Personal Data Protection Act

All your questions about PDPA (Personal Data Protection Act) answered.


+ What are the data protection laws and guidelines applicable to the healthcare industry in Malaysia?

There are various data protection laws and guidelines which apply to the healthcare industry in Malaysia. The main ones are the Personal Data Protection Act 2010 (Act 709) (“PDPA”), together with the regulations, orders and the Personal Data Protection Standard 2015 issued under it, the industry Codes of Practice, the Private Healthcare Facilities and Services Act 1998 and the regulations issued under it (“PHFSA”), the codes of professional conduct and circulars/guidelines (particularly the Confidentiality Guidelines) issued by the Malaysia Medical Council (“MMC”), and the User Access Control Policy of the Ministry of Health of Malaysia (collectively, the “Data Protection Regime”). These laws and guidelines are updated from time to time, and as a healthcare provider it is your responsibility to keep up with changes to the Data Protection Regime.

A common requirement under the various regulations/guidelines is consent by the data subject (i.e. the patient). The consent given is limited in scope and duration, and it restricts both you and us to using the data only for the purposes the data subject has specifically consented to.

Where the data elements used to identify the individual are removed, so that the individual can no longer be identified, directly or indirectly, from the remaining data (whether on its own or in combination with other information to which we have or are likely to have access), the remaining anonymised data is no longer personal data, and accordingly the PDPA will not apply to it.


+ What is the PDPA, and what is personal data?

The PDPA is the main legislation in Malaysia regulating the collection, processing, storage and transmission of personal data in commercial transactions.

“Personal data” refers to any information that relates directly or indirectly to an individual who is identified or identifiable from: (a) that information; or (b) that information together with other information to which we have or are likely to have access, including data in our records as updated from time to time.

Examples of personal data you may provide to us include the following details of your patients and users (i.e. members of your clinic): name, NRIC, passport or other identification number, telephone number(s), mailing address, email address, personal health information, and any other information relating to any individual which you have provided to us in any form you have submitted to us or through other interactions with us.




+ How is compliance with the Data Protection Regime ensured?

Ensuring compliance with the Data Protection Regime requires the concerted effort of both you and us.

We endeavour to remain compliant with the Data Protection Regime at all times by, among other things, putting in place appropriate and up-to-date security measures for the storage of, and access to, data.

On your part, you are required to ensure your own compliance with the Data Protection Regime in relation to the processing of the personal data. This may require training of your personnel by suitably qualified professional legal advisors.

Among others, you are also required to obtain the specific consent of the data subject (i.e. your patients). Such specific consent is usually obtained by having the patients sign a PDPA notice and consent form. For reference only, we have shared a sample PDPA consent form which you may refer to and amend based on your own commercial requirements and subject to your legal counsel’s advice.




+ Do we share the personal data uploaded on the Klinify platform with third parties?

We do not disclose any personal data of your staff or patients to third parties unless required by law, or unless your use of a particular service we provide requires data to be shared with our third-party commercial partners (for example, when you arrange diagnostic services with medical diagnostic labs registered on the Klinify platform). In that case, we will seek your explicit consent to share such data the first time you use that service. You must obtain all necessary consents from the relevant data subjects for such sharing.

The personal data you upload onto the Klinify platform is used solely to present dashboards and reports to you, to offer you analytics tools within the Klinify platform, and to access services provided by third-party commercial partners, as stated above.

For all other purposes (unless otherwise required by law), we anonymise the personal data before using it, by removing all data that identifies the clinic or the patient. Data that has been anonymised so that no individual can be identified from it, directly or indirectly, does not fall under the Data Protection Regime. For instance, to conduct internal analytics, we automatically remove personally identifiable data from all patient data, merge the data from all clinics, and analyse the anonymised data to understand which features are being used, so that we can work with you to increase the value you gain from those features. Further, as part of our business model, we share anonymised patient data (with all identifying data of the clinics and the patients removed) with organisations interested in aggregate insights, for example to assess the performance of their products in the market. This lets us answer questions such as: what percentage of patients in Kuala Lumpur are prescribed Panadol rather than generic Paracetamol?
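The following is an added illustration of the two steps the paragraph above and the earlier answer on anonymisation describe: strip the direct identifiers the FAQ lists as personal data, then release only aggregates. It is example code written for this page, not Klinify's own pipeline, and the field names, the minimum group size of five and the sample records are all assumptions. It also shows the check a practitioner would want that the paragraph does not spell out: removing names and NRICs alone is not enough, because an exact age, a city and a rare prescription can still single out one person, so exact ages are coarsened and percentages over very small groups are withheld rather than released.

```python
"""De-identify clinic records and release only aggregate prescription shares.

Example code added to this FAQ; not Klinify's implementation. Field names,
the min_group threshold and the sample records below are assumptions.
"""
from collections import Counter, defaultdict

# Direct identifiers, mirroring the FAQ's list of personal data
# (name, NRIC, passport, phone, address, email) plus internal record keys.
DIRECT_IDENTIFIERS = {"patient_id", "clinic_id", "name", "nric", "passport_no",
                      "phone", "address", "email"}


def age_band(age):
    """Generalise an exact age to a 10-year band, e.g. 37 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def deidentify(record):
    """Drop direct identifiers and coarsen the exact age.

    Dropping name/NRIC alone leaves quasi-identifiers (age, city, drug) that
    can still identify someone in combination, so exact age is replaced by a
    band before the record leaves the identified store.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "age" in out:
        out["age_band"] = age_band(out.pop("age"))
    return out


def prescription_shares(records, min_group=5):
    """Percentage of patients per city on each drug, with small-cell suppression.

    A city with fewer than min_group patients is withheld (None) instead of
    released: a percentage computed over two or three people is close to
    publishing their individual records.
    """
    by_city = defaultdict(Counter)
    for r in records:
        by_city[r["city"]][r["drug"]] += 1
    shares = {}
    for city, counts in by_city.items():
        total = sum(counts.values())
        if total < min_group:
            shares[city] = None
        else:
            shares[city] = {drug: round(100.0 * n / total, 1)
                            for drug, n in counts.items()}
    return shares


# Constructed sample records: not real patients, clinics or identifiers.
SAMPLE_RECORDS = [
    {"patient_id": f"P{i:03d}", "clinic_id": "C01", "name": f"Patient {i}",
     "nric": f"000000-00-{i:04d}", "phone": "0000000000",
     "email": f"p{i}@example.invalid", "age": 30 + i, "city": "Kuala Lumpur",
     "drug": "Panadol" if i < 5 else "Paracetamol"}
    for i in range(8)
] + [
    {"patient_id": "P100", "clinic_id": "C02", "name": "Patient 100",
     "nric": "000000-00-0100", "phone": "0000000000",
     "email": "p100@example.invalid", "age": 72, "city": "Ipoh",
     "drug": "Panadol"},
    {"patient_id": "P101", "clinic_id": "C02", "name": "Patient 101",
     "nric": "000000-00-0101", "phone": "0000000000",
     "email": "p101@example.invalid", "age": 41, "city": "Ipoh",
     "drug": "Paracetamol"},
]


def run_example(records=SAMPLE_RECORDS):
    """Full pipeline: de-identify every record, then compute aggregates only."""
    cleaned = [deidentify(r) for r in records]
    return cleaned, prescription_shares(cleaned)


if __name__ == "__main__":
    cleaned, shares = run_example()
    print(cleaned[0])   # no name/NRIC/phone/email, age replaced by age_band
    print(shares)       # Kuala Lumpur shares released, Ipoh suppressed
```

With the constructed records, Kuala Lumpur has eight patients and is released as 62.5% Panadol / 37.5% Paracetamol, while Ipoh, with only two patients, is suppressed. The threshold and the set of fields treated as identifiers are policy choices that should be agreed with legal counsel, not fixed by the code.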




+ Has this been done before?

Doctors have for many years worked with clinical research organisations on a commercial basis to provide these aggregate insights, to aid the advancement of medical care and technologies. We believe that by supporting this, we bring value to the entire community instead of a select few doctors.




+ Technical Security: Is it true that a breach of the Data Protection Regime is likely to occur with a cloud-based system?

No system is completely safe, and breaches of the Data Protection Regime can occur outside the cloud as well. For instance, there may be unauthorised use of patient data obtained from physical patient files, or from digital patient files removed from your clinic’s own computing devices. We strive to keep our cloud-based systems secure with an up-to-date, centralised security and monitoring system that detects and prevents suspicious activity.




+ Are the doctors liable where a breach of PDPA is caused by Klinify?

Klinify processes personal data on your behalf, and we endeavour to process the personal data in a safe and secure manner, together with any third party service providers we may engage. We are responsible only for our compliance with the applicable regulations insofar as these apply to us. You are reminded that your obligations in relation to your data subjects under the Data Protection Regime remain your sole responsibility, which by law cannot be delegated to any party (including us). Please consult with your legal advisors to ensure you are compliant with your legal obligations at all times.




+ Who owns the data?

You own your own data. It is stored on the Klinify platform, which we maintain. Your records are confidential and you retain the rights to them. However, we own the rights to the anonymised processed data. Should you wish to cease using Klinify, we will return the personal data you uploaded to you upon written request. Unlike some other vendors in the market, we state this explicitly in our End User License Agreement (EULA).

 

 Last updated: 18th December 2018

We have all been patients of the medical system at some point. We believe we can bring this industry forward through the power of analytics. Our goal as a team is to collaborate with you to improve the outcomes for patients together. We strongly believe in being transparent about what we do, and you should be able to notice that in all your interactions with our team.

This FAQ page is provided solely for informational purposes and seeks to provide information on some of the most commonly asked questions we receive from customers. This FAQ page does not constitute legal advice, and should not be relied on as legal advice. You acknowledge and agree that we shall not be held responsible or liable in any way for any and/or all consequences (including, without limitation, damages for loss of profits, business interruption, or breaches of law) that may be incurred or suffered by you as a direct or indirect result of reliance on information set out in this FAQ page. Further, as we have no control over third party links and resources, you acknowledge and agree that we will not be responsible nor liable for any content or material on or available from such links or resources. If you have any queries or concerns, please seek appropriate professional advice before proceeding.

We reserve the right to update this FAQ page periodically.

 Have more questions about PDPA?
