Personal Data Protection Committee issues sector specific advisory guidelines



Date Published: 1 October 2014


Authors and Contributors: Stephen Soh, Wong Pei Ling, and Manisha Rai.




 

On 11 September 2014 the Personal Data Protection Committee released advisory guidelines applicable to the education, healthcare and social services sectors. These guidelines are part of the PDPC’s series of sector specific guidelines (which, thus far, includes the telecommunications sector and the real estate agency sector) to address any unique sector specific issues such industries may have. The three new guidelines were released following a public consultation exercise carried out between May and June 2014. We have highlighted certain sections of the guidelines for each new sector below.

If you want to find out more about the Personal Data Protection Act and how we can help you or your organisation please refer to our previous article here.

 

Education Sector Guidelines

The Education guidelines apply to education institutions which are not within the meaning of “public agency” i.e. government-aided schools, specialised independent schools, specialised schools, independent schools, autonomous universities, SIM University, Nanyang Academy of Fine Arts, LASALLE College of the Arts and private education institutions (e.g. Foreign System Schools).

 

Minor’s consent

Education institutions will need to notify and specify the purposes for which they collect, use or disclose a student’s personal data, for example, to evaluate the student’s suitability for a course, or to administer bursaries, scholarships and other relevant financial assistance schemes. Factors the education institution should consider in complying with Parts III to VI of the PDPA include whether the students have legal capacity to give consent, which is determined by common law[1]. According to the Advisory Guidelines on the PDPA for Selected Topics issued by the PDPC, while the PDPA does not specify the situations in which a minor (an individual less than 21 years of age) may give consent for the purposes of the PDPA, the age threshold of 13 years appears to be a significant one in relation to according protection to minors and the PDPC will adopt the policy that a minor who is at least 13 years of age would typically have sufficient understanding to be able to consent on his own behalf. However, all organisations should consider whether a minor has sufficient understanding of the nature and consequences of giving consent. Under Section 14(4) of the PDPA, where the individual does not have the capacity to give consent, the minor’s parents or other legal guardians may give consent on behalf of the minor.

 

Healthcare Sector Guidelines

Deemed consent

These guidelines were developed together with the Ministry of Health. Like all organisations, healthcare organisations are required to notify an individual of the purposes for the collection, use and disclosure of personal data of the individual and obtain his consent. However, consent may be deemed in particular circumstances, for example:

  • Voluntarily providing personal data in a healthcare institution’s registration form would be deemed consent by the patient to the use of that information for the purpose of his visit, including for any associated examinations or tests, follow-up consultations or the convening of a case conference with other doctors within that healthcare institution.
  • Disclosing and transferring personal data of a patient to other organisations like specialists, another hospital for further medical tests or long term care services at a nursing home. By agreeing to the referral recommendations the patient would then have consented to his referring doctor disclosing personal data required for such referrals.
  • Use of patient’s personal data by medical students, volunteers or doctors of the healthcare institution.
  • For the purposes of the healthcare institution’s internal processes for quality assurance and improving their service.

 

Family medical history

Patients are usually asked for their family’s medical history, which also constitutes personal data. The healthcare institution may collect personal data about the patient’s family member without the family member’s consent if the personal data was provided to the organisation through the patient to enable the healthcare organisation to provide a service for the patient.

 

Purposes beyond the provision of healthcare

However, the healthcare institution should note that consent cannot be deemed for purposes beyond the provision of medical care, for example, marketing health products unrelated to the patient’s condition.

 

Access obligation

A patient is entitled to make a request to a healthcare institution to access personal data he provided or obtain the diagnosis of a condition recorded by the doctor. The clinic will be required to grant the patient access to such records but it is not obliged to provide such information in the original form it was recorded (e.g. the doctor’s handwritten notes) and the healthcare institution may also charge a reasonable fee for this request.

 

Social Service Sector

These guidelines were developed following consultations with the National Council of Social Service and apply to voluntary welfare organisations (“VWOs”) which are not public agencies (i.e. a public agency like the government and specified statutory bodies like the NCSS) or are not in the course of collecting, using or disclosing personal data on behalf of a public agency. VWOs may collect, use or disclose an individual’s NRIC, full name, contact details, financial and family information, medical history etc for the purposes of evaluating the individual’s suitability for social services or administering social services.

 

Minor’s consent

VWOs should consider, based on the demographics of their clients or beneficiaries and nature of services, how to obtain consents of minors when collecting personal data. Please refer to the Advisory Guidelines on data activities relating to minors, discussed above.

 

Case Conferences

Where an individual receives assistance from more than one VWO and the VWOs believe that all the VWOs concerned should co-ordinate their assistance to provide a more timely service to the individual, they may hold a case conference to discuss the individual’s needs which may require the sharing of the individual’s personal data amongst the VWOs. In this case, all the VWOs involved are required to notify the individual of the purpose for the collection, use and disclosure of personal data unless the collection, use or disclosure is necessary for any purpose that is clearly in the interest of the individual and if consent cannot be obtained in a timely fashion.

 

Client surveys

VWOs must obtain consent from individuals to collect, use and disclose personal data of individuals before conducting a survey, unless they are using or disclosing personal data which had been collected previously for a different purpose and the PDPA exception for use or disclosure of personal data without consent for research (paragraph 1(i), Third Schedule or paragraph 1(q), Fourth Schedule PDPA) would apply.

 

Evaluating individuals

A VWO will not need to obtain the individual’s consent if the collection and use of the personal data is necessary for an evaluative purpose, for example, to determine that individual’s suitability or eligibility for the grant of social assistance.

 

Data from third parties

VWOs may collect personal data from an individual in relation to that individual’s family members (which may, for example, be required by certain VWOs as part of their enrolment process) without obtaining the consent of the family members, as the personal data is provided by the individual to enable the VWO to provide a service for the personal or domestic purpose of that individual.

 

[1] 18 years old to enter contracts under the Civil Law Act, 15 years old under the Employment Act, and 14 years old under the Children and Young Persons Act.

 

CNPLaw’s Data Protection and Security Lawyers

Stephen Soh

Partner

Stephen heads the firm’s technology, media and entertainment team and co-heads the corporate finance team. He has more than two decades of experience, acquired both in-house and in private practice.




Wong Pei Ling

Partner

Pei-Ling has over 23 years of experience in corporate and cross-border transactions, and has advised on investments, joint-ventures and commercial transactions in Singapore and Malaysia.  Over the years, she has also developed a practice in the areas of data protection, technology and employment.



With the prevalence of technology and increasing connectivity through the internet, cybersecurity and data protection are areas that have grown more important in Singapore.

Since the introduction of the Personal Data Protection Act 2012 (“PDPA”), it is mandatory for organisations to comply with data protection rules and we strive to help our clients understand that compliance with the PDPA is no longer an option.

At CNPLaw, we have worked with our clients and helped them navigate through a variety of data protection issues, which include:

  • Reviewing existing policies in order to advise on our client’s compliance with the law
  • Highlighting possible legal risk areas
  • Drafting appropriate documents including personal data protection policies and website terms of use.

We also advise our corporate clients in relation to ad hoc queries on potential breaches of the law and the PDPA, and highlight data protection issues that may arise in the context of employment or HR policies.



