You might have heard “PDPA” being a talking point for the past few years, especially since 2019 when it was announced that private organisations were not allowed to collect NRIC numbers or NRIC cards, unless required by the law or it’s “necessary to establish or verify an individual’s identity to a high degree of accuracy.”
But the Personal Data Protection Act (PDPA), which was enacted in Singapore in 2012, protects against more than the possible misuse of one’s NRIC number; it provides a standard of protection for all personal data. It allows an individual to decide who can collect their personal data, how their data is used, and whether the data can be disclosed to third parties.
This data includes, but is not limited to, an individual’s name, mobile number, e-mail address, NRIC number, thumbprint and even photos or videos collected in electronic and non-electronic format.
How does PDPA affect Community Care providers?
As Community Care professionals, you have constant interaction with patients, giving you access to their personal data. Whether you're doing a quick update on a patient's medical records, calling their next-of-kin, or even processing payment, all of these involve handling your patients' data. In cases where a patient suspects any misuse of their data, they have a right to lodge a complaint with the Personal Data Protection Commission (PDPC), which could launch an investigation into your organisation’s practices. Hence, it's important to ensure that your practices comply with the standards of the PDPA.
Here are some of the key areas you should know about the PDPA.
The sharing of a patient’s data can help healthcare and Community Care providers gain a holistic view of a patient’s medical history and recommend the best rehabilitation programmes for their well-being. However, your organisation must inform your patient if any of the information collected will be shared with other public healthcare institutions.
Knowing Your Patient's Rights
After collecting your patients’ personal information, you should also allow them to have some degree of control over it. This includes giving them the option to withdraw consent and stop your organisation from collecting, using or disclosing their personal data at any time.
You should also allow them to review the personal data they have shared and accommodate any requests to correct their information. As a best practice, organisations should appoint a Data Protection Officer (DPO) to set out their data collection and usage guidelines. The DPO will also be your patient's point of contact if they have any doubts about how the data collected from them is managed.
Data Security and Protection
Sensitive information such as a patient's health records must be documented and managed securely. While some healthcare providers still keep physical records of their patients’ information, more and more organisations are moving towards digitising those records to allow for seamless data-sharing across medical institutions. As you digitise your records, remember to implement measures to protect your patients' data, such as data encryption and data anonymisation. Regardless of the format in which data is collected, a documentation system should be put in place that sets out data access protocols and security standards, so you can effectively manage the data you have access to.
In Cases of Data Breach
Even with the best efforts to protect your organisation’s data, there is always a risk of data leaks. In the unfortunate event of a data breach, the PDPA guideline states that you must notify all those affected within three calendar days, especially if the breach is likely to result in significant harm. The DPO of your organisation is responsible for setting a response-management framework should this happen.
The Importance of PDPA
The PDPA was put in place to protect individuals from having their personal details misused or mishandled, while still allowing that information to be used or disclosed when needed. The dissemination of patients' data among medical institutions can be beneficial in providing a holistic view of a patient's records. Every organisation has the responsibility to implement reasonable security measures in the management of data. Fulfilling these obligations set out by the PDPC will help you maintain a level of trust with the community you care for.
For more detailed information, visit the Personal Data Protection Commission (PDPC) website at www.pdpc.gov.sg.