world – not necessarily where it is collected • Gigabytes of personal data are accessed and used on daily basis • New threats affecting privacy and data protection (identity theft, facebook, twitter, friendster, etc)
  • 6. 6 Has your Personal Data been abused lately? • How many marketing sms’s do you receive in a day? • Has a bank offered you a pre-approved loan lately? • Does your telco send you “I love you” mms’s without your consent? • Did you get a season’s greeting from the Prime Minister lately? • Did you get an email telling you that you have won USD5 million in a European lottery? None of these activities may have had your consent
  • 7. 7 What is Personal data • Personal Data (PD) means any information which relates directly or indirectly to a data subject, who is identified or identifiable from that information  Examples : Name, Address, Photographs, IC, Bank Account details, Medical Records / History Some Definitions Data Subject (DS) – an individual who is the subject of the PD – includes patients and employees Data User (DU) – a person who processed any PD or has control over or authorizes the processing of any PD but does not include a data processor
  • 8. 8 Processing is defined widely • Processing – means collecting, recording, holding, storing and carrying out of operations with that data like organizations, adaptation, retrieval, use, disclosure, transmission, transfer, correction, erasure & destruction Collection Use Disclosure Destruction
  • 9. 9 Application of the PDPA • The act applies to : (a) personal data which is processed; (b) any person who processes and any person who has control over or authorizes the processing of any personal data in respect of commercial transactions and such a person is a “data user”; Commercial transactions – “... of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance, but does not include a credit reporting business carried out by a credit reporting agency under the Credit Reporting Agencies Act 2010”.
  • 10. 10 Personal Data Flow - patient HRM Discharge/Payment •HIS Patient Registration (demographics ) HRM PATIENT Clinical Information at Clinic Procedures •HIS •LIS •OIS 10 HRM HRM Clinical Information at Wards HRM
  • 11. 11 The PDPA – Who Does it NOT Apply To? • The PDPA does not apply to : The Federal Government The State Government  PD processed outside Malaysia UNLESS intended to be further processed in Malaysia
  • 12. 12 Healthcare Sector in Malaysia Current Position Pre PDPA 2010
  • 13. 13 Current Regulatory Position – Piecemeal Approach to Data Protection Private Healthcare & Services Act MMC Guide on Confidentiality Medical Act MMC Guide on Medical Records and Medical Reports MMA Code on Medical Ethics Patient’s Charter MMC Code of Professional Conduct
  • 14. 14 Pre-PDPA – How Personal Data was dealt with • PHFSA – hospitals must have a policy on Patients rights: Information concerning medical treatment and care; Be provided with patient’s medical report within a reasonable time • Reg 30 – patient’s MR is the property of Hospital . Patient has a right to request for medical report • Retention of MR is for the Limitation Period • Doctors have right of access to MR of old patients to defend civil actions
  • 15. 15 MMC Guidelines on Doctors • On medical records and reports Medical records belong to the hospital Information in MR belong morally and ethically to the patient  Doctors have obligation to provide comprehensive medical reports upon request by patient (for 2nd opinion, litigation etc) • Doctor patient confidentially No disclosure to 3rd parties without consent of patient Should not reveal patient PD in medical publications Drs must exert all powers to preserve patient confidentiality
  • 16. 16 MMC Guidelines for Doctors – Disclosure to 3rd Parties • Disclosure within Medical Teams Drs must obtain consent of Patient to share PD with other doctors Patient can refuse consent for sharing of PD between doctors • Disclosure to Employers, Insurers Dr must inform Patient and obtain consent before disclosure to these parties • Disclosure for Medical Teaching and medical audit Should anonymise PD as far as possible Doctors who decide to disclose PD must be prepared to explain and justify their decision (MMC Guideline)
  • 18. The 7 Data Protection Principles Under the PDPA General principle Notice & Choice Principle Access Principle PDPA Data Integrity Principle Disclosure Principle Retention Principle Security Principle 18
  • 19. 19 No PDP Principles What it covers 1 General Principle Consent of DS is required to process PD. For Sensitive Personal Data – explicit consent is required 2 Notice & Choice Principle DU give Notice to DS of the processing, description of PD, purpose, source of info and right to request access, 3P to whom DU discloses, how to limit the processing, whether it is obligatory or voluntary to supply PD 3 Disclosure Principle No disclosure of PD without consent of DS 4 Security Principle DU must take practical steps to protect PD (IT System & Internal processes) 5 Retention Principle PD should not be kept longer than necessary – must destroy after purpose is met 6 Data Integrity Principle DU must ensure Data processed is accurate, complete and upto-date having regard to the purpose of collection 7 Access Principle DS must have access and be able to correct if inaccurate
  • 20. 20 1. General Principle - consent • A data user cannot process any PD about a Data Subject unless the Data Subject has given his consent. • Consent can be expressed or implied • PD cannot be processed unless :  PD is processed for a lawful purpose directly related to the activity of the Data User The processing of PD is necessary for or directly related to that purpose Directly related to that purpose means the reason that the PD was collected. Eg: a person comes for a blood test and his consent is acquired to conduct all the necessary test. However, the consent shall not extend to the publication of his blood test results in a medical article. PD is adequate but not excessive in relation to that purpose Eg: a patients comes to ER to see the doctor for fever medication. It is not necessary to ask the patient of his grandparents, aunt, uncle’s names, IC, add etc. Distinction between consent for medical purpose and other purpose
  • 21. 21
  • 22. 22 2. Notice & Choice Principle • A DS is required to give written consent to DU: That PD is being processed and provide a description of the PD being processed The purposes for which the PD is collected and processed  DS’s right to request access to and request correction of the PD Disclosure to any 3rd parties that may be made
  • 23. 23 3. Disclosure principle • No Personal Data shall be disclosed without the consent of the DS: For any other purpose other than the original purpose as disclosed to the DS at the time of collection A purpose directly related to the purpose above To any party other than a 3rd party already notified to the DS (under Notice Principle) • Disclosure for the purpose of research, discussions in medical meetings / seminars :This disclosure is allowed as long as the data that is being disclosed cannot be related to a particular person • Note: Disclosure to the Ministry of Health – this is a compulsory disclosure and thus shall be exempted.
24

Case note - disclosure

Improper disclosure of SPD to Government Agency

• The complainant had medical tests at a pathology clinic and asked that the results be provided only to their treating medical specialist and solicitor. The test results were to be part of a claim that the complainant was making to a federal government agency.
• The complainant later became aware that the clinic had provided the results directly to that government agency. DS complained to the Data Commissioner.
• The clinic said its staff had been advised to send the results directly to the government agency noted on the complainant's form, and contended that this was an isolated error.
• As this information was disclosed for a purpose other than the primary purpose for which it was collected, the commissioner formed the view that the disclosure was an interference with the complainant's privacy. The clinic paid compensation to the DS.
25

The security principle needs to be adequate, but it shouldn't be unreasonable.
26

4. Security Principle

• DU shall take practical steps to protect PD from any:
  - Loss, misuse, modification
  - Unauthorized or accidental access or disclosure
  - Alteration or destruction
  having regard to location, IT systems and mode of transfer of PD
• Hospital IT systems such as the HMIS, HIS and LIS need strict policies
• Transfer to 3rd party service providers such as outside labs, and transfers of PD overseas
• Security issues:
  - use of portable devices (laptops, USB, external hard drives, CD, DVD)
  - transmission of patient info via fax
  - medical devices' storage function
  - remote access to MR
• Doctors have to comply with Hospital's policies regarding PDPA requirements
28

Sony fined GBP 250,000 for Breach of Security

• A cyber attack on Sony's PlayStation Network in April 2011 put a huge number of consumers at risk of identity theft, including credit card details
• It could have been prevented if Sony's software had been up-to-date and technical developments hadn't made passwords unsecure
• "There's no disguising that this is a business that should have known better," said the ICO's data protection director David Smith
• "It is a company that trades on its technical expertise and there is no doubt in my mind that they had access to both the technical expertise and the resources to keep this information safe."
29

Data Processor

• Where PD is processed on behalf of DU, the DU shall ensure that the Data Processor:
  - Provides guarantees in respect of technical and security measures governing the processing; and
  - Takes reasonable steps to ensure compliance with those measures
• Eg: The IT system in SDMC PC – system designed for SDH, and they do have access to our patient records.
• Data Processor = Outsourced Service Providers
31

Retention Principle

• PD shall not be kept longer than is necessary for the fulfillment of the original purpose
• DU has duty to take all reasonable steps to ensure that PD is:
  - Destroyed (must be done in a proper manner); or
  - Permanently deleted
  …… if it is no longer required for the purpose for which it was processed
• QUESTION: how long is long?
  - Depends on the nature of your business and the commercial reasons to keep data
  - 7 years / 25 years / hospital policy
33

6. Data Integrity Principle
34

Data Integrity Principle

• DU has duty to take all reasonable steps to ensure that PD is:
  - Accurate
  - Complete
  - Not misleading; and
  - Kept up to date
35

7. Access Principle

• A data subject shall be given access to his personal data upon Data Access Request
• All information that is being processed by or on behalf of the Data User
• Entitled to an intelligible copy of the PD
• Access can be just to view or get a copy
• Subject to some exceptions
• Under the PDPA, patient may now get access to his entire MR
36

Case note - who can access PD

• Hospital prepared a health report for an insurance company
• Patient wanted a copy under the access principle
• Hospital refused
• DC held that all PD held by the hospital, including the report, should be provided to the data subject, regardless of for whom it was prepared
38

GE Healthcare Admits Sending NHS Patient Data to US

• Personal details of 600,000 patients were sent to the US following a mistake made by the NHS's IT provider, GE Healthcare
• GE Healthcare admitted that the error had occurred after it had obtained more patient data than it needed, but stressed that there was no need to worry
• Overloaded in PD
• GE Healthcare recently discovered that they obtained more patient data from diagnostic imaging products than they needed to perform services to their customers
39

NHS Trust fined 325,000 for data breach

• Brighton and Sussex University Hospital NHS Trust has been fined 400,000 euros following a serious breach of the UK Data Protection Act
• Highly sensitive personal data belonging to tens of thousands of patients and staff, including some relating to HIV and Genito Urinary Medicine patients, was on hard drives sold on an Internet auction site in October and November 2010
• The data breach occurred when an individual engaged by the Trust's IT service provider was tasked to destroy approximately 1000 hard drives
• The individual sold 4 hard drives on an internet auction in December 2010
40

Offences and Penalties

• If a body corporate commits an offence under the PDPA, any person who at the time of the offence was a director, CEO, COO, Manager etc may be charged jointly or severally with the company
• Liability also attaches to Senior Management for acts or omissions of any employee acting in the course of their employment.
• Section 5 (1): Anyone who contravenes the Personal Data Protection Principles commits an offence and shall, on conviction, be liable to a fine not exceeding RM300,000 or to imprisonment for a term not exceeding 2 years or to both
  - Penalties for other offences range from RM100k to RM500k, with imprisonment ranging from 1 – 3 years
  - Eg. for unlawful collection or selling of PD – 500k and 3 years