
Personal Data Protection Act

All your questions about PDPA (Personal Data Protection Act) answered.



+ What are the applicable data protection regulations/guidelines in Malaysia?

There are various data protection regulations and guidelines which apply to the healthcare industry. The main regulations include the Malaysia Personal Data Protection Act 2010 (Act 709) (the “PDPA”), the Private Healthcare Facilities and Services Act 1998 (“PHFSA”), the codes of professional conduct and circulars/guidelines (particularly the Confidentiality Guidelines) by the Malaysia Medical Council (“MMC”), and the User Access Control Policy of the Ministry of Health of Malaysia (collectively, the “Data Protection Regime”). The applicable regulations and guidelines are constantly being updated, and as a healthcare provider, it is your responsibility to keep up with the changes from time to time.

A common requirement under the various regulations and guidelines is consent by the data subject (i.e. patients). The consent provided is limited in scope and duration and restricts both you and us from using the data for any purpose other than the one the data subject has specifically consented to.

Where the data elements used to identify the individual are removed, the remaining anonymised data becomes non-personal information, and accordingly, the PDPA will not apply.

+ What is the PDPA, and what is personal data?

The PDPA is the main Malaysian legislation regulating the collection, processing, storage and transmission of personal data in commercial transactions.

“Personal data” refers to any data, whether true or not, about an individual who can be identified from: (a) that data; or (b) that data and other information to which we have or are likely to have access, including data in our records as may be updated from time to time.

Examples of personal data you may provide to us include the following details of your patients, and users (i.e. members of your clinic): name, NRIC, passport or other identification number, telephone number(s), mailing address, email address, personal health information, and any other information relating to any individuals which you have provided us in any forms you may have submitted to us, or via other forms of interaction with you.

+ How is compliance with the Data Protection Regime ensured?

Ensuring compliance with the Data Protection Regime requires the concerted effort of both you and us.

On our part:

We host on Microsoft Azure servers, which comply with current industry standards, and we use the data only for the purposes of providing the cloud services.

Internally, our software keeps audit trails that record every login and every change, stores your data in isolated containers, and allows only limited internal access for support (which is provided only when asked for explicitly by our customers, or when our internal tracking software flags a problem with the application).

On your part:

You are required to ensure your own compliance with the Data Protection Regime in relation to the collection, use and disclosure of the personal data. This may require training of your personnel by suitably qualified professional legal advisors.

You are also required to obtain the specific consent of the data subject (i.e. patients). This is usually obtained by having the patients sign a PDPA notice and consent form. For reference only, we have shared a sample PDPA consent form which you may tweak based on your own commercial requirements and subject to your legal counsel’s advice.

+ Do you share the personal data uploaded on the Klinify platform with third parties?

No. As set out in Clause 8.2 of the End User License Agreement (EULA), we do not disclose any personal data of your staff or patients to any third parties unless required by law.

The personal data uploaded by you onto the Klinify platform is solely used for presenting dashboards, reports and offering analytics tools to you for your use within the Klinify platform.

For all other circumstances (unless otherwise required by law), we anonymise the personal data before dealing with it, by removing all personally identifiable data. Anonymised personal data does not fall under the Data Protection Regime. For instance, to conduct internal analytics, we automatically remove personally identifiable data from all patient data, merge the data from all clinics, and analyse the anonymised data to understand which features are being used, so that we can work with you to increase the value you gain from these features. Further, as part of our business model, we share anonymised patient data (with all identifying data of the clinics and the patients removed) with organisations who might be interested in the aggregate insights, to assess the performance of their products in the market. For example, we answer meaningful questions such as: what is the percentage of patients who are prescribed Panadol versus generic Paracetamol in Kuala Lumpur?
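The following is an added illustration of the process described above (strip identifiers, pool records from all clinics, answer an aggregate question); it is not Klinify's code. The field names, the clinic records and the Kuala Lumpur figures are constructed, and the identifying fields are taken from this page's own list of personal data plus the clinic identifier.

```python
from collections import Counter

# Direct identifiers named in this page's definition of personal data, plus the
# clinic identifier, which the FAQ says is also removed before data is shared.
IDENTIFYING_FIELDS = frozenset({
    "name", "nric", "passport", "id_number", "phone", "address", "email",
    "clinic_id",
})


def anonymise(record):
    """Return a copy of one patient record with every identifying field removed."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def merge_clinics(clinics):
    """Anonymise every record from every clinic and pool them into one dataset."""
    pooled = [anonymise(r) for clinic in clinics for r in clinic]
    # Defensive check: refuse to hand out the pool if any identifier survived.
    leaked = {k for r in pooled for k in r} & IDENTIFYING_FIELDS
    if leaked:
        raise ValueError("identifying fields survived anonymisation: %s" % sorted(leaked))
    return pooled


def brand_vs_generic_share(records, city, brand, generic):
    """Percentage split (brand, generic) among patients in `city` given either drug.

    Returns (0.0, 0.0) when no patient in that city received either drug.
    """
    counts = Counter(r["drug"] for r in records
                     if r.get("city") == city and r["drug"] in (brand, generic))
    total = counts[brand] + counts[generic]
    if total == 0:
        return 0.0, 0.0
    return (round(100.0 * counts[brand] / total, 1),
            round(100.0 * counts[generic] / total, 1))


# Constructed sample uploads from two hypothetical clinics (not real data).
CLINIC_A = [
    {"clinic_id": "A", "name": "Patient One", "nric": "000000-00-0001", "phone": "0100000001",
     "city": "Kuala Lumpur", "drug": "Panadol"},
    {"clinic_id": "A", "name": "Patient Two", "nric": "000000-00-0002", "email": "p2@example.com",
     "city": "Kuala Lumpur", "drug": "Panadol"},
    {"clinic_id": "A", "name": "Patient Three", "passport": "X0000003",
     "city": "Kuala Lumpur", "drug": "Paracetamol"},
]
CLINIC_B = [
    {"clinic_id": "B", "name": "Patient Four", "nric": "000000-00-0004", "address": "1 Example St",
     "city": "Kuala Lumpur", "drug": "Panadol"},
    {"clinic_id": "B", "name": "Patient Five", "nric": "000000-00-0005",
     "city": "Penang", "drug": "Paracetamol"},
]
```

Running `brand_vs_generic_share(merge_clinics([CLINIC_A, CLINIC_B]), "Kuala Lumpur", "Panadol", "Paracetamol")` on the sample gives a 75.0 / 25.0 split, with the Penang record and every identifier excluded.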

+ Has this been done before?

Doctors have been working with clinical research organisations on a commercial basis to provide these insights, to aid the advancement of medical care and technologies for many years. We believe that by supporting this, we are bringing value to the entire community instead of a select few doctors.

+ Technical Security: Is it true that a breach of the Data Protection Regime is likely to occur with a cloud-based system?

This is false. Breaches of the Data Protection Regime can occur outside of the cloud as well. For instance, there may be unauthorised use of patient data obtained via physical patient files, or even digital patient files removed from your clinic’s physical computing devices.

Further, it is arguable that desktop systems are more exposed to attack than cloud-based systems, as there is typically no data monitoring or protection of the devices on the network. With a cloud-based solution, security is centralised and monitoring systems are in place to detect and prevent suspicious activity.

+ Are the doctors liable where a breach of PDPA is caused by Klinify?

Klinify is a data intermediary which processes personal data on your behalf, and we endeavour to process the personal data in a safe and secure manner, together with any third party service providers we may engage. We are responsible only for our compliance with the applicable regulations insofar as these apply to us. You are reminded that your obligations in relation to your data subjects under the Data Protection Regime remain your sole responsibility, which by law cannot be delegated to any party (including us). Please consult with your legal advisors to ensure you are compliant with your legal obligations at all times.

+ Who owns the data?

You own your own data. Data is stored on the Klinify platform maintained by us. Your records are confidential and you have the rights to them. However, we own the rights over the anonymised processed data. Should you wish to cease using Klinify, upon written request we will return your uploaded personal data to you in Excel format. Unlike some of the other vendors in the market, we state this explicitly in our End User License Agreement (EULA).


Last updated: 11th October 2018

We have all been patients of the medical system at some point. We believe we can bring this industry forward through the power of analytics. Our goal as a team is to collaborate with you to improve the outcomes for patients together. We strongly believe in being transparent about what we do, and you should be able to notice that in all your interactions with our team.

This FAQ page is provided solely for informational purposes and seeks to provide information on some of the most commonly asked questions we receive from customers. This FAQ page does not constitute legal advice, and should not be relied on as legal advice. You acknowledge and agree that we shall not be held responsible or liable in any way for any and/or all consequences (including, without limitation, damages for loss of profits, business interruption, or breaches of law) that may be incurred or suffered by you as a direct or indirect result of reliance on information set out in this FAQ page. Further, as we have no control over third party links and resources, you acknowledge and agree that we will not be responsible nor liable for any content or material on or available from such links or resources. If you have any queries or concerns, please seek appropriate professional advice before proceeding.

We reserve the right to update this FAQ page periodically.
