Singapore: PDPC updates Advisory Guidelines for Healthcare Sector

On September 20, 2023, the Personal Data Protection Commission (PDPC) updated the Advisory Guidelines for the Healthcare Sector, which were published on September 11, 2014. In particular, the Guidelines take into account the amendments made to the Personal Data Protection Act (No. 26 of 2012) (PDPA) in February 2021. The Guidelines highlight the application of the PDPA to the processing of personal data in healthcare, including valid legal bases, purpose limitation, and notification obligations. Regarding the research exception to obtaining data subject consent, organizations may use personal data for a research purpose without consent, including historical and statistical research, where:

  • the research purpose cannot be reasonably accomplished unless the personal data is provided in an individually identifiable form;
  • there is a clear public benefit to using personal data for the research purpose;
  • the results of the research will not be used to make any decision that affects the individual; and
  • in the event the research is published, the organization publishes the results in a form that does not identify the individual.

Organizations may also disclose personal data for research purposes without consent after assessing the above conditions, and where it is impracticable for the organization to seek the consent of the individual. More generally, the Guidelines also provide examples of collecting and disclosing personal data from patients seeking medical care on different legal bases.

Regarding obligations related to data subject rights, the Guidelines also provide examples of how medical facilities may comply. Specifically, on requests to access personal data, the Guidelines clarify that organizations are not required to provide data subjects with copies of original documents, and can provide personal data in a form other than that in which it was originally recorded.

On the retention limitation obligation, the Guidelines stipulate that although there is no specific retention period, the appropriate period should be judged on whether the personal data is required for research or archival purposes that benefit the wider public. Notably, the Guidelines detail that healthcare institutions should not keep personal data 'just in case' when it is no longer needed for the purpose for which it was collected.

You can read the Guidelines here.